Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:1862
HistoryJun 14, 2007 - 12:00 a.m.

Microsoft Windows SChannel单字节堆溢出漏洞(MS07-031)

2007-06-1400:00:00
Root
www.seebug.org
17
JSON

Microsoft Windows是微软发布的非常流行的操作系统。

Windows的安全通道(SChannel)库在实现客户端SSLv3握手协议时存在单字节堆溢出漏洞,远程攻击者可能利用此漏洞控制服务器或造成拒绝服务。

具体来讲,在处理服务器密钥交换SSL握手记录时没有充分地检查长度字段设置为0的畸形服务器端数字签名,导致在有效的堆地址上分配0长度的堆缓冲区,然后执行的逆向内存拷贝将0长度减1拷贝数字签名,这会触发整数下溢,导致堆缓冲区指针退到起始地址之前,最终导致将1字节的用户控制值覆盖到堆控制块。

漏洞代码位于_ReverseMemCopy()函数中,可从Ssl3ParseServerKeyExchange()通过SPProcessHandshake()->PkcsGenerateClientExchangeValue()访问:

; On WinXP-SP1, the code below is located at 0x767FF976 (no symbols
available)
Ssl3ParseServerKeyExchange()

.text:767FFFC8 movzx ebx, byte ptr [esi] ;
MSB-byte of malformed signature length field
.text:767FFFCB movzx eax, byte ptr [esi+1] ;
LSB-byte of malformed signature length field
.text:767FFFCF shl ebx, 8
.text:767FFFD2 add ebx, eax
.text:767FFFD4 push ebx ; size=0
.text:767FFFD5 call _SPExternalAlloc@4 ;
HeapAlloc will return a valid 0-length heap buffer address
.text:767FFFDA test eax, eax
.text:767FFFDC mov [ebp+pbSignature], eax
.text:767FFFDF jz loc_768000B9
.text:767FFFE5 push ebx ; size=0
.text:767FFFE6 lea ecx, [esi+2] ;
address of the signature data in our malformed record
;
containing 0xFF,0x41,0x41…
.text:767FFFE9 push ecx
.text:767FFFEA push eax ;
0-length heap buffer
.text:767FFFEB call _ReverseMemCopy@12
_ReverseMemCopy()
.text:767FF46F mov edi, edi
.text:767FF471 push ebp
.text:767FF472 mov ebp, esp
.text:767FF474 mov eax, [ebp+arg_8]
.text:767FF477 mov ecx, [ebp+arg_4]
.text:767FF47A push esi
.text:767FF47B mov esi, [ebp+arg_0]
.text:767FF47E lea eax, [esi+eax-1]
; EAX=0, ESI which points to 0-length heap buffer

; is decremented to, before start of heap buffer
.text:767FF482 mov dl, [ecx]
.text:767FF484 mov [eax], dl
; Off-by-one overwrite with 0xFF from our signature data
.text:767FF486 dec eax
.text:767FF487 inc ecx
.text:767FF488 cmp eax, esi
.text:767FF48A jnb short loc_767FF482
; Just one-byte overwrite!
.text:767FF48C pop esi
.text:767FF48D pop ebp
.text:767FF48E retn 0Ch

如果用户使用Internet Web浏览器查看特制网页或使用利用SSL/TLS的应用程序,则此漏洞可能允许远程执行代码。 但是,利用此漏洞的尝试最有可能导致Internet Web浏览器或应用程序退出。重新启动系统之前,系统不能使用SSL或TLS连接到网站或资源。

Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows 2000SP4
厂商补丁:

Microsoft

Microsoft已经为此发布了一个安全公告(MS07-031)以及相应补丁:
MS07-031:Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)
链接:<a href=“http://www.microsoft.com/technet/security/Bulletin/ms07-031.mspx?pf=true” target=“_blank”>http://www.microsoft.com/technet/security/Bulletin/ms07-031.mspx?pf=true</a>

JSON