[News] A specially formatted image file can cause a denial of service in IE [Repost]





煙蟲
2002-05-22, 01:49 AM
Original author: tombkeeper (tombkeeper)
Source: tombkeeper

Author : tombkeeper
Email : [email protected]
HomePage: http://www.whitecell.org

Vulnerability class: Windows, IE, remote DoS


Systems tested and found affected:

Microsoft Internet Explorer 6.0

- Microsoft Windows 2000 Server SP2 SRP
- Microsoft Windows 2000 Advanced Server SP2 SRP
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0 SP6a

Microsoft Internet Explorer 5.0

- Microsoft Windows 2000 Server SP2 SRP
- Microsoft Windows 2000 Advanced Server SP2 SRP
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0 SP6a

Systems not tested:

Microsoft Internet Explorer 5.5
on any platform

and
the Microsoft Windows 2000 Professional platform


Description:

Save the following code as a file. Whatever its extension, requesting it directly in IE or
referencing it as an image in an HTML document displays it normally as a 16x16 pixel BMP image.

#define odo_width 16
#define odo_height 16
static char odo_bits[] = {

The above applies to remote files. When the file is opened on the local machine, its extension
must be one the browser cannot display itself: not html, txt, gif, jpg and the like, but zip, exe,
xxx or some other unknown extension. It can also be referenced as an image from an HTML document.

When odo_width and odo_height are set to an extremely large value, IE does not check the actual
size of the file but allocates memory directly according to the values of odo_width and odo_height,
exhausting system resources; eventually the system calls DbgBreakPoint and kills the IE process.

Previewing the file in Explorer, or viewing it as HTML mail, behaves the same way.


Test code:

Save the following code as IEcrash.htm and place it in the web directory:

#
In the browser, enter: http://127.0.0.1/IEcrash.htm


Solution:

We have notified Microsoft, which has committed to fixing this problem in the next Service Pack.
WSS recommends that you do not browse untrusted websites and do not view mail as HTML. Until
Microsoft releases a security patch, refrain from using the IE browser or disable IE's image support.


Thanks:

Thanks to Refdom ([email protected]) of the iDuba Security Team for help with testing.


Appendix: Microsoft's replies

----- Original Message -----
From: Microsoft Security Response Center
Cc: Microsoft Security Response Center
Sent: Thursday, April 25, 2002 2:58 AM
Subject: RE: A vulnerability of Crashing IE [MSRC 1129LT]


Hi -

Thanks very much for your note. I'll start an investigation of this
issue immediately, and will let you know what I find out. In the
meantime, I've assigned tracking number MSRC 1129LT to this issue. If
you would keep it in the subject line of future notes on the subject, it
would make it easier to get status information for you.

Regards

[email protected]

----- Original Message -----
From: Microsoft Security Response Center
Cc: Microsoft Security Response Center
Sent: Tuesday, May 14, 2002 5:35 AM
Subject: RE: A vulnerability of Crashing IE [MSRC 1129LT]


Hi,

I wanted to update you on this issue and let you know where we are in
our testing. The devs found that there is a problem in mshtml but were
unable to run any exploit, only crash IE. They have suggested that a
service pack level fix would be best for this kind of problem for two
reasons. First, and most importantly, service packs get better testing
and so there are fewer potential problems than with patches. Secondly,
the developers could not run any kind of exploit other than crashing IE.
We are committed to fixing this but would prefer to do it in the next
service pack.

Please let me know if we have missed something or if you have any
feedback you want to share. Thanks again for bringing this issue to our
attention and for providing valuable feedback.

Regards,

[email protected]


About us:

WSS (Whitecell Security Systems) is a non-profit, independent technical group devoted to
research on all kinds of system security technology. It holds to the traditional hacker
spirit and pursues technical purity.

WSS homepage: http://www.whitecell.org/
WSS forum: http://www.whitecell.org/forum/
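
The advisory's point is that the decoder sizes its allocation from the `_width` / `_height` header values alone, never checking how many bytes the file actually carries. Below is an added example (written for this page, not code from the advisory, from WSS, or from Microsoft) of a minimal XBM header check contrasting that naive behaviour with a hardened one: the byte count is derived with overflow checks, capped by a policy limit, and compared against the number of pixel bytes really present before anything is allocated. The four sample files, the 64 MiB cap, and the "one byte per pixel" assumption in the naive path are all constructed for illustration; none of them are the advisory's test file.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample files for this example (not the advisory's own). */
static const char BENIGN_XBM[] =
    "#define odo_width 16\n"
    "#define odo_height 16\n"
    "static char odo_bits[] = {\n"
    "  0x00, 0x00, 0xfe, 0x7f, 0x02, 0x40, 0x02, 0x40,\n"
    "  0x02, 0x40, 0x02, 0x40, 0x02, 0x40, 0x02, 0x40,\n"
    "  0x02, 0x40, 0x02, 0x40, 0x02, 0x40, 0x02, 0x40,\n"
    "  0x02, 0x40, 0x02, 0x40, 0xfe, 0x7f, 0x00, 0x00 };\n";

/* A few bytes of pixel data, but the header claims a 2e9 x 2e9 bitmap. */
static const char HOSTILE_XBM[] =
    "#define odo_width 2000000000\n"
    "#define odo_height 2000000000\n"
    "static char odo_bits[] = {\n"
    "  0x00, 0x00, 0xfe, 0x7f, 0x02, 0x40, 0x02, 0x40 };\n";

/* Header says 16x16 (32 bytes needed) but only 8 bytes follow. */
static const char TRUNCATED_XBM[] =
    "#define odo_width 16\n"
    "#define odo_height 16\n"
    "static char odo_bits[] = { 0x00, 0x00, 0xfe, 0x7f, 0x02, 0x40, 0x02, 0x40 };\n";

/* Dimensions whose byte count cannot be represented in 64 bits. */
static const char OVERFLOW_XBM[] =
    "#define odo_width 18446744073709551615\n"
    "#define odo_height 2\n"
    "static char odo_bits[] = { 0x00 };\n";

enum xbm_status { XBM_OK = 0, XBM_BAD_HEADER, XBM_OVERFLOW, XBM_TOO_LARGE, XBM_TRUNCATED };

/* Policy cap chosen for this example; an assumption, not any real decoder's limit. */
#define XBM_MAX_BYTES (64ULL * 1024 * 1024)

/* Extract <name>_width and <name>_height from the #define lines; the value must
   parse cleanly as decimal and fit in 64 bits, otherwise the header is rejected. */
static int xbm_parse_header(const char *text, unsigned long long *w, unsigned long long *h) {
    const char *p = text;
    int have_w = 0, have_h = 0;
    while (p && *p) {
        char name[64], num[32];
        if (sscanf(p, "#define %63s %31s", name, num) == 2) {
            size_t n = strlen(name);
            int is_w = n > 6 && strcmp(name + n - 6, "_width") == 0;
            int is_h = n > 7 && strcmp(name + n - 7, "_height") == 0;
            if (is_w || is_h) {
                char *end;
                unsigned long long val;
                errno = 0;
                val = strtoull(num, &end, 10);
                if (errno == ERANGE || end == num || *end != '\0') return 0;
                if (is_w) { *w = val; have_w = 1; } else { *h = val; have_h = 1; }
            }
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return have_w && have_h;
}

/* Bytes the bitmap occupies: XBM packs 8 pixels per byte, rows padded to a byte. */
static int xbm_required_bytes(unsigned long long w, unsigned long long h, unsigned long long *out) {
    unsigned long long row_bytes;
    if (w > ULLONG_MAX - 7) return 0;
    row_bytes = (w + 7) / 8;
    if (h != 0 && row_bytes > ULLONG_MAX / h) return 0;
    *out = row_bytes * h;
    return 1;
}

/* Count the 0x.. literals actually present between the braces. */
static unsigned long long xbm_count_data_bytes(const char *text) {
    const char *p = strchr(text, '{');
    unsigned long long n = 0;
    if (!p) return 0;
    for (p++; *p && *p != '}'; p++)
        if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) n++;
    return n;
}

/* The behaviour the advisory describes: the buffer is sized from the header alone.
   Assumes one byte per pixel; returns the count that would be handed to malloc(). */
size_t xbm_naive_alloc_size(const char *text) {
    unsigned long long w = 0, h = 0;
    if (!xbm_parse_header(text, &w, &h)) return 0;
    return (size_t)w * (size_t)h;  /* unchecked multiply: silently wraps or explodes */
}

/* Hardened path: overflow-checked size, policy cap, and the file must really carry
   that many bytes before any allocation is attempted. alloc_size may be NULL. */
enum xbm_status xbm_check(const char *text, unsigned long long *alloc_size) {
    unsigned long long w = 0, h = 0, need = 0;
    if (!xbm_parse_header(text, &w, &h)) return XBM_BAD_HEADER;
    if (!xbm_required_bytes(w, h, &need)) return XBM_OVERFLOW;
    if (need > XBM_MAX_BYTES) return XBM_TOO_LARGE;
    if (xbm_count_data_bytes(text) < need) return XBM_TRUNCATED;
    if (alloc_size) *alloc_size = need;
    return XBM_OK;
}

/* Allocation size if the file passes every check, otherwise 0. */
unsigned long long xbm_safe_alloc_size(const char *text) {
    unsigned long long size = 0;
    return xbm_check(text, &size) == XBM_OK ? size : 0;
}

int main(void) {
    const char *names[] = { "benign", "hostile", "truncated", "overflow" };
    const char *files[] = { BENIGN_XBM, HOSTILE_XBM, TRUNCATED_XBM, OVERFLOW_XBM };
    for (int i = 0; i < 4; i++) {
        unsigned long long size = 0;
        int status = xbm_check(files[i], &size);
        printf("%-9s naive=%zu hardened=%d size=%llu\n", names[i],
               xbm_naive_alloc_size(files[i]), status, size);
    }
    return 0;
}
```

The ordering of the checks matters: the overflow test must run before the cap comparison, since a wrapped product can look small, and the data-byte count is compared only after the size is known to be sane, so a hostile header never drives a large scan or allocation.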



iamdc
2002-05-22, 02:13 PM
I had seen this before, but the description should probably be sanitized, because otherwise everyone who didn't know will now know, and it will then be used to harass and attack forums that automatically display uploaded images......

煙蟲
2002-05-22, 10:09 PM
When I posted this article I did consider the issue you raise. Originally I wanted to present the original text as-is, simply so that those who hadn't seen it could refer to it and understand. But after reading your reply, and considering that this board's topic is anti-hacking and anti-virus, I will respect your opinion and remove some of the sensitive text, so that certain people who didn't know don't learn it and then take pleasure in using others as test subjects to cause trouble. Thanks for the warning; I'll be more careful the next time I post an article.