VGX.DLL Compressed Content Heap Overflow Vulnerability

This article analyses in detail the heap overflow vulnerability in VGX.DLL's handling of compressed content, explains how the flaw can be exploited to execute arbitrary code, and provides mitigation measures and Microsoft's patch information.


Release Date:
August 14, 2007

Date Reported:
October 24, 2006

Severity:
High (Code Execution)

Systems Affected:
Internet Explorer 6 SP1 - Windows 2000 SP4
Internet Explorer 6 SP1 - Windows XP SP1
Internet Explorer 6 SP2 - Windows XP SP2
Internet Explorer 6 SP1 - Windows Server 2003 SP1
Internet Explorer 6 SP2 - Windows Server 2003 SP2

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
VGX.DLL's processing of compressed content referenced from VML.  VGX.DLL
is the Microsoft component responsible for rendering VML (Vector Markup
Language) within Internet Explorer.

If a user views a malicious web page or HTML e-mail containing VML that
points to compressed content on an attacker-controlled web server, the
attacker can cause a heap overflow within the viewing application,
leading to the execution of arbitrary code.

(Note that, in order to be exploited directly from HTML e-mail, the
victim must attempt to view the malicious e-mail in the Internet Zone,
or with otherwise equivalent security and privacy settings that allow
internet content to be downloaded and displayed.)

Technical Details:
VGX.DLL contains an implementation of the CDownloadSink class that
processes data downloaded from URLs embedded within VML.  For instance,
the following VML will download additional content which will be handled
by VGX.DLL!CDownloadSink::OnDataAvailable:

    <v:rect>
    <v:imagedata src="http://malice/compressed.emz">
    </v:rect>

An integer underflow vulnerability exists within
VGX.DLL!CDownloadSink::OnDataAvailable that can eventually cause
URLMON.DLL!CMimeFt::SmartRead to overflow a heap buffer, due to a
misreported buffer size when handling compressed content.  The second
argument ([EBP+10h]; [EBP+8] is the 'this' pointer) passed into
CDownloadSink::OnDataAvailable is the total length of all raw
(compressed) data received so far, but the function will subtract the
total length of uncompressed data in its buffer from the total length of
raw data when calculating the read limit to be passed to
URLMON.DLL!CReadOnlyStreamDirect::Read.  Assuming that the data is
larger uncompressed than compressed, an integer underflow can be made to
occur, causing a very large value (roughly 4GB) to be supplied as the
read limit.  If the amount of data subsequently read exceeds the amount
of unused space in the buffer, a heap overflow with arbitrary binary
data will result.
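The read-limit arithmetic described above, modelled as an added example (this is not VGX.DLL's or URLMON.DLL's code; the function names, the 4096-byte buffer and the sample lengths are assumptions). It contrasts the unchecked subtraction with a version that bounds the limit by the buffer's unused space, and shows which of the two lets a subsequent read exceed that space.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define BUF_SIZE 4096u   /* assumed size of the sink's output buffer */

/* Flawed limit, as the advisory describes it: the total raw (compressed)
 * bytes received so far minus the uncompressed bytes already buffered.
 * The two quantities are unrelated, so when data expands on
 * decompression the unsigned subtraction wraps to roughly 4GB. */
uint32_t flawed_read_limit(uint32_t raw_total, uint32_t uncompressed_len) {
    return raw_total - uncompressed_len;
}

/* Hardened limit: whatever the caller intends to read, never exceed the
 * space still unused in the destination buffer, and treat a would-be
 * underflow as "no meaningful intended size" rather than a huge one. */
uint32_t safe_read_limit(uint32_t raw_total, uint32_t uncompressed_len,
                         uint32_t buf_size) {
    if (uncompressed_len > buf_size)
        return 0;                               /* inconsistent state: refuse */
    uint32_t unused = buf_size - uncompressed_len;
    if (raw_total < uncompressed_len)
        return unused;                          /* subtraction would underflow */
    uint32_t intended = raw_total - uncompressed_len;
    return intended < unused ? intended : unused;
}

/* Models the downstream read: it copies min(limit, available) bytes into
 * the buffer, so the heap is overrun when that exceeds the unused space. */
bool read_overflows(uint32_t limit, uint32_t available, uint32_t unused) {
    uint32_t n = limit < available ? limit : available;
    return n > unused;
}

int main(void) {
    /* constructed scenario: 1000 raw bytes have arrived, but they already
     * decompressed to 1500 bytes sitting in the buffer */
    uint32_t raw = 1000, buffered = 1500, unused = BUF_SIZE - buffered;
    uint32_t bad = flawed_read_limit(raw, buffered);
    uint32_t good = safe_read_limit(raw, buffered, BUF_SIZE);
    printf("flawed limit 0x%08x overflows: %d\n", bad, read_overflows(bad, 5000, unused));
    printf("safe   limit %u overflows: %d\n", good, read_overflows(good, 5000, unused));
    return 0;
}
```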

Exploitation requires that CDownloadSink::OnDataAvailable be invoked at
least twice -- once to load the buffer with some non-zero length of
uncompressed data, and a second time to cause the overflow -- so the
compressed data must be received in distinct (e.g., time-separated)
pieces.  Since such divisions may occur legitimately, positively
identifying attempts to exploit this vulnerability is difficult, and
conversely, even legitimate web sites may cause a non-malicious heap
overflow to occur.

Internet Explorer 7 silently fixed the vulnerability roughly ten months
ago, due to a change in URLMON.DLL's behavior when reading compressed
content.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS07-050.mspx

Credit:
Discovery: Ben Nagy and Derek Soeder
Research: Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html