Vulnerabilities > CVE-2007-0099 - Race Condition vulnerability in Microsoft Internet Explorer and XML Core Services

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-362

critical

nessus

NVD

Published: 2007-01-08

Updated: 2018-10-16

Summary

Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft XML Core Services 3.0 Microsoft Internet Explorer 6	2

Common Weakness Enumeration (CWE)

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging Race Conditions
This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Msbulletin

bulletin_id	MS08-069
bulletin_url
date	2008-11-11T00:00:00
impact	Remote Code Execution
knowledgebase_id	955218
knowledgebase_url
severity	Critical
title	Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS08-069.NASL
description	The remote host is running a version of Windows that contains a flaw in the Windows XML Core Services. An attacker may be able to execute arbitrary code on the remote host by constructing a malicious script and enticing a victim to visit a website or view a specially crafted email message.
last seen	2020-06-01
modified	2020-06-02
plugin id	34744
published	2008-11-12
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/34744
title	MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(34744); script_version("1.29"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2007-0099", "CVE-2008-4029", "CVE-2008-4033"); script_bugtraq_id(21872, 32155, 32204); script_xref(name:"MSFT", value:"MS08-069"); script_xref(name:"MSKB", value:"951550"); script_xref(name:"MSKB", value:"955069"); script_xref(name:"IAVA", value:"2008-A-0084"); script_name(english:"MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)"); script_summary(english:"Determines the presence of update 955218"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the web or email client."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Windows that contains a flaw in the Windows XML Core Services. An attacker may be able to execute arbitrary code on the remote host by constructing a malicious script and enticing a victim to visit a website or view a specially crafted email message."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-069"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, 7, and 2008 R2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(200, 362); script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/04"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:xml_core_services"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("audit.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS08-069'; kbs = make_list("951550", "955069"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); if (is_accessible_share()) { if (hotfix_check_sp(win2k:6, xp:4, win2003:3, vista:3, win7:2) > 0) { if ( ( hotfix_check_fversion(file:"system32\Msxml3.dll", version:"8.100.1048.0", bulletin:bulletin, kb:'955069') == HCF_OLDER ) \|\| ( hotfix_check_fversion(file:"system32\Msxml4.dll", version:"4.20.9870.0", bulletin:bulletin, kb:'954430') == HCF_OLDER ) \|\| ( hotfix_check_fversion(file:"system32\Msxml5.dll", version:"5.20.1087.0", bulletin:bulletin, kb:'951535') == HCF_OLDER ) \|\| ( hotfix_check_fversion(file:"system32\Msxml6.dll", version:"6.20.1099.0", bulletin:bulletin, kb:'954459') == HCF_OLDER ) ) { set_kb_item(name:"SMB/Missing/MS08-069", value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } hotfix_check_fversion_end(); } office_version = hotfix_check_office_version (); if ( !office_version ) exit(0); rootfiles = hotfix_get_officecommonfilesdir(); if ( ! rootfiles ) exit(0); if (!office_version["11.0"] && !office_version["12.0"]) exit (0); vuln = FALSE; if (office_version["11.0"]) { if (typeof(rootfiles) == 'array') rootfile = rootfiles["11.0"]; else rootfile = rootfiles; if (office_version["11.0"] && hotfix_check_fversion(path:rootfile["11.0"], file:"\Microsoft Shared\Office11\msxml5.dll", version:"5.20.1087.0", bulletin:bulletin, kb:'951550') == HCF_OLDER ) vuln = TRUE; } else if (office_versions["12.0"]) { if (typeof(rootfiles) == 'array') rootfile = rootfiles["12.0"]; else rootfile = rootfiles; if (office_version["12.0"] && hotfix_check_fversion(path:rootfile["12.0"], file:"\Microsoft Shared\Office11\msxml5.dll", version:"5.20.1087.0", bulletin:bulletin, kb:'951550') == HCF_OLDER ) vuln = TRUE; } if (vuln) { set_kb_item(name:"SMB/Missing/MS08-069", value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2008-12-29T04:00:25.122-05:00

class

vulnerability

contributors

name	Sudhir Gandhe
organization	Secure Elements, Inc.

definition_extensions

comment	Microsoft XML Core Services 3 is installed
oval	oval:org.mitre.oval:def:415

description

family

windows

oval:org.mitre.oval:def:5793

status

accepted

submitted

2008-11-19T14:19:00

title

MSXML Memory Corruption Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 21872 CVE(CAN) ID: CVE-2007-0099 Microsoft XML Core Services（MSXML）允许使用JScript、VBScript和Visual Studio 6.0的用户开发基于XML的应用，以与其他遵循XML 1.0标准的应用程序交互操作。 Microsoft XML Core Services解析XML内容的方式中存在一个竞争条件错误。如果用户浏览的网页或HTML电子邮件包含有大量嵌套标签（10到1000个），则在IFRAME中显示时JavaScript定时器会反复中断渲染进程，强制帧大约每50到100毫秒重载一次。成功利用此漏洞的攻击者可以完全控制受影响的系统。攻击者可随后安装程序；查看、更改或删除数据，或者创建拥有完全用户权限的新帐户。那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小 Microsoft XML Core Services 3.0 临时解决方法： * 限制对msxml3.dll的访问对于Windows XP Service Pack 2和Windows XP Service Pack 3： 1. 从提升的管理员命令提示符处运行下列命令： cacls %windir%\system32\msxml3.dll /E /P everyone:N 2. 重新启动对于Windows Vista、Windows Vista Service Pack 1和Windows Server 2008（用于32位系统）： 1. 从提升的管理员命令提示符处运行下列命令： takeown /f %windir%\system32\msxml3.dll icacls %windir%\system32\msxml3.dll /save %TEMP%\MSXML3 _ACL.TXT icacls %windir%\system32\msxml3.dll /deny everyone:(F) 2. 重新启动厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS08-069）以及相应补丁: MS08-069：Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218) 链接：<a href=http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx?pf=true</a>
id	SSV:4440
last seen	2017-11-19
modified	2008-11-13
published	2008-11-13
reporter	Root
title	Microsoft XML Core Services竞争条件内存破坏漏洞（MS08-069）

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Seebug

References