
Microsoft Jet Database Engine MDB File Parsing Remote Stack Overflow Vulnerability

www.hx99.net    Date: 2009-12-31    Compiled by: 华西安全网

Affected:
Microsoft msjet40.dll 4.0.8618.0
Microsoft Access 2003
    - Microsoft Windows XP SP2

Description:

BUGTRAQ  ID: 26468

Microsoft Jet is the lightweight database engine widely used by MS Office applications.

Jet contains a buffer overflow when handling malformed MDB files. A remote attacker could exploit this vulnerability by enticing a user to process a malicious file, and take control of the server.


When parsing an MDB file, Office Access calls the Jet engine (msjet40.dll); parsing a malicious MDB file triggers a stack overflow in the following code:

    C:/Windows/System32/msjet40.dll, version 4.0.8618.0

    .text:1B0B72BB                 mov     ecx, edx        ; ecx=0x5200
    .text:1B0B72BD                 mov     esi, edi        ; esi points to the data,
    .text:1B0B72BF                 mov     ebp, ecx        ; which can be found in the mdb file
    .text:1B0B72C1                 lea     edi, [esp+40h]  ; edi points to stack memory
    .text:1B0B72C5                 shr     ecx, 2
    .text:1B0B72C8                 rep movsd               ; stack overflow!!
    .text:1B0B72CA                 mov     ecx, ebp
    .text:1B0B72CC                 mov     eax, [eax+1]
    .text:1B0B72CF                 and     ecx, 3
    .text:1B0B72D2                 rep movsb

Debugging information follows:

    eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
    eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    msjet40!Ordinal55+0x23cd8:
    1b0b72c5 c1e902          shr     ecx,2
    0:000> u eip
    msjet40!Ordinal55+0x23cd8:
    1b0b72c5 c1e902          shr     ecx,2
    1b0b72c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    1b0b72ca 8bcd            mov     ecx,ebp
    1b0b72cc 8b4001          mov     eax,dword ptr [eax+1]
    1b0b72cf 83e103          and     ecx,3
    1b0b72d2 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
    1b0b72d4 8bb424d4000000  mov     esi,dword ptr [esp+0D4h]
    1b0b72db 8b4b28          mov     ecx,dword ptr [ebx+28h]
    0:000> db esi
    05f5cd12  00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41  .O.S.~.1./.V.B.A
    05f5cd22  00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42  ./.V.B.A.6./.V.B
    05f5cd32  00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56  .E.6...D.L.L.#.V
    05f5cd42  00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61  .i.s.u.a.l. .B.a
    05f5cd52  00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20  .s.i.c. .F.o.r.
    05f5cd62  00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74  .A.p.p.l.i.c.a.t
    05f5cd72  00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00  .i.o.n.s........
    05f5cd82  00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34  .......*./.G.{.4
    0:000> db edi
    0013db60  09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b  .............Q..
    0013db70  86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00  ................
    0013db80  22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05  "|..............
    0013db90  3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05  <............x..
    0013dba0  e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b  .......|8x......
    0013dbb0  80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b  ................
    0013dbc0  9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00  .x......L...L...
    0013dbd0  01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00  ....`...........
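The root cause above is a length taken from the file (ecx=0x5200) driving rep movsd/rep movsb into a fixed stack buffer at [esp+40h] with no comparison against that buffer's size. As an added example, not code from this advisory or from Microsoft, the following C mirrors that copy sequence and adds the missing check; the record layout (a 32-bit little-endian length followed by the data), the 0x40-byte buffer size and the sample bytes are assumed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define STACK_BUF_SIZE 0x40   /* hypothetical fixed buffer standing in for [esp+40h] */

/* Same copy sequence as the disassembly: len>>2 dwords (rep movsd),
   then len&3 bytes (rep movsb). */
static void rep_movs_copy(uint8_t *dst, const uint8_t *src, uint32_t len) {
    uint32_t head = (len >> 2) * 4;
    memcpy(dst, src, head);
    memcpy(dst + head, src + head, len & 3);
}

/* Hardened parser for an assumed record layout (constructed for this
   example): a 32-bit little-endian length followed by that many bytes.
   Returns 0 on success, -1 short header, -2 length exceeds the
   destination buffer, -3 length exceeds the remaining file data. */
int parse_field_checked(const uint8_t *file, size_t file_len,
                        uint8_t *out, size_t out_cap, uint32_t *copied) {
    if (file_len < 4) return -1;
    uint32_t len = (uint32_t)file[0] | (uint32_t)file[1] << 8 |
                   (uint32_t)file[2] << 16 | (uint32_t)file[3] << 24;
    if (len > out_cap) return -2;       /* the check missing before rep movsd */
    if (len > file_len - 4) return -3;  /* never read past the end of the file */
    rep_movs_copy(out, file + 4, len);
    *copied = len;
    return 0;
}

/* Constructed sample mirroring the crash: the header claims 0x5200 bytes
   for a 0x40-byte destination. */
int demo_oversized_length(void) {
    uint8_t file[8] = { 0x00, 0x52, 0x00, 0x00, 'A', 'B', 'C', 'D' };
    uint8_t out[STACK_BUF_SIZE];
    uint32_t n = 0;
    return parse_field_checked(file, sizeof file, out, sizeof out, &n);
}

/* Constructed sample: a 6-byte UTF-16LE "VBA" field that fits. */
int demo_valid_field(void) {
    uint8_t file[10] = { 0x06, 0, 0, 0, 'V', 0, 'B', 0, 'A', 0 };
    uint8_t out[STACK_BUF_SIZE];
    uint32_t n = 0;
    if (parse_field_checked(file, sizeof file, out, sizeof out, &n) != 0) return 0;
    return n == 6 && memcmp(out, file + 4, 6) == 0;
}
```

The oversized sample is rejected before any copy takes place, which is exactly the point at which msjet40.dll instead proceeds into rep movsd.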

Note that because this vulnerability lies in the Jet engine, some web hosting providers may also be affected. An attacker could upload . and .mdb files and exploit it through the ADODB.Connection server object.

Vendor patch:

The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

http://www.microsoft.com/technet/security/
