📄 766.html
字号:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>[AD_LAB-04006] Microsoft Windows winhlp32.exe 堆溢出漏洞 </title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography," />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="top">
<div class="searchBox">
<form name="searchform" action="http://www.google.com/search" method="get">
<input type="hidden" name="domains" value="www.xfocus.net">
<input type="hidden" name="sitesearch" value="www.xfocus.net">
<input type="text" name="q" size="20">
<input type="submit" name="btnG" value="Google Search">
</form>
</div>
<img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo">
<img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title">
</div>
<div class="tabs">
<a href="../../index.html" class="plain">首页</a>
<a href="../../releases/index.html" class="plain">焦点原创</a>
<a href="../../articles/index.html" class="selected">安全文摘</a>
<a href="../../tools/index.html" class="plain">安全工具</a>
<a href="../../vuls/index.html" class="plain">安全漏洞</a>
<a href="../../projects/index.html" class="plain">焦点项目</a>
<a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦点论坛</a>
<a href="../../about/index.html" class="plain">关于我们</a>
</div>
<div class="personalBar">
<a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a>
</div>
<table class="columns">
<tr>
<td class="left">
<div class="box">
<h5> 文章分类 </h5>
<div class="body">
<div class="content odd">
<div style="white-space: nowrap;">
<img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'>专题文章</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'>漏洞分析</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教学</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'>编程技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介绍</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墙技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵检测</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解专题</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'><b>焦点公告 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦点峰会</a><br>
</div>
</div>
</div>
</div>
<div class="box">
<h5> 文章推荐 </h5>
<div class="body">
<div class="content odd">
<img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>补丁管理最佳安全实践之资产评估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>国内网络安全风险评估市场与技术操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>协作的信息系统风险评估</a><br>
</div>
</div>
</div>
</td>
<td class="main">
<h1>[AD_LAB-04006] Microsoft Windows winhlp32.exe 堆溢出漏洞</h1><br>创建时间:2004-12-23 更新时间:2004-12-23<br>文章属性:原创<br>文章提交:<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=20515'>flashsky</a> (flashsky1_at_sina.com)<br><br>通告:[AD_LAB-04006] Microsoft Windows winhlp32.exe 堆溢出漏洞<br />
Class: 设计错误<br />
DATE:12/20/2004<br />
CVE编号:CAN-2004-1306<br />
<br />
受威胁的系统:<br />
Windows NT <br />
Windows 2000 SP0<br />
Windows 2000 SP1<br />
Windows 2000 SP2<br />
Windows 2000 SP3<br />
Windows 2000 SP4<br />
Windows XP SP0<br />
Windows XP SP1<br />
Windows XP SP2<br />
Windows 2003<br />
未受威胁的系统:<br />
目前未知<br />
厂商:<br />
<a href='http://www.microsoft.com' target='_blank'>www.microsoft.com</a><br />
<br />
<br />
1.漏洞描述:<br />
Microsoft Windows winhlp32.exe在解析.hlp文件的时候存在着一个堆溢出,这个漏洞是通过对windows .hlp文件<br />
头进行解码处理时触发的。<br />
<br />
2.技术描述<br />
当hlp文件是以分段来进行压缩的,他包含一个以phrase命名的内部文件,这个phrase文件由一个phrase表头和多个<br />
phrase表组成,phrase的表头处于.hlp文件的偏移0x19处,结构定义如下:<br />
unsigned short wNumberOfPhrases;<br />
unsigned short wOneHundred; 0x0100;<br />
long decompressedsize;<br />
<br />
phrases表头后面立即跟着phrases表,每个phrases表项占4个字节,2个字段phrasesHeadOffset和phrasesEndOffset,<br />
分别都是即unsigned short类型。代表phrases的头尾的偏移。<br />
<br />
处理phrases表的函数具有3个参数(在中文2000 sp4上该函数的地址是0x0100A1EF),其中第3个参数为指向phrases表<br />
头的指针,第2个参数指向一个堆内存,用于保存phrases数据.但是在计算数据长度时并没有判断数据长度是否合法,这就<br />
导致可以构造一个.HLP,可以覆盖由第2个参数所指向的堆内存。以下是对该函数的分析:<br />
<br />
0100A1EF sub_100A1EF proc near ; CODE XREF: sub_100A14C+6Fp<br />
.text:0100A1EF<br />
.text:0100A1EF arg_0 = dword ptr 4<br />
.text:0100A1EF arg_4 = dword ptr 8<br />
.text:0100A1EF arg_8 = dword ptr 0Ch<br />
.text:0100A1EF<br />
.text:0100A1EF mov eax, [esp+arg_8] ;arg_8 指向phrase表头<br />
.text:0100A1F3 push ebx<br />
.text:0100A1F4 push esi<br />
.text:0100A1F5 push edi<br />
.text:0100A1F6 movzx edx, word ptr [eax+2] ;[eax+2] -> wOneHundred<br />
.text:0100A1FA mov ecx, [eax+0Ch] ;[eax+0Ch] -> phrase 表<br />
.text:0100A1FD mov eax, [esp+0Ch+arg_0] ;以下计算 phrase表的偏移<br />
.text:0100A201 sub eax, edx<br />
.text:0100A203 mov ebx, [esp+0Ch+arg_4]<br />
.text:0100A207 mov edi, eax<br />
.text:0100A209 shr eax, 1<br />
.text:0100A20B and edi, 1<br />
.text:0100A20E movzx edx, word ptr [ecx+eax*2] ;phrase_offset1<br />
.text:0100A212 movzx esi, word ptr [ecx+eax*2+2] ;phrase_offset2<br />
.text:0100A217 sub esi, edx<br />
.text:0100A219 add ecx, edx<br />
.text:0100A21B push esi ; size_t ;size = phrase_offset2 - phrase_offset1<br />
.text:0100A21C push ecx ; void *<br />
.text:0100A21D push ebx ; void * ;ebx -> 第二个参数,即堆内存<br />
.text:0100A21E call ds:memmove<br />
<br />
在这里,存在着2个导致溢出的问题,<br />
1.整数溢出,如果phrasesEndOffset比phrasesHeadOffset小,phrasesEndOffset-phrasesHeadOffset为一个负数,这里并没有做检查,<br />
实际调用memmove的时候,触发了溢出。<br />
2.另外,在堆分配的时候,并非是根据phrasesEndOffset-phrasesHeadOffset计算时候进行分配的,而是根据hlp文件里的另外字段进行<br />
解码计算和分配的,由于解码和计算过程过于复杂,这里不在详细描述,只要修改一个正常的hlp文件的某个phrases表项,增大phrasesEndOffset<br />
字段也将触发这一漏洞。<br />
<br />
可以通过访问 <a href='http://www.xfocus.net/flashsky/icoExp/index.html' target='_blank'>http://www.xfocus.net/flashsky/icoExp/index.html</a> 来验证此漏洞<br />
<br />
<br />
3.感谢<br />
Keji(yu_keji@venustech.com.cn) 发现并公布了此漏洞,具体的技术分析由keji,flashsky,icbm完成<br />
感谢启明星辰技术信息有限公司积极防御实验室的伙伴和丰收项目小组。<br />
<br />
4.申明:<br />
<br />
The information in this bulletin is provided "AS IS" without warranty of any<br />
kind. In no event shall we be liable for any damages whatsoever including direct,<br />
indirect, incidental, consequential, loss of business profits or special damages. <br />
<br />
Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.<br />
<br />
VENUSTECH Security Lab <br />
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(<a href='http://www.venustech.com.cn' target='_blank'>http://www.venustech.com.cn</a>)<br />
<br />
Security<br />
Trusted {Solution} Provider<br />
Service
</td>
</tr>
</table>
<div class="footer">
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved
</div>
</body>
</html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -