Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:2642
HistoryDec 20, 2007 - 12:00 a.m.

Microsoft MFC库CFileFind::FindFile堆溢出漏洞

2007-12-2000:00:00
Root
www.seebug.org
15

0.941 High

EPSS

Percentile

99.2%

JSON

BUGTRAQ ID: 25697
CVE(CAN) ID: CVE-2007-4916

Microsoft Windows是微软发布的非常流行的操作系统。

Windows系统中所提供的MFC42和MFC71库的CFileFind类在处理FindFile()函数参数时存在堆溢出漏洞,本地攻击者可能利用此漏洞提升自己的权限。

MFC[42|71].dll@CFileFind::FindFile(char const ,unsigned long)
.text:73D6CD3F mov edi, edi
.text:73D6CD41 push ebp
.text:73D6CD42 push esi ; unsigned int
.text:73D6CD43 push edi ; unsigned __int8 *
.text:73D6CD44 mov esi, ecx
.text:73D6CD46 call CFileFind::Close(void)
.text:73D6CD4B push 140h ; int << 320 bytes
.text:73D6CD50 call @operator new(uint) << buffer Allocate [1]
.text:73D6CD55 mov ebp, [esp+14h]
.text:73D6CD59 and dword ptr [esi+10h], 0
.text:73D6CD5D test ebp, ebp
.text:73D6CD5F pop ecx
.text:73D6CD60 mov [esi+8], eax
.text:73D6CD63 jnz short loc_73D6CD6A
.text:73D6CD65 mov ebp, offset a__1 ; "." << si arg_0 == NULL
.text:73D6CD6A loc_73D6CD6A; CODE XREF: CFileFind::FindFile(char const,ulong)+24j
.text:73D6CD6A push ebp ; lpString2
.text:73D6CD6B add eax, 2Ch
.text:73D6CD6E push eax ; lpString1
.text:73D6CD6F call ds:__imp__lstrcpyA@8 ; lstrcpyA(x,x) << [2]
.text:73D6CD75 push dword ptr [esi+8] ; lpFindFileData
.text:73D6CD78 push ebp ; lpFileName
.text:73D6CD79 call ds:__imp__FindFirstFileA@8 ; FindFirstFileA(x,x)
[…]

MFC[42|71]u.dll@CFileFind::FindFile(char const ,unsigned long)
.text:5F817BFC push ebx ; wchar_t
.text:5F817BFD push esi ; wchar_t *
.text:5F817BFE push edi
.text:5F817BFF mov esi, ecx
.text:5F817C01 call CFileFind::Close(void)
.text:5F817C06 push 250h ; int << 592 bytes
.text:5F817C0B call @operator new(uint) << buffer allocate [1]
.text:5F817C10 mov ebx, [esp+14h]
.text:5F817C14 and dword ptr [esi+10h], 0
.text:5F817C18 test ebx, ebx
.text:5F817C1A pop ecx
.text:5F817C1B mov [esi+8], eax
.text:5F817C1E jnz short loc_5F817C25
.text:5F817C20 mov ebx, offset a_ ; "." << si arg_0 == NULL
.text:5F817C25 loc_5F817C25; CODE XREF: CFileFind::FindFile(ushort const,ulong)+22j
.text:5F817C25 push ebx ; lpString2
.text:5F817C26 add eax, 2Ch
.text:5F817C29 push eax ; lpString1
.text:5F817C2A call ds:__imp__lstrcpyW@8 ; lstrcpyW(x,x) << [2]
.text:5F817C30 push dword ptr [esi+8] ; lpFindFileData
.text:5F817C33 push ebx ; lpFileName
.text:5F817C34 call ds:__imp__FindFirstFileW@8 ;
FindFirstFileW(x,x)
[…]

FindFile方式为[1]处的缓冲区分配内存,然后未经检查便储存了[2]处函数的第一个参数的内容。如果用户提交了超长参数的话就可以触发堆溢出,导致执行任意指令。

Microsoft Windows XP SP2

Microsoft

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

<a href=“http://www.microsoft.com/technet/security/” target=“_blank”>http://www.microsoft.com/technet/security/</a>

Related

cvelist 1
nvd 1
cert 1
checkpoint_advisories 1
prion 1
cve 1
cvelist
cvelist
CVE-2007-4916
2007-09-17 17:00:00
nvd
nvd
CVE-2007-4916
2007-09-17 17:17:00
cert
cert
Microsoft MFC FindFile function heap buffer overflow
2007-09-20 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows MFC Library FileFind Class Heap Overflow (CVE-2007-4916)
2007-11-05 00:00:00
prion
prion
Heap overflow
2007-09-17 17:17:00
cve
cve
CVE-2007-4916
2007-09-17 17:17:00

0.941 High

EPSS

Percentile

99.2%

JSON
Related for SSV:2642
cvelist1nvd1cert1checkpoint_advisories1prion1cve1