Latest critical Windows vulnerability
Published: 2011-11-22 | Posted by: Administrator | Views: 477
Yesterday we played with the virus overflow; today we got hold of the latest exploit program for this vulnerability. The animation is still being made, so the program is being released first for everyone to play with..

Microsoft ASN.1 Library BER Decoding Heap Corruption Vulnerability

Affected systems:
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0
Microsoft Windows 2003
Microsoft Windows 2000 SP4
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP2
Microsoft Windows 2000 SP1
Microsoft Windows 2000
Description:
--------------------------------------------------------------------------------
CVE(CAN) ID: CAN-2003-0818

Abstract Syntax Notation One (ASN.1) is a data standard used by many applications and devices that allows data to be exchanged across different platforms. The Microsoft ASN.1 library is used widely in the Windows security subsystem, including Kerberos and NTLMv2 authentication, and in applications that use certificates of various kinds (SSL, e-mail digital signatures, ActiveX control signing).

The Microsoft ASN.1 library implementation contains integer overflow vulnerabilities that a remote attacker can use to corrupt the heap and execute malicious instructions. The vulnerability affects applications that depend on MSASN1.DLL; the most common are LSASS.EXE and CRYPT32.DLL (and therefore any application that uses CRYPT32.DLL).

The ASN.1 Basic Encoding Rules (BER) are, in essence, a flexible scheme for encoding binary data. Each item of data consists of a type tag describing how the value that follows is to be interpreted, then the length of the data, and finally the data itself. Supplying an oversized value (0xFFFFFFFD to 0xFFFFFFFF) in the length field produces an integer overflow in the heap allocation function. Although the length value is validated and checked in one place, separate pointer arithmetic inside the validation function is what allows the vulnerability to occur.

The details of the vulnerability are as follows:
1. When a simple value (one made up of atomic data) is decoded by MSASN1, ASN1BERDecLength() is called to obtain the value length, and that length is then passed to ASN1BERDecCheck() to make sure the data actually exists.

2. ASN1BERDecCheck() verifies that the unsigned quantity "pointer_to_start_of_data + reported_length_of_data" is less than or equal to "pointer_to_start_of_BER_block + total_size_of_BER_block". If the check fails, the function returns an error and decoding stops. (The ASN1BERDecCheck() check itself also had problems, but Microsoft had already fixed those in Windows 2000 SP4 and Windows Server 2003 by adding an extra comparison to the function.)

3. If a function that calls ASN1BERDecLength() then tries to allocate memory and copy the data (for example ASN1BERDecOctetString(), but not ASN1BERDecOctetString2()), it passes the decoded length to DecMemAlloc() and allocates the result. That function in effect performs "LocalAlloc(LMEM_ZEROINIT, (length + 3) & ~3)".

4. If DecMemAlloc() returns successfully, the calling function then uses the originally decoded length as the byte count for a memcpy() that copies the data into the newly allocated heap buffer, which triggers the overflow.

If the length decoded by ASN1BERDecLength() in step 1 is very large, an integer overflow occurs in step 2 when ASN1BERDecCheck() adds the length to the current data pointer. More precisely, if the length lies in the range 0xFFFFFFFD to 0xFFFFFFFF, it passes the ASN1BERDecCheck() check; when the DecMemAlloc() call is made, the rounded-up length wraps to zero, so LocalAlloc() successfully allocates a zero-length heap block. Because memcpy() performs no check of its own when copying with the oversized length, the heap is corrupted and any adjacent data can be overwritten with arbitrary data.

The simplest way to produce this condition is to construct the encoding of a simple octet string (tag 04h) with 'length-of-length' set to 4 and length set to 0xFFFFFFFF, i.e. the bytes '04h/84h/FFh/FFh/FFh/FFh'. Depending on which decoding function the MSASN1 client uses, this triggers the vulnerability. The decoding functions affected by this vulnerability are:

ASN1BERDecCharString
ASN1BERDecChar16String
ASN1BERDecChar32String
ASN1BERDecEoid
ASN1BERDecGeneralizedTime
ASN1BERDecMultibyteString
ASN1BERDecOctetString
ASN1BERDecOpenType
ASN1BERDecSXVal
ASN1BERDecUTCTime
ASN1BERDecUTF8String
ASN1BERDecZeroCharString
ASN1BERDecZeroChar16String
ASN1BERDecZeroChar32String
ASN1BERDecZeroMultibyteString
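As an added illustration (not part of the advisory, nor eEye's or Microsoft's code), the following C program models the length check of step 2 and the allocation rounding of step 3 on 32-bit unsigned values, without copying anything: the check as described accepts the '04h/84h/FFh/FFh/FFh/FFh' encoding because the pointer addition wraps, the rounded allocation size becomes zero, and an overflow-safe comparison against the bytes actually remaining rejects the same input. The simulated base address and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Decode a BER length (short or long form, at most 4 length bytes) at
 * buf[*pos]; on success advance *pos, store the length, return 0. */
static int ber_dec_length(const uint8_t *buf, size_t size, size_t *pos,
                          uint32_t *len) {
    if (*pos >= size) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 0; }             /* short form */
    unsigned n = b & 0x7F;                            /* long form: n bytes */
    if (n == 0 || n > 4 || n > size - *pos) return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    *len = v;
    return 0;
}

/* The bounds check as the advisory describes it, on 32-bit "pointers":
 * start + len wraps around for lengths near 0xFFFFFFFF and the check passes. */
static int check_as_described(uint32_t data_start, uint32_t len, uint32_t block_end) {
    uint32_t data_end = data_start + len;             /* unsigned wrap-around */
    return data_end <= block_end;
}

/* Overflow-safe form: compare the length with the bytes actually remaining. */
static int check_safe(uint32_t data_start, uint32_t len, uint32_t block_end) {
    if (data_start > block_end) return 0;
    return len <= block_end - data_start;
}

/* Size DecMemAlloc() would request: (length + 3) & ~3 in 32-bit arithmetic. */
static uint32_t alloc_size(uint32_t len) { return (len + 3u) & ~3u; }

/* Parse an OCTET STRING header (tag 04h) placed at a simulated 32-bit base
 * address and report what each check decides and what would be allocated.
 * Nothing is copied, so the overflow itself is never performed. */
static int evaluate(const uint8_t *tlv, size_t size, uint32_t base,
                    int *described_ok, int *safe_ok, uint32_t *alloc) {
    size_t pos = 1; uint32_t len;
    if (size < 1 || tlv[0] != 0x04) return -1;
    if (ber_dec_length(tlv, size, &pos, &len) != 0) return -1;
    uint32_t start = base + (uint32_t)pos, end = base + (uint32_t)size;
    *described_ok = check_as_described(start, len, end);
    *safe_ok = check_safe(start, len, end);
    *alloc = alloc_size(len);
    return 0;
}
```

With the advisory's encoding, evaluate() reports that the described check accepts it, the safe check rejects it, and the rounded allocation size is 0; a well-formed '04 03 61 62 63' string passes both checks with an allocation of 4 bytes.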

<* Source: Derek Soeder (dsoeder@eeye.com)

   Links:
http://www.eeye.com/html/Research/Advisories/AD20040210.html
http://www.eeye.com/html/Research/Advisories/AD20040210-2.html
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
*>

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS04-007) and the corresponding patch for this issue:
MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028)
Link:
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp

Patch downloads:

Microsoft Windows NT Workstation 4.0 Service Pack 6a

http://www.microsoft.com/downloads/details.aspx?FamilyId=92400199-B3D5-4826-98D4-F134849F5249&displaylang=en

Microsoft Windows NT Server 4.0 Service Pack 6a

http://www.microsoft.com/downloads/details.aspx?FamilyId=E8315430-90CD-4B20-8F54-58527932B588&displaylang=en

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6

http://www.microsoft.com/downloads/details.aspx?FamilyId=D83B39D3-FF13-4D0B-B406-A225AED0D659&displaylang=en

Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4

http://www.microsoft.com/downloads/details.aspx?FamilyId=191853C4-A4D2-4797-A8C6-A2E663A53698&displaylang=en

Microsoft Windows XP, Microsoft Windows XP Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=0CC30297-D4AE-48E9-ACD0-1343D89CCBBA&displaylang=en

Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=383C397F-9318-4AD5-9C2C-0577118A1E68&displaylang=en

Microsoft Windows XP 64-Bit Edition Version 2003, Microsoft Windows XP 64-Bit Edition Version 2003 Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en

Microsoft Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=3D7FFFF9-A497-42FF-90E7-283732B2E117&displaylang=en

Microsoft Windows Server 2003 64-Bit Edition

http://www.microsoft.com/downloads/details.aspx?FamilyId=FA280168-66E1-4B5F-958F-E178C3F61F7C&displaylang=en