看到DM大牛blog上提到了,就看了下,简单做下笔记
几篇文章的汇聚地址可以看dm的blog
http://hi.baidu.com/int3/blog/item/ff3ebb6261e86adae6113a86.html
CVE-2008-5499
flash的一个任意执行命令漏洞,只发生在linux平台上,且需要安装帮助,原文是(a valid helper application)
问题出在这个API调用: ASnative(2201, 2)("validAdobeApp", ";arbitrary command")
ASnative(2201, n) 本来是个 UnDocumented 的API,后来公开了,成为 System.Product 对象
用于产品升级使用。
这个漏洞属于一个典型的命令注入类型的漏洞
因为该API在Linux上最后会去调用系统的 system() 函数
Let's have a look at the relevant code snippets. First we find the function that handles the 2201 ASnative index in the ASnative reference table (2201 -> 899h).
.data.rel.ro:0095A480 ASnative_table dd 65h
.data.rel.ro:0095A484 dd offset sub_19EB50
...
.data.rel.ro:0095A530 dd 899h
.data.rel.ro:0095A534 dd offset ASnative_2201 ; start of path to systemOnce we figure out where ASnative(2201, n) lives and how it's called, we can start following relevant code to carve a path to the patched call to system(3) (essentially they moved it to a fork/execve construct in Flash 10).
.text:0024F64C cmp eax, 2 ; 2201, 2
.text:0024F64F nop
.text:0024F650 jz launch_case
...
.text:0024FAE0 launch_case:
...
.text:0024FAF3 call flash9_system
...
.text:004675B0 flash9_system proc near
...
.text:004675F1 call binary_digest_checker
...
.text:00467676 call _system ; \o/
所以就出现了类似 system("xxxx ; rm -rf *");
注意 2201 是 API index,这里需要指定index为2201,2
ASnative(2201, 2) // [System.Product.prototype] Launch - inner function
这个API才能走到system调用去
ASnative(2201, 2)()
红字部分就是注入的
ASnative(2201, 2)("validAdobeApp", ";arbitrary command")
漏洞已经修补。
分析文章中部分原文如下:
The ASnative(2201, 2)("validAdobeApp", ";arbitrary command") will execute arbitrary commands on vulnerable Flash Player 10r12 browsers, on Linux systems that also have Adobe AIR installed. The latter is a prerequisite only because we need a valid helper application installed in the ~/.macromedia/Flash_Player/www.macromedia.com/bin/ folder that we can launch.
原创文章如转载,请注明:转载自心动吧黑客BLOG [ http://www.abcxd.com/abcxd/ ]