Microsoft Windows MFC Library Document Title Update Stack Overflow Vulnerability
SEBUG-ID:19920
SEBUG-Appdir:Microsoft Windows
Published:2010-07-05
Vulnerable:
Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows 2000 SP4
Description:
BUGTRAQ ID: 41333
Microsoft Windows is Microsoft's widely used operating system.
The UpdateFrameTitleForDocument() function of the CFrameWnd class in the Windows mfc42.dll library contains a stack overflow that is reached while updating the document title. If a user is tricked into opening a malicious document file that causes an overly long title string to be passed to this function, the overflow is triggered and arbitrary code may be executed.
SEBUG Solution:
Vendor patch:
Microsoft
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version.
// sebug.net [2010-07-07]
void CFrameWnd::UpdateFrameTitleForDocument(LPCTSTR lpszDocName)
{
    CString WindowText;
    if (GetStyle() & FWS_PREFIXTITLE)
    {
        // get name of currently active view
        if (lpszDocName != NULL)
        {
            WindowText += lpszDocName;
            // add current window # if needed
            if (m_nWindow > 0)
            {
                TCHAR szText[32];
                // :%d will produce a maximum of 11 TCHARs
                wsprintf(szText, _T(":%d"), m_nWindow);
                WindowText += szText;
            }
            WindowText += _T(" - ");
        }
        WindowText += m_strTitle;
    }
    else
    {
        // get name of currently active view
        WindowText += m_strTitle;
        if (lpszDocName != NULL)
        {
            WindowText += _T(" - ");
            WindowText += lpszDocName;
            // add current window # if needed
            if (m_nWindow > 0)
            {
                TCHAR szText[32];
                // :%d will produce a maximum of 11 TCHARs
                wsprintf(szText, _T(":%d"), m_nWindow);
                WindowText += szText;
            }
        }
    }
    // set title if changed, but don't remove completely
    // Note: will be excessive for MDI Frame with maximized child
    AfxSetWindowText(m_hWnd, (LPCTSTR) WindowText);
}
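The advisory's core point is that a title string of attacker-chosen length reaches a fixed-size stack buffer without a bound check. The following is an added example, not MFC code and not part of the original advisory: it builds the same "document[:window] - title" text as the FWS_PREFIXTITLE branch above, but into a caller-supplied buffer with an explicit capacity, truncating and reporting rather than overrunning. The function name build_frame_title, the TITLE_MAX limit and the sample inputs are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed small capacity so that truncation is easy to observe. */
#define TITLE_MAX 64

/* Format "<doc>[:<n>] - <app_title>" into out[0..cap-1].
 * Never writes past the buffer and always NUL-terminates (snprintf does
 * both as long as cap is passed honestly). Returns true when the whole
 * text fit, false when it had to be cut short. */
bool build_frame_title(char *out, size_t cap, const char *doc_name,
                       unsigned window_no, const char *app_title)
{
    if (out == NULL || cap == 0)
        return false;
    out[0] = '\0';
    size_t used = 0;
    int n;

    if (doc_name != NULL) {
        if (window_no > 0)
            n = snprintf(out, cap, "%s:%u - ", doc_name, window_no);
        else
            n = snprintf(out, cap, "%s - ", doc_name);
        if (n < 0) {              /* encoding error: leave an empty title */
            out[0] = '\0';
            return false;
        }
        if ((size_t)n >= cap)     /* would not fit; buffer holds a safe prefix */
            return false;
        used = (size_t)n;
    }
    n = snprintf(out + used, cap - used, "%s", app_title ? app_title : "");
    if (n < 0)
        return false;
    return (size_t)n < cap - used;
}

/* Normal input: a short name with window number 2 formats exactly. */
int demo_normal_case(void)
{
    char buf[TITLE_MAX];
    bool fit = build_frame_title(buf, sizeof buf, "report.doc", 2, "MyApp");
    return fit && strcmp(buf, "report.doc:2 - MyApp") == 0;
}

/* No document open: only the application title is shown. */
int demo_no_document_case(void)
{
    char buf[TITLE_MAX];
    bool fit = build_frame_title(buf, sizeof buf, NULL, 0, "MyApp");
    return fit && strcmp(buf, "MyApp") == 0;
}

/* Constructed 200-character document name, far beyond TITLE_MAX.
 * Returns the length actually stored (TITLE_MAX - 1) when the call
 * correctly reports truncation, or -1 if anything went wrong. */
int demo_long_name_case(void)
{
    char name[201];
    memset(name, 'A', 200);
    name[200] = '\0';
    char buf[TITLE_MAX];
    bool fit = build_frame_title(buf, sizeof buf, name, 1, "MyApp");
    if (fit || strlen(buf) != TITLE_MAX - 1)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    printf("normal case ok: %d\n", demo_normal_case());
    printf("no document ok: %d\n", demo_no_document_case());
    printf("long name stored length: %d\n", demo_long_name_case());
    return 0;
}
```

The defensive detail is the return-value check after each snprintf: a result of cap or more means the text was cut, and the caller learns that instead of silently writing past the end as an unbounded wsprintf into a stack array would.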