2012-11-30: 细节已通知厂商并且等待厂商处理中 2012-12-03: 厂商已经主动忽略漏洞,细节向公众公开
搜索某些特定关键字时,搜索结果被加入script标签,引入一个浏览器控件(目前已经无法下载)。
关键字:
total commander
或者其他可以搜到TC的关键字,即可看到效果:浏览器提示安装ActiveX控件。研究了下发现某条搜索结果莫名消失,而且页面中被插入了一段JS代码。
<script >
// Script found in the search-result page described in this report, reflowed
// from its single-line form for review. Code tokens are unchanged; only line
// breaks, indentation and comments were added.
//
// Summary of what the visible code does:
//   1. On DOM ready it unconditionally injects a zero-size <OBJECT> (IE) or
//      hidden <embed> (Firefox/WebKit) into document.body.
//   2. It then probes for a native browser plugin ("npQMExtensions...").
//   3. If the plugin reports itself installed, a button is shown whose click
//      handler passes a parameter string to the plugin's QMStartUp method.
// `A`, `T` (A.baidu), `_this.qq`, `T._g` and `c` are defined outside this
// snippet; their behaviour is inferred from usage only.
A.init(function() {
  var _this = this,
      T = A.baidu,
      // _this.qq(...) is presumably an element lookup scoped to this result
      // card (verify against the host page).
      img = _this.qq('softdown_icon'),
      qqbtn = _this.qq('op_newsoftdown_qqbtn'),
      // NOTE(review): this id is spelled "newwoftdown" while its siblings use
      // "newsoftdown"; if that is a typo, bdbtn may never resolve to an element.
      bdbtn = _this.qq('op_newwoftdown_bdbtn'),
      qm = _this.qq('op_newsoftdown_qm'),
      browser = T.browser,
      i=0;

  // Load the icon a second time off-DOM so its dimensions can be read in
  // resize() once it has loaded.
  var img1 = new Image();
  img1.onload = resize;
  img1.src = img.src;

  // Hides the element following the result container when it is a <BR>
  // (nodeType 1 = element node). Otherwise it re-polls every 50 ms.
  // Note that `i` is only incremented in the branch taken when i >= 5, so
  // with i starting at 0 the counter never advances and the polling does
  // not stop until a <BR> sibling appears.
  function hideBr() {
    var next = _this.container.nextSibling;
    if (next && next.nodeType == 1 && next.tagName == 'BR') {
      next.style.display = 'none';
    } else {
      if (i < 5) {
        setTimeout(hideBr, 50);
      } else {
        i++;
      }
    }
  }

  // Scales the displayed icon to fit inside 64x64 px, keeping aspect ratio.
  function resize() {
    var w = img1.width,
        h = img1.height;
    if (w > 64 || h > 64) {
      if (w < h) {
        w = 64 * w / h;
        h = 64;
      }else {
        h = 64 * h / w;
        w = 64;
      }
    }
    img.style.width = w + 'px';
    img.style.height = h + 'px';
  }

  // Identifier later embedded in the parameter string sent to the plugin.
  var sid = '1018';;

  // SF groups the plugin injection / detection / invocation helpers.
  var SF = {
    softId: '',
    // Cached handle to the native plugin object once one has been obtained.
    validPlugin: null,

    // Appends an invisible plugin host element to the page.
    // IE branch: an <OBJECT> with a CLASSID and a CODEBASE URL. In Internet
    // Explorer, a CODEBASE on an OBJECT whose class is not registered locally
    // is what produces the "install this ActiveX control" prompt the report
    // describes. The element is width=0 height=0, so nothing is visibly
    // rendered.
    // NOTE(review): the CODEBASE host and file (test.zing.vn, ZingPlayWA.cab)
    // do not share the "qqpcmgr"/"npQMExtensions" naming used by the ProgID
    // and MIME type elsewhere in this script; whether this CLSID belongs to
    // the same component is not visible here.
    // Firefox/WebKit branch: a hidden <embed> of the plugin's MIME type.
    initObjectHtml:function(){
      var dv = document.createElement("div"),
          ihtml='';
      if(browser.ie){
        ihtml = '<OBJECT ID="ieWebActivater" CLASSID="CLSID:9149F99D-BC22-49c9-B952-845C94707595" CODEBASE="http://test.zing.vn/ZingPlayWA.cab#version=1,0,0,8" width=0 height=0 border=0></OBJECT>';
      }else if(browser.firefox || browser.isWebkit){
        ihtml = '<embed type="' + SF.getMimeType() + '" id="npQMExtensionsXPCOM" width=0 height=0 hidden=true></embed>';
      }
      dv.innerHTML = ihtml;
      document.body.appendChild(dv);
    },

    // Tries to obtain the plugin handle: an ActiveXObject by ProgID in IE,
    // or the injected <embed> element elsewhere (only if checkMimePlugin()
    // passes). Every failure is swallowed by the empty catch, so the user
    // sees no error when instantiation fails.
    initPlugin:function(){
      if (!SF.validPlugin) {
        try{
          if (browser.ie) {
            SF.validPlugin = new ActiveXObject("npQMExtensionsIE.Basic");
          } else if (browser.firefox || browser.isWebkit) {
            if (SF.checkMimePlugin()) {
              SF.validPlugin = T._g('npQMExtensionsXPCOM');
            } else {}
          }
        }catch(e){}
      }
    },

    // Empty placeholder in this capture.
    initEvent:function(){},

    // Entry point: inject the host element, then probe for the plugin.
    init: function() {
      SF.initObjectHtml(); 
      SF.initPlugin();
      SF.initEvent();
    },

    // MIME type the NPAPI-style plugin is expected to register.
    getMimeType:function() {
      return "application/qqpcmgr-extensions-mozilla";
    },

    // Returns whether the plugin MIME type is registered in
    // navigator.mimeTypes and the embed reports GetPluginVersion() of at
    // least 10000000. If the version check itself throws, the empty catch
    // leaves flag as true.
    // NOTE(review): the captured page wraps the line between `return` and
    // `flag`; this is treated as an extraction artefact. If that break were
    // present in the served script, automatic semicolon insertion would make
    // this function return undefined.
    checkMimePlugin:function() {
      var type = window.navigator.mimeTypes && window.navigator.mimeTypes[SF.getMimeType()];
      var flag = type?true:false;
      if (flag) {
        var plugin = T._g('npQMExtensionsXPCOM');
        try {
          if (plugin.GetPluginVersion == undefined || plugin.GetPluginVersion() < 10000000) {
            flag = false;
          }
        } catch(e) {}
      }
      return flag;
    },

    // Same acquisition logic as initPlugin(), with the try wrapped around
    // the whole check. Declares no parameters.
    checkWAPlugin: function() {
      try {
        if (!SF.validPlugin) {
          if (browser.ie) {
            SF.validPlugin = new ActiveXObject('npQMExtensionsIE.Basic');
          } else if (browser.firefox || browser.isWebkit) {
            if (SF.checkMimePlugin()) {
              SF.validPlugin = T._g('npQMExtensionsXPCOM');
            } else {}
          }
        }
      }catch (e) {}
    },

    // Asks the plugin whether the companion desktop software is installed.
    // Returns 1 (installed), 0 (not installed), 2 (no plugin handle), or
    // undefined when the plugin call throws, because bInstall is then never
    // assigned.
    isInstall: function() {
      var bInstall;
      SF.checkWAPlugin();
      if (SF.validPlugin) {
        try {
          bInstall = browser.ie ? SF.validPlugin.QMIsInstalled() : SF.validPlugin.QMIsInstall();
          bInstall = bInstall ? 1 : 0;
        } catch (e) {}
      }else {
        bInstall = 2;
      }
      return bInstall;
    },

    // Builds a command-line-style parameter string containing sid and hands
    // it to the plugin via QMStatUp. What the native side does with these
    // switches is not visible in this snippet.
    StartSoftMgr: function(sid) {
      SF.QMStatUp(5, '/page=taskmgr /softdetailid=' + sid + ' /action=download /parent=baidusearch');
    },

    // Forwards (index, parms) from page script to the native plugin's
    // QMStartUp method; errors are swallowed. strVersion is declared but
    // unused, and the arguments[2] passed to checkWAPlugin is ignored there.
    QMStatUp: function(index, parms) {
      var strVersion;
      SF.checkWAPlugin(arguments[2]);
      if (SF.validPlugin) {
        try {
          SF.validPlugin.QMStartUp(index, parms);
        } catch (e) {}
      }
    },

    // True only on IE/Firefox/WebKit when isInstall() reports 1.
    ieReady: function() {
      if ((browser.ie || browser.firefox || browser.isWebkit) && SF.isInstall() == 1) {
        return true;
      }else {
        return false;
      }
    }
  };

  T.dom.ready(function(){
    // Runs before any of the checks below, so the hidden OBJECT/embed is
    // injected for every visitor whose browser matches one of the branches
    // in initObjectHtml(), whether or not any button is present.
    SF.init();
    if (qqbtn && sid != '' && (browser.ie || browser.firefox || browser.isWebkit)) {
      if (SF.ieReady()) {
        // Plugin present and software installed: reveal the button and wire
        // its click to the plugin call.
        _this.qq('f').style.display = '';
        qqbtn.style.display = '';
        T.event.on(qqbtn, 'click', function() {
          SF.StartSoftMgr(sid);
        });
        // `c` is defined outside this snippet; presumably a logging or
        // statistics call (verify against the host page).
        c({'fm': 'inlo', rsv_qsd: 1});
      }else if (bdbtn) {
        qm.style.display = 'block';
        c({'fm': 'inlo', rsv_qsd: 2});
      }
    } else {
      if (!bdbtn) {
        setTimeout(hideBr, 50);
      }
    }
  });;
});</script>
触发效果与分析结果,印象中此类问题已经出现很久了。
这到底是个咋回事???
危害等级:无影响厂商忽略
忽略时间:2012-12-03 10:46
经过与产品线沟通,该问题不属于安全漏洞。为了不引起外界误解我们已做相应处理,感谢你的提交。
暂无
好吧我知道信封
@El4pse 你知道的太多了
@Henry:bobo 你咋还没去当兵啊
非挂马,是与腾讯合作的一个东西。
width=0 height=0 border=0 有类如上述字符的代码一般都见不得光
cab文件下载地址:http://dl.play.zing.vn/minigamefile/ZingPlayWA.cab ,下载后发现是个类似于QQGame的游戏大厅