Microsoft Jet RCEÎó²îÇ徲ͨ¸æ

Ðû²¼Ê±¼ä 2018-09-25

Îó²î±àºÅºÍ¼¶±ð


CVE±àºÅ£ºÎÞ£¬£¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬CVSS·ÖÖµ£º³§ÉÌ×ÔÆÀ7.3£¬£¬£¬¹Ù·½Î´ÆÀ¶¨


Ó°Ïì°æ±¾


Microsoft Jet Database Engine


Îó²î¸ÅÊö


¸ÃÎó²îÊÇJETÊý¾Ý¿âÒýÇæÖеÄÒ»¸öÔ½½ç£¨OOB£©Ð´ÈëÔì³ÉµÄ¡£¡£
΢ÈíµÄOLE DB Provider for JETºÍAccess ODBC½öÖ§³Ö32룬£¬£¬ÕâÒâζ×ÅÔÚ64λµÄÖ÷»úÉÏÎÞ·¨»ñµÃÖ±½ÓʹÓᣡ£
µ«ÔÚ64λÖ÷»úÉÏ¿ÉÒÔͨ¹ýÆô¶¯c£º\ windows \ SysWOW64 \wscript.exe poc.jsÀ´Ê¹ÓÃ32λwscript.exeÀ´´¥·¢¸ÃPoC¡£¡£
ͬʱÕâÖÖ¹¥»÷¿ÉÒÔͨ¹ýInternet Explorer¾ÙÐд¥·¢£¬£¬£¬×ÝÈ»ÔÚ64λWindowsÉÏ£¬£¬£¬Internet ExploreräÖȾÀú³ÌÒ²ÊÇ32λµÄ¡£¡£
µ«ÔÚIE11ÉÏInternetºÍIntranetÇøÓòÖнûÓÃÁËÇå¾²ÉèÖá°¿çÓò»á¼ûÊý¾ÝÔ´¡±£¬£¬£¬Õâ»áµ¼ÖÂJavaScript¹ýʧ¡£¡£ÎÞ·¨´¥·¢Îó²î¡£¡£

ͬʱ´ÓÍâµØÇý¶¯Æ÷£¨»òUSB´ÅÅÌ£©Æô¶¯¶ñÒâpoc.htmlÒ²»á´¥·¢¸ÃÎó²î¡£¡£µ«ÐèÒª»§°´Ï¡°ÔÊÐí×èÖ¹µÄÄÚÈÝ¡±²Å»á´¥·¢¡£¡£


Îó²îÑéÖ¤


PoC£ºhttps://github.com/thezdi/PoC/tree/master/ZDI-18-1075
ÄÚÈÝÈçÏÂ


ÈËÉú¾ÍÊDz©-×ðÁú¿­Ê±Öйú¹ÙÍø


´¥·¢ºóÒýÆðwscript.exeÍß½â


ÈËÉú¾ÍÊDz©-×ðÁú¿­Ê±Öйú¹ÙÍø


ÐÞ¸´½¨Òé


¹Ù·½ÉÐδÐû²¼Õë¶ÔµÄ²¹¶¡

ÉóÉ÷ÐÐÊ£¬£¬£¬²»Òª·­¿ªÀ´×Ô²»ÐÅÈÎȪԴµÄÎļþ£¬£¬£¬¸üÐÂIEä¯ÀÀÆ÷°æ±¾£¬£¬£¬×èÖ¹ËæÒâµã»÷ÔÊÐí×èÖ¹ÄÚÈÝ°´Å¥


²Î¿¼Á´½Ó


https://www.zerodayinitiative.com/blog/2018/9/20/zdi-can-6135-a-remote-code-execution-vulnerability-in-the-microsoft-windows-jet-database-engine
https://support.microsoft.com/en-in/help/957570/the-microsoft-ole-db-provider-for-jet-and-the-microsoft-access-odbc-dr