CVE-2008-1092 (CNNVD-200803-401)

CRITICAL
中文标题:
Microsoft Jet数据库引擎MDB文件解析远程栈溢出漏洞
英文标题:
Buffer overflow in msjet40.dll before 4.0.9505.0 in Microsoft Jet Database Engine allows remote atta...
CVSS分数: 9.3
发布时间: 2008-03-25 16:00:00
漏洞类型: 授权问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Microsoft Jet数据库是MS Office应用程序中广泛使用的轻型数据库。 Jet数据库在处理畸形MDB文件时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞通过诱使用户处理恶意文件,控制服务器。 Office Access在解析MDB文件时会调用Jet数据库引擎(msjet40.dll),如果解析了恶意的MDB文件就会在以下代码中触发栈溢出: C:\Windows\System32\msjet40.dll,版本为4.0.8618.0 .text:1B0B72BB mov ecx, edx ; ecx=0x5200 .text:1B0B72BD mov esi, edi ; esi point to the datas .text:1B0B72BF mov ebp, ecx ; which can be find in the mdb file .text:1B0B72C1 lea edi, [esp+40h] ; edi point to stack memory .text:1B0B72C5 shr ecx, 2 .text:1B0B72C8 rep movsd ; stack overflow!! .text:1B0B72CA mov ecx, ebp .text:1B0B72CC mov eax, [eax+1] .text:1B0B72CF and ecx, 3 .text:1B0B72D2 rep movsb 以下为调试信息: eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60 eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216 msjet40!Ordinal55+0x23cd8: 1b0b72c5 c1e902 shr ecx,2 0:000> u eip msjet40!Ordinal55+0x23cd8: 1b0b72c5 c1e902 shr ecx,2 1b0b72c8 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 1b0b72ca 8bcd mov ecx,ebp 1b0b72cc 8b4001 mov eax,dword ptr [eax+1] 1b0b72cf 83e103 and ecx,3 1b0b72d2 f3a4 rep movs byte ptr es:[edi],byte ptr [esi] 1b0b72d4 8bb424d4000000 mov esi,dword ptr [esp+0D4h] 1b0b72db 8b4b28 mov ecx,dword ptr [ebx+28h] 0:000> db esi 05f5cd12 00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41 .O.S.~.1.\.V.B.A 05f5cd22 00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42 .\.V.B.A.6.\.V.B 05f5cd32 00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56 .E.6...D.L.L.#.V 05f5cd42 00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61 .i.s.u.a.l. .B.a 05f5cd52 00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20 .s.i.c. .F.o.r. 05f5cd62 00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74 .A.p.p.l.i.c.a.t 05f5cd72 00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00 .i.o.n.s........ 05f5cd82 00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34 .......*.\.G.{.4 0:000> db edi 0013db60 09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b .............Q.. 0013db70 86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00 ................ 0013db80 22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05 "|.............. 0013db90 3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05 <............x.. 0013dba0 e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b .......|8x...... 0013dbb0 80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b ................ 0013dbc0 9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00 .x......L...L... 0013dbd0 01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00 ....`........... 请注意由于这是Jet引擎中的漏洞,因此一些网络空间供应商也可能受影响。攻击者可以上传.asp和.mdb文件,并通过ADODB.Connection服务器对象利用这个漏洞。

英文描述:

Buffer overflow in msjet40.dll before 4.0.9505.0 in Microsoft Jet Database Engine allows remote attackers to execute arbitrary code via a crafted Word file, as exploited in the wild in March 2008. NOTE: as of 20080513, Microsoft has stated that this is the same issue as CVE-2007-6026.

CWE类型:
CWE-119
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
microsoft word 2000 - - cpe:2.3:a:microsoft:word:2000:sp3:*:*:*:*:*:*
microsoft word 2002 - - cpe:2.3:a:microsoft:word:2002:sp3:*:*:*:*:*:*
microsoft word 2003 - - cpe:2.3:a:microsoft:word:2003:sp2:*:*:*:*:*:*
microsoft word 2003_sp3 - - cpe:2.3:a:microsoft:word:2003_sp3:*:*:*:*:*:*:*
microsoft word 2007 - - cpe:2.3:a:microsoft:word:2007:*:*:*:*:*:*:*
microsoft word 2007_sp1 - - cpe:2.3:a:microsoft:word:2007_sp1:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
1019686 vdb-entry
cve.org
访问
VU#936529 third-party-advisory
cve.org
访问
MS08-028 vendor-advisory
cve.org
访问
microsoft-jet-msjet40-bo(41380) vdb-entry
cve.org
访问
SSRT080071 vendor-advisory
cve.org
访问
950627 vendor-advisory
cve.org
访问
CVSS评分详情
9.3
CRITICAL
CVSS向量: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS版本: 2.0
机密性
COMPLETE
完整性
COMPLETE
可用性
COMPLETE
时间信息
发布时间:
2008-03-25 16:00:00
修改时间:
2024-08-07 08:08:57
创建时间:
2025-11-11 15:32:50
更新时间:
2025-11-11 15:49:25
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2008-1092 2025-11-11 15:17:59 2025-11-11 07:32:50
NVD nvd_CVE-2008-1092 2025-11-11 14:52:33 2025-11-11 07:41:37
CNNVD cnnvd_CNNVD-200803-401 2025-11-11 15:08:59 2025-11-11 07:49:25
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 15:49:25
vulnerability_type: 未提取 → 授权问题; cnnvd_id: 未提取 → CNNVD-200803-401; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 授权问题
  • cnnvd_id: 未提取 -> CNNVD-200803-401
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:41:37
severity: SeverityLevel.MEDIUM → SeverityLevel.CRITICAL; cvss_score: 未提取 → 9.3; cvss_vector: NOT_EXTRACTED → AV:N/AC:M/Au:N/C:C/I:C/A:C; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 6; references_count: 7 → 6; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.CRITICAL
  • cvss_score: 未提取 -> 9.3
  • cvss_vector: NOT_EXTRACTED -> AV:N/AC:M/Au:N/C:C/I:C/A:C
  • cvss_version: NOT_EXTRACTED -> 2.0
  • affected_products_count: 0 -> 6
  • references_count: 7 -> 6
  • data_sources: ['cve'] -> ['cve', 'nvd']