Sina UC BROWSER2UC.DLL ActiveX Control Remote Stack Overflow Vulnerability
Updated: 2007-01-12
Affected systems: Sina UC <= UC2006
Description:
BUGTRAQ ID: 21958
Sina UC is an open instant messaging and entertainment platform built around P2P ideas.
The BROWSER2UC.DLL ActiveX control installed with Sina UC contains multiple stack overflow vulnerabilities; a remote attacker could exploit them to take control of the user's machine.
The specific vulnerabilities are:
1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384 C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll
Sub SendChatRoomOpt ( ByVal astrVerion As String , ByVal astrUserID As String , ByVal asDataType As Integer , ByVal alTypeID As Long )
Passing a string longer than 5000 bytes as the first parameter triggers a stack overflow and results in a complete SEH overwrite.
(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00000000 ecx=0000037d edx=00000002 esi=02849ada edi=00130000
eip=02b97c76 esp=0012d2cc ebp=0012d2d4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000212
*** WARNING: Unable to verify checksum for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL -
BROWSE_1!DllUnregisterServer+0x662c:
02b97c76 f3a5             rep movsd ds:02849ada=41414141 es:00130000=78746341
0:000> g
(534.674): C++ EH exception - code e06d7363 (first chance)
(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77f79bb8 esi=00000000 edi=00000000
eip=41414141 esp=0012c8b8 ebp=0012c8d8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
41414141 ??              ???
Vulnerable code (the length pushed as size_t is a 16-bit value taken from the caller's string and is never checked against the destination buffer):
.text:100076A2                 add     dword ptr [esi+4], 2
.text:100076A6                 mov     eax, [esi+4]
.text:100076A9                 movzx   ecx, word ptr [ebp-14h]
.text:100076AD                 push    ecx             ; size_t
.text:100076AE                 push    dword ptr [ebp+8] ; void *
.text:100076B1                 mov     ecx, [esi+8]
.text:100076B4                 add     ecx, eax
.text:100076B6                 push    ecx             ; void *
.text:100076B7                 call    _memcpy
                                  |
                                  |
                                  v
The call enters the CRT memcpy implementation, which faults in the rep movsd below:
.text:10007C30 LeadUp1:                                ; DATA XREF: .text:10007C24o
.text:10007C30                 and     edx, ecx
.text:10007C32                 mov     al, [esi]
.text:10007C34                 mov     [edi], al
.text:10007C36                 mov     al, [esi+1]
.text:10007C39                 mov     [edi+1], al
.text:10007C3C                 mov     al, [esi+2]
.text:10007C3F                 shr     ecx, 2
.text:10007C42                 mov     [edi+2], al
.text:10007C45                 add     esi, 3
.text:10007C48                 add     edi, 3
.text:10007C4B                 cmp     ecx, 8
.text:10007C4E                 jb      short loc_10007C1C
.text:10007C50                 rep movsd
.text:10007C52                 jmp     ds:off_10007D08[edx*4]
.text:10007C52 ; ----------------------------------------------------------------------
.text:10007C59                 align 4
.text:10007C5C
.text:10007C5C LeadUp2:                                ; DATA XREF: .text:10007C28o
.text:10007C5C                 and     edx, ecx
.text:10007C5E                 mov     al, [esi]
.text:10007C60                 mov     [edi], al
.text:10007C62                 mov     al, [esi+1]
.text:10007C65                 shr     ecx, 2
.text:10007C68                 mov     [edi+1], al
.text:10007C6B                 add     esi, 2
.text:10007C6E                 add     edi, 2
.text:10007C71                 cmp     ecx, 8
.text:10007C74                 jb      short loc_10007C1C
.text:10007C76                 rep movsd       -------------Exception here.
2. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384 C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll
Sub SendDownLoadFile ( ByVal astrDownDir As String )
Setting astrDownDir to an overly long string overwrites the SEH.
<* Source: Sowhat (smaillist@gmail.com)  Links: http://secunia.com./advisories/23638/ http://marc.theaimsgroup.com/?l=bugtraq&m=116836395926624&w=2 *>
Recommendation:
Vendor patch:
Sina
----
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://download.51uc.com/uc_download.shtml?tool_0
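Both flaws above share one root cause: the control appends a caller-controlled string into a fixed stack buffer with memcpy, using a 16-bit length read from the argument and no comparison against the remaining capacity. The added example below is not code from the advisory or from Sina; it is a constructed model of that message-building path (the struct fields, the 2-byte length prefix implied by the "add dword ptr [esi+4], 2" before the copy, and all function names are assumptions) showing the bounded append that the vulnerable path lacks. The same check applies to the SendDownLoadFile path: a 5000-byte parameter is refused instead of being copied past the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed capacity for the fixed buffer; the real size is not in the advisory. */
#define PKT_CAPACITY 1024

/* Model of the object the disassembly writes through: a write offset
 * ([esi+4] in the listing) and the buffer itself ([esi+8]). */
typedef struct {
    size_t  offset;              /* current write position */
    uint8_t data[PKT_CAPACITY];  /* fixed-size message buffer */
} packet_t;

/* Append one length-prefixed string field.
 * The unchecked original advances the offset by 2 and calls
 * memcpy(buf + offset, src, (uint16_t)len) with no capacity test,
 * so a 5000-byte argument runs off the end of the buffer. This version
 * refuses the append (no silent truncation) unless prefix + payload fit. */
static bool append_field(packet_t *p, const char *src, size_t len) {
    if (len > UINT16_MAX)                       /* cannot be described by a 16-bit prefix */
        return false;
    if (p->offset > PKT_CAPACITY || PKT_CAPACITY - p->offset < 2 + len)
        return false;                           /* not enough room left */
    p->data[p->offset]     = (uint8_t)(len & 0xff);   /* little-endian length prefix */
    p->data[p->offset + 1] = (uint8_t)(len >> 8);
    p->offset += 2;
    memcpy(p->data + p->offset, src, len);      /* bounded: len was checked above */
    p->offset += len;
    return true;
}

/* Build a SendChatRoomOpt-style message from its four parameters
 * (version, user id, 16-bit data type, 32-bit type id).
 * Returns the packet length on success, 0 if any field did not fit. */
size_t build_chatroom_opt(packet_t *p, const char *version, const char *user_id,
                          uint16_t data_type, uint32_t type_id) {
    memset(p, 0, sizeof *p);
    if (!append_field(p, version, strlen(version))) return 0;
    if (!append_field(p, user_id, strlen(user_id))) return 0;
    uint8_t tail[6] = {                         /* fixed-width trailing fields */
        (uint8_t)(data_type & 0xff),        (uint8_t)(data_type >> 8),
        (uint8_t)(type_id & 0xff),          (uint8_t)((type_id >> 8) & 0xff),
        (uint8_t)((type_id >> 16) & 0xff),  (uint8_t)(type_id >> 24)
    };
    if (PKT_CAPACITY - p->offset < sizeof tail) return 0;
    memcpy(p->data + p->offset, tail, sizeof tail);
    p->offset += sizeof tail;
    return p->offset;
}

/* Ordinary call: 2+3 ("1.0") + 2+4 ("user") + 6 trailing bytes = 17. */
size_t demo_normal_call(void) {
    packet_t pkt;
    return build_chatroom_opt(&pkt, "1.0", "user", 1, 42);
}

/* The advisory's trigger condition, a 5000-byte first parameter: the
 * bounded append refuses it and the builder returns 0. */
size_t demo_oversized_version(void) {
    packet_t pkt;
    char big[5001];                             /* constructed oversized input */
    memset(big, 'A', 5000);
    big[5000] = '\0';
    return build_chatroom_opt(&pkt, big, "user", 1, 42);
}

int main(void) {
    printf("normal call:       %zu bytes built\n", demo_normal_call());
    printf("5000-byte version: %zu bytes built (0 = refused)\n", demo_oversized_version());
    return 0;
}
```

The point of the check is the order of operations: the remaining capacity is compared with the full field size (prefix plus payload) before the offset is advanced or anything is copied, so an oversized argument never reaches memcpy. Truncating to 16 bits, as the original does with movzx, is not a bound; it only caps the copy at 65535 bytes, far more than the buffer holds.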