Delphi and C++ Builder VCL library heap buffer overflow vulnerability (CVE-2014-0994)
Release date: 2014-09-16
Updated: 2014-09-18
Affected systems: Embarcadero Technologies C++Builder XE6 Version 20.0.15596.9843
Embarcadero Technologies Delphi 20.0.15596.9843
Description:
BUGTRAQ ID:
69845
CVE(CAN) ID:
CVE-2014-0994
Delphi and C++ Builder are Embarcadero Technologies development tools; applications built with either are based on the VCL (Visual Component Library).
Applications built with Delphi and C++ Builder contain a security flaw in the VCL's handling of malformed BMP files. An attacker who supplies a crafted BMP file can trigger a heap buffer overflow and potentially execute arbitrary code in the context of the affected application.
<*Source: Marcos Accossatto
Link:
http://www.coresecurity.com/advisories/delphi-and-c-builder-vcl-library-heap-buffer-overflow
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Marcos Accossatto () supplied the vulnerable code; a proof-of-concept has not been published.
The ReadDIB function in the VCL library processes the BMP header in the following way: it first allocates memory to copy the header, plus 1024 bytes for the color table:
mov eax, [ebp+HeaderSize] ; eax => 40 // Header size read from file
add eax, 0Ch ; eax => eax + 12
add eax, 400h ; eax => eax + (256 * 4)
call @System@@GetMem$qqri ; // Alloc necessary memory for the BMP header and color table
Later, a second pointer is calculated at an offset of HeaderSize (40) bytes from the first one; this new pointer is used when the color table is processed:
mov eax, [ebp+BitmapInfo_] ; eax => BitmapInfo
add eax, [ebp+HeaderSize] ; eax => eax + HeaderSize
mov [ebp+ColorTablePtr], eax
That pointer is finally used to copy from the file to the allocated region in the heap, with a user controlled size of (biClrUsed * 4):
mov ecx, [ebx+20h] ; ecx => biClrUsed
movzx edi, [ebp+OS2Format]
movzx eax, byte_5F90E8[edi] ; eax => 4 // When edi is 0
imul ecx, eax ; ecx => biClrUsed * 4 // How much to copy to allocated memory
mov edx, [ebp+ColorTablePtr]
mov eax, [ebp+Stream]
call Stream_ReadBuffer ; Stream.ReadBuffer(ColorTablePtr, biClrUsed * 4);
The allocation leaves room for at most 256 four-byte entries (0x400 bytes, plus the 0Ch added before it), but the copy length biClrUsed * 4 is taken straight from the file and is never compared against that size, so a header with biClrUsed greater than 256 writes past the end of the heap block. This creates a heap buffer overflow and potentially allows code execution.
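The following C program is an added example written for this page; it is not Core Security's or Embarcadero's code. It reproduces the size arithmetic from the disassembly above (GetMem of HeaderSize + 0Ch + 400h, ReadBuffer of biClrUsed * 4 at BitmapInfo + HeaderSize) as plain integer functions, so the overflow condition can be checked without performing any out-of-bounds write, and beside it shows a hardened palette loader that derives the permitted entry count from biBitCount and from the bytes actually present in the stream. The 4-byte entry size is the Windows-format value the disassembly shows for OS2Format == 0; the 256-entry limit, the biBitCount-based bound and the sample headers are assumptions of this example, and the BMP headers are constructed in code rather than taken from any real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the disassembly in the advisory. */
#define HDR_EXTRA_BYTES   0x0Cu   /* add eax, 0Ch                          */
#define COLOR_TABLE_BYTES 0x400u  /* add eax, 400h : 256 entries * 4 bytes */
#define PALETTE_ENTRY_SZ  4u      /* byte_5F90E8[0] == 4 (Windows DIB)     */
#define MAX_PALETTE_ENTRIES 256u  /* assumption: the most a DIB palette holds */

/* The BITMAPINFOHEADER fields that matter here (little-endian in the file). */
typedef struct {
    uint32_t biSize;      /* HeaderSize in the advisory */
    uint16_t biBitCount;
    uint32_t biClrUsed;
} dib_info;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a BITMAPINFOHEADER of at least 40 bytes; returns 0 on success. */
int parse_dib_info(const uint8_t *buf, size_t len, dib_info *out)
{
    if (len < 40) return -1;
    out->biSize     = rd32(buf);
    out->biBitCount = rd16(buf + 14);
    out->biClrUsed  = rd32(buf + 32);
    return (out->biSize >= 40 && out->biSize <= len) ? 0 : -1;
}

/* --- Vulnerable arithmetic, mirrored from ReadDIB (no memory is touched) --- */

/* Bytes GetMem reserves: HeaderSize + 0Ch + 400h. */
uint32_t vuln_alloc_size(uint32_t header_size)
{
    return header_size + HDR_EXTRA_BYTES + COLOR_TABLE_BYTES;
}

/* Bytes Stream.ReadBuffer copies to ColorTablePtr; wraps at 32 bits like imul. */
uint32_t vuln_copy_size(uint32_t biClrUsed)
{
    return biClrUsed * PALETTE_ENTRY_SZ;
}

/* ColorTablePtr = BitmapInfo + HeaderSize, so only alloc - HeaderSize bytes remain. */
int vuln_overflows(uint32_t header_size, uint32_t biClrUsed)
{
    uint32_t room = vuln_alloc_size(header_size) - header_size;  /* 0x40C */
    return vuln_copy_size(biClrUsed) > room;
}

/* --- Hardened loader: the checks ReadDIB lacks --- */

int load_palette_safe(const uint8_t *file, size_t len,
                      uint8_t palette[COLOR_TABLE_BYTES], uint32_t *entries_out)
{
    dib_info h;
    if (parse_dib_info(file, len, &h) != 0) return -1;

    /* Indexed images may carry at most 2^biBitCount entries; deeper images
       may still carry an optional palette, capped at 256 (assumption). */
    uint32_t max_entries = (h.biBitCount <= 8) ? (1u << h.biBitCount) : MAX_PALETTE_ENTRIES;
    uint32_t entries = h.biClrUsed ? h.biClrUsed : (h.biBitCount <= 8 ? max_entries : 0);

    if (entries > max_entries) return -1;                 /* bound the file-controlled count */
    size_t need = (size_t)entries * PALETTE_ENTRY_SZ;     /* cannot exceed 1024 here */
    if (len - h.biSize < need) return -1;                 /* stream must hold the table */

    memset(palette, 0, COLOR_TABLE_BYTES);
    memcpy(palette, file + h.biSize, need);
    if (entries_out) *entries_out = entries;
    return 0;
}

/* Constructed sample: a 40-byte BITMAPINFOHEADER followed by `tail` zero bytes. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t bitcount, uint32_t clrused, size_t tail)
{
    if (cap < 40 + tail) return 0;
    memset(buf, 0, 40 + tail);
    buf[0] = 40;                        /* biSize  */
    buf[4] = 16; buf[8] = 16;           /* 16 x 16 */
    buf[12] = 1;                        /* biPlanes */
    buf[14] = (uint8_t)bitcount; buf[15] = (uint8_t)(bitcount >> 8);
    buf[32] = (uint8_t)clrused;         buf[33] = (uint8_t)(clrused >> 8);
    buf[34] = (uint8_t)(clrused >> 16); buf[35] = (uint8_t)(clrused >> 24);
    return 40 + tail;
}

/* Build a sample and run it through the hardened loader: 0 accepted, -1 rejected. */
int check_sample(uint16_t bitcount, uint32_t clrused, size_t tail, uint32_t *entries_out)
{
    uint8_t file[40 + COLOR_TABLE_BYTES], palette[COLOR_TABLE_BYTES];
    size_t len = make_sample(file, sizeof file, bitcount, clrused, tail);
    if (len == 0) return -2;
    return load_palette_safe(file, len, palette, entries_out);
}

int main(void)
{
    uint32_t n = 0;
    /* Malicious: 8bpp header claiming 4096 colours (16 KiB) against a 0x40C-byte region. */
    printf("ReadDIB would copy %u bytes into %u bytes of room: overflow=%d\n",
           vuln_copy_size(4096), vuln_alloc_size(40) - 40, vuln_overflows(40, 4096));
    printf("hardened loader on the same header: %s\n",
           check_sample(8, 4096, 1024, &n) == 0 ? "accepted" : "rejected");
    /* Benign: 4bpp header with 16 colours and its 64 palette bytes present. */
    printf("hardened loader on a 4bpp/16-colour header: %s (%u entries)\n",
           check_sample(4, 16, 64, &n) == 0 ? "accepted" : "rejected", n);
    return 0;
}
```

The hardened path treats biClrUsed as untrusted twice: once against the largest palette the pixel depth can index, and once against the bytes the stream actually contains, which is the check the ReadBuffer call in the disassembly never performs.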
Recommendation:
Vendor patch:
Embarcadero Technologies
------------------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's site for an updated version:
http://www.embarcadero.com/products/interbase-smp