发布日期：2007-01-10
更新日期：2007-01-12

受影响系统：

Sina UC <= UC2006

描述：

---

BUGTRAQ  ID: 21958

新浪UC是融合了P2P思想的、开放式的即时通讯和娱乐平台。

新浪UC所安装的BROWSER2UC.DLL ActiveX控件存在多个栈溢出漏洞，远程攻击者可能利用此漏洞控制用户机器。

具体漏洞包括：

1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendChatRoomOpt (
    ByVal astrVerion  As String ,
    ByVal astrUserID  As String ,
    ByVal asDataType  As Integer ,
    ByVal alTypeID  As Long
)

如果对第一个参数传送了大于5000字节的超长字符串的话，就会触发栈溢出，导致完全的SEH覆盖。

(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00000000 ecx=0000037d edx=00000002 esi=02849ada edi=00130000
eip=02b97c76 esp=0012d2cc ebp=0012d2d4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000212
*** WARNING: Unable to verify checksum for
C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL -
BROWSE_1!DllUnregisterServer+0x662c:
02b97c76 f3a5            rep  movsd ds:02849ada=41414141 es:00130000=78746341
0:000> g
(534.674): C++ EH exception - code e06d7363 (first chance)
(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77f79bb8 esi=00000000 edi=00000000
eip=41414141 esp=0012c8b8 ebp=0012c8d8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
41414141 ??               ???

有漏洞代码：

ext:100076A2                 add     dword ptr [esi+4], 2
.text:100076A6                 mov     eax, [esi+4]
.text:100076A9                 movzx   ecx, word ptr [ebp-14h]
.text:100076AD                 push    ecx             ; size_t
.text:100076AE                 push    dword ptr [ebp+8] ; void *
.text:100076B1                 mov     ecx, [esi+8]
.text:100076B4                 add     ecx, eax
.text:100076B6                 push    ecx             ; void *
.text:100076B7                 call    _memcpy

|
|
v

.text:10007C30 LeadUp1:                                ; DATA XREF:
.text:10007C24o
.text:10007C30                 and     edx, ecx
.text:10007C32                 mov     al, [esi]
.text:10007C34                 mov     [edi], al
.text:10007C36                 mov     al, [esi+1]
.text:10007C39                 mov     [edi+1], al
.text:10007C3C                 mov     al, [esi+2]
.text:10007C3F                 shr     ecx, 2
.text:10007C42                 mov     [edi+2], al
.text:10007C45                 add     esi, 3
.text:10007C48                 add     edi, 3
.text:10007C4B                 cmp     ecx, 8
.text:10007C4E                 jb      short loc_10007C1C
.text:10007C50                 rep movsd
.text:10007C52                 jmp     ds:off_10007D08[edx*4]
.text:10007C52 ;
----------------------------------------------------------------------
.text:10007C59                 align 4
.text:10007C5C
.text:10007C5C LeadUp2:                                ; DATA XREF:
.text:10007C28o
.text:10007C5C                 and     edx, ecx
.text:10007C5E                 mov     al, [esi]
.text:10007C60                 mov     [edi], al
.text:10007C62                 mov     al, [esi+1]
.text:10007C65                 shr     ecx, 2
.text:10007C68                 mov     [edi+1], al
.text:10007C6B                 add     esi, 2
.text:10007C6E                 add     edi, 2
.text:10007C71                 cmp     ecx, 8
.text:10007C74                 jb      short loc_10007C1C
.text:10007C76                 rep movsd
-------------Exception here.

2.  clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendDownLoadFile (
    ByVal astrDownDir  As String
)

如果将astrDownDir设置为超长字符串的话，就会覆盖SEH。

<*来源：Sowhat （smaillist@gmail.com）
  
  链接：http://secunia.com./advisories/23638/
        http://marc.theaimsgroup.com/?l=bugtraq&m=116836395926624&w=2
*>

建议：

---

厂商补丁：

Sina
----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://download.51uc.com/uc_download.shtml?tool_0

浏览次数：4288
严重程度：0（网友投票）