Vulnerabilities > CVE-2008-1092 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Word

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, microsoft, CWE-119, critical

Summary

Buffer overflow in msjet40.dll before 4.0.9505.0 in Microsoft Jet Database Engine allows remote attackers to execute arbitrary code via a crafted Word file, as exploited in the wild in March 2008. NOTE: as of 20080513, Microsoft has stated that this is the same issue as CVE-2007-6026.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamily: exploit
description:

BUGTRAQ ID: 26468
CVE(CAN) ID: CVE-2007-6026, CVE-2008-1092

Microsoft Jet is a lightweight database engine used widely by MS Office applications.

The Jet engine contains a buffer overflow in its handling of malformed MDB files. A remote attacker can exploit it by enticing a user to process a malicious file and thereby take control of the affected host.

Office Access calls the Jet database engine (msjet40.dll) to parse MDB files. Parsing a malicious MDB file triggers a stack overflow in the following code (C:\Windows\System32\msjet40.dll, version 4.0.8618.0):

  .text:1B0B72BB mov ecx, edx        ; ecx = 0x5200
  .text:1B0B72BD mov esi, edi        ; esi points to the data,
  .text:1B0B72BF mov ebp, ecx        ;   which comes from the mdb file
  .text:1B0B72C1 lea edi, [esp+40h]  ; edi points to stack memory
  .text:1B0B72C5 shr ecx, 2
  .text:1B0B72C8 rep movsd           ; stack overflow!!
  .text:1B0B72CA mov ecx, ebp
  .text:1B0B72CC mov eax, [eax+1]
  .text:1B0B72CF and ecx, 3
  .text:1B0B72D2 rep movsb

The copy count (ecx = 0x5200) is taken directly from the file, while the destination is a fixed-size buffer in the current stack frame at [esp+40h]; rep movsd copies the dwords and rep movsb the remaining bytes, so all 0x5200 bytes are written with no bounds check.

Debugger output:

  eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
  eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0         nv up ei pl nz ac pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
  msjet40!Ordinal55+0x23cd8:
  1b0b72c5 c1e902          shr     ecx,2
  0:000> u eip
  msjet40!Ordinal55+0x23cd8:
  1b0b72c5 c1e902          shr     ecx,2
  1b0b72c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
  1b0b72ca 8bcd            mov     ecx,ebp
  1b0b72cc 8b4001          mov     eax,dword ptr [eax+1]
  1b0b72cf 83e103          and     ecx,3
  1b0b72d2 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
  1b0b72d4 8bb424d4000000  mov     esi,dword ptr [esp+0D4h]
  1b0b72db 8b4b28          mov     ecx,dword ptr [ebx+28h]
  0:000> db esi
  05f5cd12  00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41  .O.S.~.1.\.V.B.A
  05f5cd22  00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42  .\.V.B.A.6.\.V.B
  05f5cd32  00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56  .E.6...D.L.L.#.V
  05f5cd42  00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61  .i.s.u.a.l. .B.a
  05f5cd52  00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20  .s.i.c. .F.o.r.
  05f5cd62  00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74  .A.p.p.l.i.c.a.t
  05f5cd72  00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00  .i.o.n.s........
  05f5cd82  00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34  .......*.\.G.{.4
  0:000> db edi
  0013db60  09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b  .............Q..
  0013db70  86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00  ................
  0013db80  22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05  "|..............
  0013db90  3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05  <............x..
  0013dba0  e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b  .......|8x......
  0013dbb0  80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b  ................
  0013dbc0  9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00  .x......L...L...
  0013dbd0  01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00  ....`...........

Note that because this is a flaw in the Jet engine itself, some web hosting providers may also be affected: an attacker who can upload .asp and .mdb files can trigger the vulnerability server-side through the ADODB.Connection object.

Affected: Microsoft msjet40.dll 4.0.8618.0; Microsoft Access 2003 on Microsoft Windows XP SP2

Workarounds: If you cannot install the patch or upgrade immediately, SEBUG recommends the following measures to reduce the threat:

  • Prevent any application from loading the Microsoft Jet database engine. At a command prompt, enter:

      echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N

  • Use Group Policy to prevent any application from loading the Microsoft Jet database engine:
    1. Create the following script and name it JetCacls.cmd:

        @echo off
        if exist %systemdrive%\Cacls.log goto end
        cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N > nul 2>&1
        echo %date% %time%: Msjet Cacls updated > %systemdrive%\Cacls.log
        :end
        exit

    2. Copy JetCacls.cmd to the Netlogon share, or to another share on the domain controller from which JetCacls.cmd will be run.
    3. Set up JetCacls.cmd. In the Active Directory Users and Computers MMC snap-in, right-click the domain name and click Properties.
    4. Click the Group Policy tab.
    5. Click New to create a new Group Policy Object (GPO) and enter JetCacls as the policy name.
    6. Click the new policy, then click Edit.
    7. Expand Windows Settings under Computer Configuration and click Scripts.
    8. Double-click Startup, then click Add. The Add a Script dialog appears.
    9. In the Script Name box, type \\servername\sharename\JetCacls.cmd.
    10. Click OK, then click Apply.
    11. Restart the client computers that are members of this domain.
  • Block MDB files from being processed by the mail infrastructure.
  • Configure Outlook 2007 to read mail in plain text.
  • Do not open or save Jet or Microsoft Word files received from untrusted sources, or received unexpectedly from trusted sources.

Vendor patch:

Microsoft
---------
Microsoft has released security bulletin MS08-028 and a corresponding patch:
MS08-028: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749)
Link: http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx?pf=true
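The disassembly above shows the whole bug in three instructions: a byte count read from the file lands in ecx, and rep movsd / rep movsb copy exactly that many bytes into a fixed-size stack buffer at [esp+40h]. The C below is an added example written for this page, not code from msjet40.dll or from the Seebug advisory. It models the same pattern on a hypothetical record layout (a 32-bit little-endian count followed by the payload, which is an assumption, not the real MDB format) and uses an assumed destination size of 0x94 bytes, since the page does not state the real frame layout. unchecked_copy_overrun() reproduces the arithmetic of the vulnerable copy and reports how far past the buffer the 0x5200-byte copy from the debug session would write, without performing the write; checked_parse() is the hardened form that validates the count against both the destination size and the bytes actually present before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the on-stack destination at [esp+40h]. The real frame
   size in msjet40.dll is not stated on the page; 0x94 is a placeholder
   chosen so that the 0x5200-byte copy from the debug session overflows. */
#define STACK_BUF_SIZE 0x94

/* Hypothetical record layout (an assumption, not the real MDB on-disk
   format): a 32-bit little-endian byte count followed by that many bytes. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the unchecked copy from the disassembly: the attacker-controlled
   count goes straight into ecx, "shr ecx,2 / rep movsd" copies the dwords
   and "and ecx,3 / rep movsb" copies the remainder, so exactly n bytes land
   at [esp+40h] regardless of the frame size. Instead of performing the
   write, this returns how many bytes would land past the end of the
   destination (0 means the copy fits). */
size_t unchecked_copy_overrun(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 4)
        return 0;
    uint32_t n = read_le32(rec);
    size_t dword_bytes = (size_t)(n >> 2) * 4; /* rep movsd */
    size_t tail_bytes = n & 3;                  /* rep movsb */
    size_t total = dword_bytes + tail_bytes;    /* == n */
    return total > STACK_BUF_SIZE ? total - STACK_BUF_SIZE : 0;
}

/* Hardened version: the count is validated against both the destination
   size and the bytes actually present before anything is copied.
   Returns 0 on success, -1 truncated header, -2 count exceeds destination,
   -3 count exceeds the payload present in the record. */
int checked_parse(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_size, size_t *copied)
{
    if (rec_len < 4)
        return -1;
    uint32_t n = read_le32(rec);
    if (n > out_size)
        return -2;
    if ((size_t)n > rec_len - 4)
        return -3;
    memcpy(out, rec + 4, n);
    *copied = n;
    return 0;
}

int main(void)
{
    /* Constructed records, not taken from a real MDB file. */
    const uint8_t hostile[4] = { 0x00, 0x52, 0x00, 0x00 }; /* count 0x5200 */
    const uint8_t benign[12] = { 0x08, 0x00, 0x00, 0x00,
                                 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
    uint8_t out[STACK_BUF_SIZE];
    size_t copied = 0;
    int rc;

    printf("hostile record: unchecked copy would write %zu bytes past the buffer\n",
           unchecked_copy_overrun(hostile, sizeof hostile));
    rc = checked_parse(hostile, sizeof hostile, out, sizeof out, &copied);
    printf("hostile record: checked_parse -> %d\n", rc);
    rc = checked_parse(benign, sizeof benign, out, sizeof out, &copied);
    printf("benign record: checked_parse -> %d, copied %zu bytes\n", rc, copied);
    return 0;
}
```

The second check in checked_parse() matters as much as the first: a count that fits the destination but exceeds the bytes present in the file turns the copy into an out-of-bounds read of whatever follows the record in memory, which is a separate information-disclosure bug rather than the stack smash described above.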
id: SSV:3287
last seen: 2017-11-19
modified: 2008-05-17
published: 2008-05-17
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-3287
title: Microsoft Jet Database Engine MDB File Parsing Remote Stack Overflow Vulnerability (ms08-028)