Category: Network and Security

2012-06-25 17:18:35

I saw this mentioned on DM's blog, so I took a look and made some brief notes.


The collected links to the several articles can be found on dm's blog:
http://hi.baidu.com/int3/blog/item/ff3ebb6261e86adae6113a86.html

CVE-2008-5499

A Flash vulnerability allowing arbitrary command execution. It only occurs on Linux and requires a helper to be installed (the original wording is "a valid helper application").

The problem lies in this API call: ASnative(2201, 2)("validAdobeApp", ";arbitrary command")

ASnative(2201, n) was originally an undocumented API; it was later made public as the System.Product object,
which is used for product upgrades.

This vulnerability is a typical command injection.

This is because, on Linux, the API ultimately calls the system() library function.
Let's have a look at the relevant code snippets. First we find the function that handles the 2201 ASnative index in the ASnative reference table (2201 -> 899h).
.data.rel.ro:0095A480 ASnative_table dd 65h
.data.rel.ro:0095A484 dd offset sub_19EB50
...
.data.rel.ro:0095A530 dd 899h
.data.rel.ro:0095A534 dd offset ASnative_2201 ; start of path to system
Once we figure out where ASnative(2201, n) lives and how it's called, we can start following relevant code to carve a path to the patched call to system(3) (essentially they moved it to a fork/execve construct in Flash 10).

.text:0024F64C cmp eax, 2 ; 2201, 2
.text:0024F64F nop
.text:0024F650 jz launch_case
...
.text:0024FAE0 launch_case:
...
.text:0024FAF3 call flash9_system
...
.text:004675B0 flash9_system proc near
...
.text:004675F1 call binary_digest_checker
...
.text:00467676 call _system ; \o/


So you end up with something like system("xxxx ; rm -rf *");

Note that 2201 is the API index; here the index must be specified as 2201, 2:

ASnative(2201, 2) // [System.Product.prototype] Launch - inner function

Only this API reaches the system() call:
ASnative(2201, 2)()

The part shown in red in the original (the ";arbitrary command" argument) is the injected portion:
ASnative(2201, 2)("validAdobeApp", ";arbitrary command") 

The vulnerability has since been patched.
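As an added illustration (reconstructed example code, not Flash's own code nor the original analysis's), here is the vulnerable system(3) construction beside the fork/execve form the analysis says Flash 10 switched to; the helper_dir parameter, the function names and the use of /bin/false as a stand-in helper are assumptions, and the helper digest check seen in the listing is not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Reconstructed vulnerable pattern (not Flash's own code): helper path and caller
 * argument are pasted into one string for system(3), so /bin/sh parses the argument. */
int launch_vulnerable(const char *helper_dir, const char *app, const char *arg)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "%s/%s %s", helper_dir, app, arg) >= (int)sizeof cmd)
        return -1;
    int status = system(cmd);   /* ';' in arg starts a second shell command */
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Hardened pattern in the spirit of the Flash 10 fork/execve fix: no shell, the
 * helper is exec'd directly and arg reaches it verbatim as argv[1]. The helper
 * name is restricted to a bare file name so it cannot escape helper_dir. */
int launch_fixed(const char *helper_dir, const char *app, const char *arg)
{
    char path[512];
    if (app[0] == '\0' || strchr(app, '/') != NULL)
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", helper_dir, app) >= (int)sizeof path)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { path, (char *)arg, NULL };
        execv(path, argv);      /* returns only on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: with "; true" as the argument the shell runs a second
     * command and the vulnerable path reports 0; the fixed path runs false with
     * the literal argument "; true" and reports false's own status, 1. */
    printf("vulnerable: %d\n", launch_vulnerable("/bin", "false", "; true"));
    printf("fixed:      %d\n", launch_fixed("/bin", "false", "; true"));
    return 0;
}
```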

Part of the original analysis article reads as follows:

The ASnative(2201, 2)("validAdobeApp", ";arbitrary command") will execute arbitrary commands on vulnerable Flash Player 10r12 browsers, on Linux systems that also have Adobe AIR installed. The latter is a prerequisite only because we need a valid helper application installed in the ~/.macromedia/Flash_Player/ folder that we can launch.