Secur1ty just lik3 a girl. B0th of th3m h4ve s0me h0les. Y0u alw4ys try to f1nd the h0le, but n0t 3very tim3 y0u c4n 3xpl0it it!
Notes on CVE-2008-5499, the Flash arbitrary command execution vulnerability
2009-01-05 15:26
I saw this mentioned on DM's blog, had a look, and am jotting down some quick notes. The links to the several relevant articles are collected on dm's blog: http://hi.baidu.com/int3/blog/item/ff3ebb6261e86adae6113a86.html

CVE-2008-5499 is an arbitrary command execution vulnerability in Flash. It only occurs on the Linux platform and requires a helper to be installed (the original text says "a valid helper application").

The problem lies in this API call:

ASnative(2201, 2)("validAdobeApp", ";arbitrary command")

ASnative(2201, n) was originally an undocumented API; it was later made public as the System.Product object, which is used for product upgrades.

This vulnerability is a typical command injection, because on Linux the API ultimately calls the system's system() function.

Quoted from the analysis:

Let's have a look at the relevant code snippets. First we find the function that handles the 2201 ASnative index in the ASnative reference table (2201 -> 899h).

.data.rel.ro:0095A480 ASnative_table dd 65h
Once we figure out where ASnative(2201, n) lives and how it's called, we can start following relevant code to carve a path to the patched call to system(3) (essentially they moved it to a fork/execve construct in Flash 10).
So you end up with something like system("xxxx ; rm -rf *");

Note that 2201 is the API index; here the index must be specified as 2201, 2:

ASnative(2201, 2) // [System.Product.prototype] Launch - inner function

Only this API reaches the system() call: ASnative(2201, 2)()

The part in red (the second argument) is the injected portion:

ASnative(2201, 2)("validAdobeApp", ";arbitrary command")

The vulnerability has already been patched.

Part of the original text from the analysis article reads as follows:

The ASnative(2201, 2)("validAdobeApp", ";arbitrary command") will execute arbitrary commands on vulnerable Flash Player 10r12 browsers, on Linux systems that also have Adobe AIR installed. The latter is a prerequisite only because we need a valid helper application installed in the ~/.macromedia/Flash_Player/www.macromedia.com/bin/ folder that we can launch.
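The bug class described above, recreated as a small added C demo (not code from this post or from Flash Player): the pre-fix shape builds a single command line for system(3), a check shows why a ';' in the argument is dangerous, and the hardened shape mirrors the fork/execve construct the notes mention, passing the argument as its own argv element so no shell ever parses it. The /tmp/helper-demo directory and /bin/echo standing in for the helper are assumptions of the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape (pre-fix): helper name and caller-controlled argument are
 * glued into one command line for system(3); /bin/sh parses it, so a ';' in
 * arg ends the helper command and starts a second one. The directory is a
 * constructed stand-in for ~/.macromedia/Flash_Player/www.macromedia.com/bin/. */
int build_shell_command(const char *app, const char *arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/tmp/helper-demo/%s %s", app, arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Detection check: does arg contain anything /bin/sh would reinterpret? */
int has_shell_metachar(const char *arg)
{
    return strpbrk(arg, ";|&$`<>()\n\"'\\") != NULL;
}

/* Hardened shape (what the Flash 10 fork/execve construct achieves): no shell,
 * arg travels as one argv element, so ";arbitrary command" is just an odd
 * literal to the helper. Returns the helper's exit status, -1 if not run. */
int launch_helper_execv(const char *helper_path, const char *arg)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, (char *)arg, NULL };
        execv(helper_path, argv);
        _exit(127);          /* exec failed; never fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *arg = ";arbitrary command";   /* injected value from the advisory */
    build_shell_command("validAdobeApp", arg, cmd, sizeof cmd);
    printf("system() would parse: %s\n", cmd);
    printf("metacharacter present: %d\n", has_shell_metachar(arg));
    printf("execv exit status: %d\n", launch_helper_execv("/bin/echo", arg));
    return 0;
}
```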