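Given how dangerous this vulnerability is, and as a security service provider for Microsoft (US) in China, we published an advisory at the earliest opportunity, worked out the vulnerability details and submitted them to the relevant Microsoft departments. The specific details will not be published here.
The KnownSec team recently captured malicious code that attacks through an out-of-bounds memory vulnerability in IE7. The vulnerability leaked within a small circle in November and only around December 9 was it fully sold and circulated in the underground economy. Someone has also rushed out a web-trojan generator, and we believe it will become very widespread in the short term.
When our monitoring system first captured this vulnerability, our team did not analyze it in much detail and assumed it was a vulnerability that had already been patched. We also found many web trojans and code posts on the Internet and assumed it was not a 0day, so through internal sharing and pasting we let out the code circulating on the Internet and the code of the trojan-hosting pages. This was our mistake :(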
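History:
IE7's XML handling contains a vulnerability that can cause out-of-bounds memory access; arbitrary code can be executed by writing malformed XML and using JavaScript to manipulate shellcode.
Word of an IE7 vulnerability began circulating in the second half of 2008. Around October it started to leak out through private sales, and in November it entered black-market trading, with people beginning to sell it in face-to-face deals.
It finally appeared on the Internet in December: large numbers of second-hand and third-hand copies circulated among the operators of the underground economy, and from early December many people bought second-hand code to develop generators. On the 9th it began to appear in web-trojan attacks.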
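Analysis:
Affected versions:
Operating systems:
WINDOWS XP
WINDOWS 2003
Browser:
IE7
Description:
An error in how SDHTML handles objects leads to memory corruption.
Under certain constructed conditions, SDHTML detects an error and frees an object that has already been allocated. After freeing it, however, SDHTML does not return and instead continues executing with the freed object's memory. If that memory has since been allocated for another purpose, SDHTML will operate on it as if it were an object. The 0day trojan-hosting pages use the XML SRC string object to occupy the space of the freed object, and because the object pointer contains function routine pointers, this ultimately leads to code execution.
As this vulnerability has not yet been patched, please wait for the detailed reference that accompanies Microsoft's official patch for the specifics.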
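Defense:
1. Watch Microsoft's official website and download the patch promptly.
2. Enable DEP protection:
System Properties > Advanced > Performance > Data Execution Prevention
This can prevent malicious attacks.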
sigma smp8634/8635 toolchain rootfs building source.
=================
Readme.txt
=================
This is the Sigma Designs customization of the root file system for the
SMP86xx family of chips.
This package of course depends heavily on the toolchain and kernel
packages.
Quick HOW-TO
============
a) You need to have a working toolchain package. Once you have built your
toolchain, be sure to source toolchain-path.env. This is required for you to
be able to build the rootfs package.
b) Untar the rootfs package.
c) First, configure your root file system: 'make menuconfig'. All the options
in the configuration menus have detailed help. Once you are satisfied with
your choice of options, exit and save the configuration.
d) If you are using the toolchain composed of gcc 3.4.2, binutils 2.15.91.0.2,
and uClibc 0.9.27 (defined in the toolchain package) then you must select
Busybox 1.00 from the 'Package Selection for the target --->' menu.
If on the other hand you are using the toolchain composed of gcc 4.0.4,
binutils 2.17, and uClibc 0.9.28.3 then you must select Busybox 1.5 from
the 'Package Selection for the target --->' menu.
e) If you chose to customize your root file system (option 'customize' in
submenu 'Package Selection for the target'), be sure to prepare your custom
files now.
f) Run 'make' to produce your root file system.
IMPORTANT NOTE: as of this release, the only supported option in the 'Target
Options' menu is 'cramfs root filesystem for the target device' (with all its
suboptions). Any other option is currently unsupported and some are known to
not work.
Once you are through with step e), your root file system is available in the
main directory of the package as 'root_fs_mipsel.cramfs'.
Note about the integration with the toolchain and the kernel source packages
============================================================================
The rootfs package is now integrated with the toolchain package and the
kernel source package and is able to interact with them in the following
ways:
a) it can grab the necessary runtime libraries from the toolchain package.
b) it can receive the kernel modules and support files from the kernel source
package.
c) the kernel source package can use the produced rootfs image for its initial
RAM disk.
For interaction a) to take place, the SMP86XX_TOOLCHAIN_PATH environment
variable must be defined and it must point to the main directory of the
produced toolchain. The easiest way to achieve that is by sourcing the
'toolchain-path.env' environment file after it is produced at the end of the
toolchain production.
Note that defining SMP86XX_TOOLCHAIN_PATH is not optional. The build will not
go through unless the environment variable is defined and points to a correct
location. This is because, even if the build went through, the resulting root
file system would be unusable as it would not provide *any* run time library.
For interactions b) and c) to take place, the SMP86XX_ROOTFS_PATH environment
variable must be defined and must point to the main directory of the rootfs
package. The easiest way to achieve that is by sourcing the 'rootfs-path.env'
environment file after it is produced, right after you run 'make' or
'make menuconfig' for the first time.
When SMP86XX_ROOTFS_PATH is defined and points to a valid location, the kernel
source package is able to:
b) install its modules to the correct location under the customization
directory ('package/customize/source') in the rootfs package. In order to
then make sure the modules end up in the produced rootfs image, you must
select the 'customize' option under the 'Package Selection for the target'
menu in 'make menuconfig'.
c) grab the produced rootfs image (root_fs_mipsel.cramfs) and use it for its
initial RAM disk.
Thus, in order to produce a rootfs holding the kernel modules and use it as the
kernel initial RAM disk, you need to go through the following steps in order
(note: this is convoluted):
1) optionally build the toolchain (or use an existing one, more recent than
2.6.90.0)
2) source toolchain-path.env in the toolchain package directory
3) configure the rootfs package with the 'customize' option on in the
'Package Selection for the target' menu
4) source 'rootfs-path.env' in the rootfs package directory
5) configure the kernel, review what is configured as modules, 'make dep'
6) 'make modules' in the kernel source directory
7) the 'modules_install' target for the kernel requires that the system map
has already been produced. In order to achieve that, build a first version
of the kernel: 'make vmlinux'
8) 'make modules_install' in the kernel source directory. The modules are now
installed in the rootfs package customization directory.
9) 'make' in the rootfs package directory. You have now produced a rootfs
image holding the kernel modules.
10) 'make' in the kernel source directory. You have now produced a linux ZBF
image with an initrd holding the kernel modules.
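Steps 2 to 10 above as a shell script, added here as an example and not part of the Sigma Designs package. The three directory arguments and the function names are assumptions; the interactive parts (step 3 with 'customize' on, and the kernel configuration in step 5) are expected to have been done already.

```shell
#!/bin/sh
# Added example, not from the rootfs package. Hypothetical usage:
#   sh build-all.sh <toolchain-dir> <rootfs-dir> <kernel-dir>

err() { echo "error: $*" >&2; }

# Source an env file, then confirm the variable it should define is a directory.
load_env() {    # usage: load_env <env-file> <variable-name>
    [ -f "$1" ] || { err "$1 not found"; return 1; }
    . "$1"
    eval "val=\${$2:-}"
    [ -n "$val" ] && [ -d "$val" ] && return 0
    err "$2 is unset or does not point to a directory"
    return 1
}

build_rootfs_with_modules() {   # usage: <toolchain-dir> <rootfs-dir> <kernel-dir>
    tc=$1 rfs=$2 kern=$3
    load_env "$tc/toolchain-path.env" SMP86XX_TOOLCHAIN_PATH || return 1   # step 2
    load_env "$rfs/rootfs-path.env" SMP86XX_ROOTFS_PATH || return 1        # step 4

    make -C "$kern" dep             || return 1   # step 5 (kernel already configured)
    make -C "$kern" modules         || return 1   # step 6
    make -C "$kern" vmlinux         || return 1   # step 7: produces the system map
    make -C "$kern" modules_install || return 1   # step 8

    # After step 8 the modules must sit under the customization directory,
    # otherwise step 9 builds an image without them.
    custom="$SMP86XX_ROOTFS_PATH/package/customize/source"
    [ -d "$custom" ] || { err "no modules under $custom"; return 1; }

    make -C "$rfs" || return 1                    # step 9
    [ -f "$rfs/root_fs_mipsel.cramfs" ] || { err "rootfs image not produced"; return 1; }
    make -C "$kern"                               # step 10
}

# Run only when the three directories are given, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    build_rootfs_with_modules "$@"
fi
```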
Coming features
===============
N/A
Troubleshooting
===============
a) when building the cramfs utility tool, the compiler complains that it can't
find 'zlib.h' or '-lz'.
You need to have the development version of zlib installed on your system.
How to do that depends on your distribution.