Baidu Hi: two potentially exploitable vulnerabilities disclosed! _派派后花园

qaws1222 (original poster), posted: 2008-03-30
I have now done a somewhat deeper analysis of Baidu's new chat tool; the next step of the analysis will be carried out in an assembly-level debugger. First, the potential threats I found:

1. SWF file cross-site vulnerability

In the MovieData folder inside the Baidu Hi installation folder there are 3 swf files: loginCarton.swf, videoConnectingBig.swf and videoConnectingSmall.swf. Of these, loginCarton.swf is the most likely to be exploited. Here Baidu falls behind Tencent: the swf files were not properly embedded and are left exposed on disk. A virus could infect them by dropping malicious swf files over them. loginCarton.swf is Baidu Hi's startup animation, which is very dangerous, because swf trojans are very common on the web. Moreover, it is trivial for a virus to find this directory: it only needs to read the registry as SYSTEM; the path is stored in the "path" value under [HKEY_LOCAL_MACHINE\SOFTWARE\3D SoftWare]. If the registry is modified and this value is changed by hand, it could trigger an even bigger crisis!



2. Auto-update vulnerability

This vulnerability has not been tested yet, but it should become widespread in the future, because everyone's Baidu Hi is currently the latest version and does not need updating. When an update is needed in the future, this vulnerability will be very dangerous. Baidu Hi's update files are in the AutoUpdate folder. BaiduHiUpdate.exe performs the update by reading config.ini; let's look at the contents of config.ini:

[AutoUpdate]
ConfigFileUrl=http://update.im.baidu.com/AutoUpdate/AutoUpdate.xml
IsAutoUpdate=1
ConfigFileKey1=3F26F386EB827C141DF8FE539B7ECDF4
ConfigFileKey2=128509257100000000
LSTm_AutoUpdate=1206596754

It appears it downloads the file http://update.im.baidu.com/AutoUpdate/AutoUpdate.xml. I downloaded and opened it, and its contents are identical to the AutoUpdate.xml in the AutoUpdate folder. Both read as follows:
<AutoUpdate version="1.0">
<Updater version="1.0.0.8" url="http://update.im.baidu.com/AutoUpdate/updater48-49.cab" md5="8312201dc14e0ff595680f6bcf4d0fb1" hint="update 49">
<File name="atl71.dll" dest="updater:" type="bin" operation="add" />
<File name="AutoInstall.exe" dest="updater:" type="bin" operation="add" />
<File name="AutoUpdateUtil.dll" dest="updater:" type="bin" operation="add" />
<File name="BaiduHiUpdate.exe" dest="updater:" type="bin" operation="add" />
<File name="Basement.dll" dest="updater:" type="bin" operation="add" />
<File name="config.ini" dest="updater:" type="resource" operation="add" />
<File name="msvcp71.dll" dest="updater:" type="bin" operation="add" />
<File name="msvcr71.dll" dest="updater:" type="bin" operation="add" />
<File name="resource.db" dest="updater:" type="resource" operation="add" />
<File name="VersionInfo.xml" dest="updater:" type="resource" operation="add" />
</Updater>
<Module name="BaiduHi" version="1.0.1.0" level="forcePrompt">
<Upgrade versionLow="1.0.0.48" hint="update 49" md5="f684d6220bb2771433410e482287cc58" url="http://update.im.baidu.com/AutoUpdate/upgrade48-49.cab">
<File name="AppUtil.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="BaiduHi.exe" dest="BaiduHi:" type="bin" operation="add" />
<File name="Basement.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="BugReport.exe" dest="BaiduHi:" type="bin" operation="add" />
<File name="CSTransfer.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="HistoryExplorer.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="ImEngine.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="ImStorage.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="LocalLog.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="NetService.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="RUDPLib.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="SkinDLL.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="UPnPDll.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="VersionInfo" dest="BaiduHi:" type="resource" operation="add" />
<File name="fmmgr.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="imcs.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="uninst.exe" dest="BaiduHi:" type="bin" operation="add" />
</Upgrade>
<FullPackage hint="update 49" md5="3af7588de47c7fdcb9ca5421de4c444c" url="http://update.im.baidu.com/AutoUpdate/fullpackage48-49.cab">
<File name="AppUtil.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="BaiduHi.exe" dest="BaiduHi:" type="bin" operation="add" />
<File name="Basement.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="BugReport.exe" dest="BaiduHi:" type="bin" operation="add" />
<File name="CSTransfer.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="HistoryExplorer.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="ImEngine.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="ImStorage.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="LocalLog.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="MovieData\loginCarton.swf" dest="BaiduHi:MovieData" type="resource" operation="add" />
<File name="MovieData\videoConnectingBig.swf" dest="BaiduHi:MovieData" type="resource" operation="add" />
<File name="MovieData\videoConnectingSmall.swf" dest="BaiduHi:MovieData" type="resource" operation="add" />
<File name="NetService.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="RUDPLib.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="ServerConfig.dat" dest="BaiduHi:" type="resource" operation="add" />
<File name="SkinDLL.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="SysCustomStatus.xml" dest="BaiduHi:" type="resource" operation="add" />
<File name="UPnPDll.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="VersionInfo" dest="BaiduHi:" type="resource" operation="add" />
<File name="atl71.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="dbghelp.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="fmmgr.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="imcs.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="licence.txt" dest="BaiduHi:" type="resource" operation="add" />
<File name="mediactrl.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="msvcp71.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="msvcr71.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="resource.db" dest="BaiduHi:" type="resource" operation="add" />
<File name="riched20.dll" dest="BaiduHi:" type="bin" operation="add" />
<File name="skin\default.db" dest="BaiduHi:skin" type="resource" operation="add" />
<File name="skin\rose.db" dest="BaiduHi:skin" type="resource" operation="add" />
<File name="sound\msg.wav" dest="BaiduHi:sound" type="resource" operation="add" />
<File name="sound\online.wav" dest="BaiduHi:sound" type="resource" operation="add" />
<File name="sound\phone.wav" dest="BaiduHi:sound" type="resource" operation="add" />
<File name="sound\snapshot.wav" dest="BaiduHi:sound" type="resource" operation="add" />
<File name="sound\system.wav" dest="BaiduHi:sound" type="resource" operation="add" />
<File name="sysimage\FaceError.gif" dest="BaiduHi:sysimage" type="resource" operation="add" />
<File name="sysimage\FaceLoading.gif" dest="BaiduHi:sysimage" type="resource" operation="add" />
<File name="sysimage\ImageError.gif" dest="BaiduHi:sysimage" type="resource" operation="add" />
<File name="sysimage\ImageLoading.gif" dest="BaiduHi:sysimage" type="resource" operation="add" />
<File name="uninst.exe" dest="BaiduHi:" type="bin" operation="add" />
<File name="zlib1.dll" dest="BaiduHi:" type="bin" operation="add" />
</FullPackage>
</Module>
</AutoUpdate>

AutoUpdate.xml is then used to download http://update.im.baidu.com/AutoUpdate/updater48-49.cab. We could construct a malicious config.ini, make the program download a malicious AutoUpdate.xml of our making, and then have the program download and unpack a maliciously crafted cab installer via that AutoUpdate.xml. The damage would still be quite significant!

Finally, my advice to everyone: do not download Baidu Hi from anywhere other than the official source! Otherwise the consequences could be severe. The two vulnerabilities I found this time are easy to exploit in one sense and not so easy in another. As said above, this is just my shallow opinion with nothing technically sophisticated about it; I simply feel it is bad for the software to keep so much in plaintext. I just want to remind everyone to be a bit careful, nothing else, and certainly no intention of grandstanding.
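As an added example (not part of the original post, and not Baidu's code): a small Python audit of the config.ini -> AutoUpdate.xml -> cab chain described above, run over constructed sample files in the same layout and a constructed cab; the host update.example.test and the function names are placeholders of my own.

```python
import configparser
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs in the layouts quoted in the post; the md5 is
# computed from the constructed cab bytes, not taken from Baidu's manifest.
SAMPLE_INI = """[AutoUpdate]
ConfigFileUrl=http://update.example.test/AutoUpdate/AutoUpdate.xml
IsAutoUpdate=1
"""
SAMPLE_CAB = b"MSCF constructed cab bytes for the example"
SAMPLE_MD5 = hashlib.md5(SAMPLE_CAB).hexdigest()
SAMPLE_XML = f"""<AutoUpdate version="1.0">
<Updater version="1.0.0.8" url="http://update.example.test/AutoUpdate/updater48-49.cab" md5="{SAMPLE_MD5}" hint="update 49"/>
<Module name="BaiduHi" version="1.0.1.0" level="forcePrompt">
<Upgrade versionLow="1.0.0.48" hint="update 49" md5="{SAMPLE_MD5}" url="https://update.example.test/AutoUpdate/upgrade48-49.cab"/>
</Module>
</AutoUpdate>"""

def manifest_url(ini_text):
    """ConfigFileUrl from the [AutoUpdate] section of config.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp["AutoUpdate"]["ConfigFileUrl"]

def packages(manifest_xml):
    """(tag, url, md5) for every node in AutoUpdate.xml that names a package."""
    root = ET.fromstring(manifest_xml)
    return [(n.tag, n.get("url"), n.get("md5", "").lower())
            for n in root.iter() if n.get("url")]

def audit_update_chain(ini_text, manifest_xml):
    """Findings a defender would raise: any hop fetched over plain HTTP can be
    swapped in transit, and an md5 inside an unauthenticated manifest only
    catches corruption, since whoever replaces the cab can rewrite the md5 too."""
    findings = []
    url = manifest_url(ini_text)
    if urlparse(url).scheme != "https":
        findings.append(f"config.ini: manifest fetched over {urlparse(url).scheme}: {url}")
    for tag, purl, md5 in packages(manifest_xml):
        if urlparse(purl).scheme != "https":
            findings.append(f"{tag}: package fetched over {urlparse(purl).scheme}: {purl}")
        if len(md5) != 32:
            findings.append(f"{tag}: missing or malformed md5")
    return findings

def package_matches_manifest(package_bytes, expected_md5):
    """Integrity check of a downloaded cab against the manifest md5 (not an
    authenticity check: that needs a signature over the manifest itself)."""
    return hashlib.md5(package_bytes).hexdigest() == expected_md5.lower()
```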