Sina UC ActiveX Multiple Remote Stack Overflow Vulnerabilities 0-DAY
Source: http://www.nevisnetworks.com Author: Sowhat Published: 2007-01-10

Sowhat of Nevis Labs
Date: 2007.01.09


http://www.nevisnetworks.com
http://secway.org/advisory/20070109EN.txt
http://secway.org/advisory/20070109CN.txt


CVE: none assigned yet

Vendor:

Sina Inc.


Affected versions:
Sina UC <= UC2006


Overview:
Sina UC is one of the most popular instant-messaging clients in China.

http://www.51uc.com


Details:

The vulnerabilities are caused by several Sina UC ActiveX controls failing to validate their parameters. An attacker who lures a user with Sina UC installed into viewing a malicious web page can take complete remote control of that user's computer.

Multiple controls suffer from stack overflows, including but not limited to:


1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendChatRoomOpt (
ByVal astrVerion As String ,
ByVal astrUserID As String ,
ByVal asDataType As Integer ,
ByVal alTypeID As Long
)

When the first parameter (astrVerion) is an overlong string, a stack overflow occurs, the SEH record is overwritten, and an attacker can execute arbitrary code.


Debug output:
(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00000000 ecx=0000037d edx=00000002 esi=02849ada edi=00130000
eip=02b97c76 esp=0012d2cc ebp=0012d2d4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000212
*** WARNING: Unable to verify checksum for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL -
BROWSE_1!DllUnregisterServer+0x662c:
02b97c76 f3a5 rep movsd ds:02849ada=41414141 es:00130000=78746341
0:000> g
(534.674): C++ EH exception - code e06d7363 (first chance)
(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77f79bb8 esi=00000000 edi=00000000
eip=41414141 esp=0012c8b8 ebp=0012c8d8 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
41414141 ?? ???

Problematic code (the copy length is taken from the 16-bit value at [ebp-14h] and never checked against the destination buffer):
.text:100076A2 add dword ptr [esi+4], 2
.text:100076A6 mov eax, [esi+4]
.text:100076A9 movzx ecx, word ptr [ebp-14h]
.text:100076AD push ecx ; size_t
.text:100076AE push dword ptr [ebp+8] ; void *
.text:100076B1 mov ecx, [esi+8]
.text:100076B4 add ecx, eax
.text:100076B6 push ecx ; void *
.text:100076B7 call _memcpy

|
|
v

.text:10007C30 LeadUp1: ; DATA XREF: .text:10007C24o
.text:10007C30 and edx, ecx
.text:10007C32 mov al, [esi]
.text:10007C34 mov [edi], al
.text:10007C36 mov al, [esi+1]
.text:10007C39 mov [edi+1], al
.text:10007C3C mov al, [esi+2]
.text:10007C3F shr ecx, 2
.text:10007C42 mov [edi+2], al
.text:10007C45 add esi, 3
.text:10007C48 add edi, 3
.text:10007C4B cmp ecx, 8
.text:10007C4E jb short loc_10007C1C
.text:10007C50 rep movsd
.text:10007C52 jmp ds:off_10007D08[edx*4]
.text:10007C52 ; ----------------------------------------------------------------------
.text:10007C59 align 4
.text:10007C5C
.text:10007C5C LeadUp2: ; DATA XREF: .text:10007C28o
.text:10007C5C and edx, ecx
.text:10007C5E mov al, [esi]
.text:10007C60 mov [edi], al
.text:10007C62 mov al, [esi+1]
.text:10007C65 shr ecx, 2
.text:10007C68 mov [edi+1], al
.text:10007C6B add esi, 2
.text:10007C6E add edi, 2
.text:10007C71 cmp ecx, 8
.text:10007C74 jb short loc_10007C1C
.text:10007C76 rep movsd -------------Exception here.


2. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendDownLoadFile (
ByVal astrDownDir As String
)

When the astrDownDir parameter is set to an overlong string, a stack overflow occurs.


Debug output:
(57c.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414140 ebx=00000000 ecx=41414140 edx=00000000 esi=0012d974 edi=77dbe2d0
eip=7800268d esp=0012d55c ebp=0012d580 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
RPCRT4!NDRCContextBinding+0x13:
7800268d 81780498badcfe cmp dword ptr [eax+0x4],0xfedcba98 ds:0023:41414144=????????
0:000> g
(57c.1ac): Unknown exception - code 00000006 (first chance)
(57c.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02e9e510 ecx=78079582 edx=00000000 esi=0019535c edi=00000000
eip=41414141 esp=0012dba0 ebp=41414141 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
41414141 ?? ???

3. ............

Workaround:
Until the vendor releases a patch,
users are advised to set the kill bit for the affected CLSID in the registry.
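The kill bit is the standard Internet Explorer mechanism for refusing to instantiate a specific ActiveX control: a DWORD "Compatibility Flags" value with bit 0x400 set under the control's CLSID key. The script below is an added example, not part of the original advisory; it applies the kill bit to the CLSID the advisory lists for both BROWSER2UC.dll controls and verifies the result. The DLL path used in the inventory check is the one given in the advisory.

```powershell
# Added example (not from the advisory): set the IE ActiveX kill bit for the
# Sina UC BROWSER2UC.dll control and verify it. Run from an elevated prompt.
$Clsid   = '{77AE4780-75E0-4CB0-A162-D1BBE3D50384}'   # CLSID from the advisory
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not load the control

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both views.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # OR the kill bit into any flags already present instead of overwriting them.
    $Existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $Flags = [int]($Existing -bor $KillBit)
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $Flags -Force | Out-Null
}

# Verification: the control is blocked only if bit 0x400 is set in each view.
foreach ($Path in $Paths) {
    $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    $IsSet = ($Flags -band $KillBit) -ne 0
    Write-Output ("{0}`n  Compatibility Flags = 0x{1:X}, kill bit set = {2}" -f $Path, $Flags, $IsSet)
}

# Inventory check: presence of the advisory's DLL means the vulnerable control
# is installed on this host and the kill bit is actually needed here.
$Dll = 'C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll'
if (Test-Path $Dll) { Write-Output "Vulnerable control present: $Dll" }
```

The kill bit only stops Internet Explorer (and hosts that honour it) from loading the control; it does not remove the DLL, so the check should be repeated after any Sina UC reinstall or update.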


Vendor response:
2007.01.08 Emailed ucservice@51uc.com
2007.01.08 Sina ignored me. Sent another email
2007.01.09 No response received so far. Publishing this advisory

Update:
2007.01.09 After this advisory was posted to XFOCUS, Sina's security department and the UC operations team contacted me and said they would develop a patch as soon as possible.

EXP: http://www.vfocus.net/file/2434.html

