SSV:2463

Microsoft Jet Database Engine MDB File Parsing Remote Buffer Overflow Vulnerability

2007-11-19 00:00:00
Root
www.seebug.org

Microsoft Jet Database Engine is the database engine used by Access.
A buffer overflow exists in the way the Microsoft Jet database engine handles MDB files; a remote attacker can exploit it to execute arbitrary instructions with the privileges of the application process.
When Microsoft Office Access parses an MDB file it calls the Jet Engine (msjet40.dll) to do the parsing. A specially crafted MDB triggers a stack buffer overflow:
(C:\Windows\System32\msjet40.dll, version 4.0.8618.0)
.text:1B0B72BB mov     ecx, edx          ; ecx = 0x5200
.text:1B0B72BD mov     esi, edi          ; esi points to the data
.text:1B0B72BF mov     ebp, ecx          ; which can be found in the mdb file
.text:1B0B72C1 lea     edi, [esp+40h]    ; edi points to stack memory
.text:1B0B72C5 shr     ecx, 2
.text:1B0B72C8 rep movsd                 ; stack overflow!!
.text:1B0B72CA mov     ecx, ebp
.text:1B0B72CC mov     eax, [eax+1]
.text:1B0B72CF and     ecx, 3
.text:1B0B72D2 rep movsb

Debugging information follows:
eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902          shr     ecx,2
0:000> u eip
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902          shr     ecx,2
1b0b72c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
1b0b72ca 8bcd            mov     ecx,ebp
1b0b72cc 8b4001          mov     eax,dword ptr [eax+1]
1b0b72cf 83e103          and     ecx,3
1b0b72d2 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
1b0b72d4 8bb424d4000000  mov     esi,dword ptr [esp+0D4h]
1b0b72db 8b4b28          mov     ecx,dword ptr [ebx+28h]
0:000> db esi
05f5cd12  00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41  .O.S.~.1.\.V.B.A
05f5cd22  00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42  .\.V.B.A.6.\.V.B
05f5cd32  00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56  .E.6...D.L.L.#.V
05f5cd42  00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61  .i.s.u.a.l. .B.a
05f5cd52  00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20  .s.i.c. .F.o.r. 
05f5cd62  00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74  .A.p.p.l.i.c.a.t
05f5cd72  00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00  .i.o.n.s........
05f5cd82  00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34  .......*.\.G.{.4
0:000> db edi
0013db60  09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b  .............Q..
0013db70  86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00  ................
0013db80  22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05  "|..............
0013db90  3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05  <............x..
0013dba0  e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b  .......|8x......
0013dbb0  80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b  ................
0013dbc0  9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00  .x......L...L...
0013dbd0  01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00  ....`...........

A length of 0x5200 is enough to write data over the SEH handler pointer, so overwriting the SEH handler can redirect execution to the corresponding shellcode and execute arbitrary instructions. On web hosting space that allows uploading .asp and .mdb files, the bug can be triggered through the "ADODB.Connection" server object.
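The root cause visible in the disassembly is a copy whose count (0x5200) is read straight from the file and never compared with the size of the stack destination at [esp+40h]. The following C is an added illustration of that defect and of the check that prevents it; it is not msjet40 code and does not use the real MDB layout. The record format (a 4-byte little-endian length followed by payload), the 0x40-byte local buffer size and the sample records are all constructed assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record layout for this illustration (NOT the real MDB format):
 *   bytes 0..3  little-endian length field, the value the disassembly loads
 *               into ecx (0x5200 in the crash) and never validates
 *   bytes 4..   payload that rep movsd / rep movsb copy to [esp+40h]
 */
#define STACK_BUF_SIZE  0x40           /* assumed size of the local buffer */
#define MAX_TEST_RECORD (0x5200 + 4)   /* room for the crash-sized sample */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern, mirroring the msjet40 code path: the file-supplied
 * length becomes the copy count with no comparison against the destination.
 * Shown for contrast only; nothing in this example calls it. */
int copy_record_unchecked(const uint8_t *rec, size_t rec_len)
{
    uint8_t local[STACK_BUF_SIZE];
    uint32_t n = read_le32(rec);
    (void)rec_len;
    memcpy(local, rec + 4, n);   /* n == 0x5200 runs far past 'local' */
    return local[0];
}

/* Hardened form: the length is checked against both the bytes actually
 * present in the input and the capacity of the destination before any byte
 * is copied.  Returns 0 on success, a negative code on rejection. */
int copy_record_checked(const uint8_t *rec, size_t rec_len,
                        uint8_t *dst, size_t dst_cap, size_t *copied)
{
    if (rec == NULL || dst == NULL || copied == NULL) return -1;
    if (rec_len < 4) return -1;            /* no room for the length field */
    uint32_t n = read_le32(rec);
    if (n > rec_len - 4) return -2;        /* claims more than the file holds */
    if (n > dst_cap) return -3;            /* would overflow the destination */
    memcpy(dst, rec + 4, n);
    *copied = n;
    return 0;
}

/* Well-formed constructed record: 8 payload bytes into a 0x40-byte buffer. */
int demo_valid(void)
{
    uint8_t rec[4 + 8] = {0};
    uint8_t dst[STACK_BUF_SIZE];
    size_t copied = 0;
    put_le32(rec, 8);
    memcpy(rec + 4, "ACCESSDB", 8);
    int rc = copy_record_checked(rec, sizeof rec, dst, sizeof dst, &copied);
    return (rc == 0 && copied == 8 && dst[0] == 'A') ? 0 : -99;
}

/* Constructed record whose length field says 0x5200 but only 8 bytes follow. */
int demo_truncated(void)
{
    uint8_t rec[4 + 8] = {0};
    uint8_t dst[STACK_BUF_SIZE];
    size_t copied = 0;
    put_le32(rec, 0x5200);
    return copy_record_checked(rec, sizeof rec, dst, sizeof dst, &copied);
}

/* Constructed record carrying 0x5200 real payload bytes, the crash value:
 * the input is intact but the destination is only 0x40 bytes. */
int demo_oversized(void)
{
    static uint8_t rec[MAX_TEST_RECORD];
    uint8_t dst[STACK_BUF_SIZE];
    size_t copied = 0;
    memset(rec, 'A', sizeof rec);
    put_le32(rec, 0x5200);
    return copy_record_checked(rec, sizeof rec, dst, sizeof dst, &copied);
}
```

The two checks in copy_record_checked are the ones the disassembled routine lacks: the count is bounded by what the input actually contains (so a truncated file cannot cause an over-read) and by the destination capacity (so the 0x5200-byte case from the crash dump is rejected instead of overwriting the stack and, further up, the SEH chain).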

Microsoft JET 4.0 SP7
Microsoft JET 4.0 SP6
Microsoft JET 4.0 SP5
Microsoft JET 4.0 SP4
Microsoft JET 4.0 SP3
Microsoft JET 4.0 SP2
Microsoft JET 4.0 SP1
Microsoft JET 4.0

  • Microsoft Access 2000
    Microsoft JET 3.51 SP3
    Microsoft JET 3.51
  • Microsoft Excel 95
  • Microsoft Excel 97
    Microsoft JET 3.5
  • Microsoft Access 95
  • Microsoft Access 97
    Microsoft JET 3.0
  • Microsoft Access 95
    Microsoft JET 2.5
  • Microsoft Access 2.0 SP1
    Microsoft JET 2.0
  • Microsoft Access 2.0
    Microsoft Access 2003
    Microsoft Access 2002 SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional
    Microsoft Access 2002 SP1
    Microsoft Access 2002
  • Microsoft Office XP
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Terminal Services SP2
  • Microsoft Windows 2000 Terminal Services SP1
  • Microsoft Windows 2000 Terminal Services
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional
    Microsoft Access 2000 SR1
    Microsoft Access 2000 SP3
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional
    Microsoft Access 2000 SP2
    Microsoft Access 2000
  • Microsoft Office 2000
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows NT 4.0

No solution is currently available:
http://www.microsoft.com/

http://www.sebug.net/exploit/2579