Microsoft IE javaprxy.dll COM对象实例化堆溢出漏洞(MS05-037)

发布日期：2005-06-30
更新日期：2005-07-12

受影响系统：

Microsoft Internet Explorer 5.0.1 SP3
- Microsoft Windows 2000 SP3
Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Windows 2000 SP4
Microsoft Internet Explorer 5.5 SP2
- Microsoft Windows Millennium Edition
Microsoft Internet Explorer 6.0
- Microsoft Windows XP SP2
- Microsoft Windows XP 64-bit Edition
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003
Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows XP SP1
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 2000 SP4
- Microsoft Windows 2000 SP3

描述：

---

BUGTRAQ ID: 14087
CVE(CAN) ID: CVE-2005-2087

Microsoft Internet Explorer是微软发布的非常流行的WEB浏览器。

Microsoft Internet Explorer中存在堆溢出漏洞，远程攻击者可能利用这个漏洞覆盖函数指针或数据段，导致在IE环境中执行任意代码。

漏洞起因是恶意的网页实例化javaprxy.dll COM对象的方式。如果用户加载了有某些嵌入CLSID的HTML文档的话，就可能导致空指针错误或内存破坏。



<*来源：Bernhard Mueller （research@sec-consult.com）
sk0L （bmu@sec-consult.com）
Martin Eiszner （security@freefly.com）

链接：http://marc.theaimsgroup.com/?l=bugtraq&m=112006764714946&w=2
http://www.sec-consult.com/184.html
http://www.frsirt.com/english/advisories/2005/0935
http://www.microsoft.com/technet/security/advisory/903144.mspx
http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl
######################################################
#
# Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched-
#
# Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com >
# Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit
# 01 July 2005
#
# Description - http://www.frsirt.com/english/advisories/2005/0935
# Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx
# sec-consult - http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to "High" or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
# Internet Explorer 6 for Microsoft Windows XP Service Pack 2
# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003
# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium
# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
#
# Usage : perl iejavaprxyexploit.pl > mypage.html
#
######################################################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

文章整理：西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!