乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-09: 细节已通知厂商并且等待厂商处理中 2015-04-09: 厂商已经确认,细节仅向厂商公开 2015-04-12: 细节向第三方安全合作伙伴开放 2015-06-03: 细节向核心白帽子及相关领域专家公开 2015-06-13: 细节向普通白帽子公开 2015-06-23: 细节向实习白帽子公开 2015-07-08: 细节向公众公开
企业内部安装的“瑞星杀毒软件网络版”(RavSetup22.01.70.60)通信存在漏洞,可导致局域网内其他计算机可以远程攻击安装有“瑞星杀毒软件网络版”的计算机。 可导致的后果:远程调整瑞星设置、远程启动停止瑞星监控、远程上传文件到目标计算机、远程以SHELL身份执行任意程序。
“瑞星杀毒软件网络版”与服务器通信方式部分在ravsevproxy.dll中,通信方式采用了CORBA作为通信协议来进行网络版客户端和服务器直接通信使用,同时并没有使用SSLIOP进行通信加密导致可通过监听来分析通信数据与命名格式。 在分析出通信协议的具体格式后发现瑞星网络版通信协议并未对发送命令的来源方进行检测导致存在认证漏洞。任意计算机可模仿瑞星网络版服务器对任意客户端发送假冒命令。
该问题是几年前发现,向瑞星反馈无果,考虑到安全性风险,所以一直未公布。现在考虑请求邀请码才将其发布出来。目前所在环境无法运行对应的瑞星程序,所以只能提供代码或截图片段证明。
通信接口代码(片段)
interface Service{ long RunRavProgram(in string filePath); long QuitRavProgram(in string filePath); long InstallSoftware(in long agr1, in string agr2, in string agr3, in string agr4, in long agr5); char InstallControl(in string arg1, in short arg2); char UninstallControl(); DiskInfo GetAllDisk(); DiskInfo GetAllHardDisk(); DiskInfo GetAllHardNetDisk(); char GetFileStatus(in string filePath, out FileState state); long GetFile(in string filePath, in long nPos, out List buffer); long GetFileEx(in string filePath, in long nPos, out List buffer); long ReadFile(in string filePath, in long nPos, out List buffer); long AddTask(in string taskInfo, in long replayCount, in string remoteIP, in long nPort, in string objectName, in string macAddress, in string arg3, in string arg4); long DeleteTask(in long taskId); long QueryTask(in long fastId, in long count, out TaskInfoList askList); long OnFinishTask(in string taskInfo, in string arg1, in long arg2, in string agr3); DiagnoseInfo GetDiagnose(in long type); //List GetRegInfoList(in List info); // SysDef、AppCtrl、ActVirus、RemovMon、WebMon、RsSelf、FileMon、MailMon long CtrlMonitorEx(in InfoValueList arg0); long ReadConfig(in string name, in string arg2, out string retValue); long WriteConfig(in string name, in string arg2, in string value); long GetRsConfig(in long arg0, out List arg1, out long arg2); long SetRsConfig(in long arg0, in List arg1, in long arg2); long GetClientStatus(out ClientInfo info);};
IDA反汇编代码:
case 42: result = remote_Uninstall(v7, (int)readPos, (DWORD)readSize, (char *)readBuffer, (int)writeBuffer); break; case 43: result = remote_UninstallControl(v7, (int)readPos, (int)readSize, (int)readBuffer, (int)writeBuffer); break; case 44: result = remote_UninstallReceiver(v7, (int)readPos, (int)readSize, (int)readBuffer, writeBuffer); break; case 45: result = remote_UninstallSender(v7, (int)readPos, (int)readSize, (int)readBuffer, writeBuffer); break; case 46: result = remote_UpdateClient(v7, (int)readPos, (int)readSize, (int)readBuffer, (int)writeBuffer); break; case 47: result = remote_UpdateStrategy(v7, (int)readPos, (DWORD)readSize, (char *)readBuffer, (int)writeBuffer); break; case 48: result = remote_WriteConfig(v7, (int)readPos, (int)readSize, (char *)readBuffer, writeBuffer); break; default: goto LABEL_52; } } return result;}int __cdecl ServiceCreateProcess(LPCSTR lpString2){ int v1; // eax@1 int result; // eax@4 char ArgList[4]; // [sp+0h] [bp-4h]@1 *(_DWORD *)ArgList = 0; CheckSystemVersion_sub_10001380(ArgList); v1 = (int)GetNCRsLogUtility(); OutputLogToFile_0(v1, "ServiceCreateProcess():%d-%s"); if ( ArgList[0] == 0x93 || ArgList[0] == 0x91 || ArgList[0] == 0x92 ) result = (int)ExecuteProcessAsUser((int)lpString2); else result = ExecuteProcess(lpString2); return result;}
需瑞星公司更新版本增加通信认证机制,同时建议增加通信加密处理。
危害等级:低
漏洞Rank:1
确认时间:2015-04-09 13:09
3Q!
暂无
