AOH :: HP Unsorted S :: C07-1762.HTM

Sina UC ActiveX Multiple Remote Stack Overflow



Sina UC ActiveX Multiple Remote Stack Overflow
Sina UC ActiveX Multiple Remote Stack Overflow



Sina UC ActiveX Multiple Remote Stack Overflow



By Sowhat of Nevis Labs
Date: 2007.01.09


http://www.nevisnetworks.com 
http://secway.org/advisory/20070109EN.txt 
http://secway.org/advisory/20070109CN.txt 


CVE:=09NO-CVE-Num

Vendor

Sina Inc.

<=UC2006  are vulnerable


Overview:
Sina UC is one of most popular IM in China.
http://www.51uc.com 

Details:

The specific flaws exists due to the lack of input validation on
various ActiveX control parameters installed
by Sina UC.
Succssfully exploiting this vulnerability allows attackers to execute
arbitrary code on vulnerable installation
Successful exploitation requires that the target user browse to a
malicious web page.


Various ActiveX are vulnerable to simple stack overflow.

Including but not limited to:

1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendChatRoomOpt (
 =09ByVal astrVerion  As String ,
 =09ByVal astrUserID  As String ,
 =09ByVal asDataType  As Integer ,
 =09ByVal alTypeID  As Long
)

when the 1st arg takes a long string (~5000 works), There will be a
simple stack overflow, resulting completely
SEH overwritten.

(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00000000 ecx=0000037d edx=00000002 esi=02849ada edi=00130000
eip=02b97c76 esp=0012d2cc ebp=0012d2d4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000212
*** WARNING: Unable to verify checksum for
C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL -
BROWSE_1!DllUnregisterServer+0x662c:
02b97c76 f3a5            rep  movsd ds:02849ada=41414141 es:00130000=78746341
0:000> g
(534.674): C++ EH exception - code e06d7363 (first chance)
(534.674): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77f79bb8 esi=00000000 edi=00000000
eip=41414141 esp=0012c8b8 ebp=0012c8d8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
41414141 ??               ???

Vulnerable Code:

ext:100076A2                 add     dword ptr [esi+4], 2
.text:100076A6                 mov     eax, [esi+4]
.text:100076A9                 movzx   ecx, word ptr [ebp-14h]
.text:100076AD                 push    ecx             ; size_t
.text:100076AE                 push    dword ptr [ebp+8] ; void *
.text:100076B1                 mov     ecx, [esi+8]
.text:100076B4                 add     ecx, eax
.text:100076B6                 push    ecx             ; void *
.text:100076B7                 call    _memcpy

|
|
v

.text:10007C30 LeadUp1:                                ; DATA XREF:
.text:10007C24=18o
.text:10007C30                 and     edx, ecx
.text:10007C32                 mov     al, [esi]
.text:10007C34                 mov     [edi], al
.text:10007C36                 mov     al, [esi+1]
.text:10007C39                 mov     [edi+1], al
.text:10007C3C                 mov     al, [esi+2]
.text:10007C3F                 shr     ecx, 2
.text:10007C42                 mov     [edi+2], al
.text:10007C45                 add     esi, 3
.text:10007C48                 add     edi, 3
.text:10007C4B                 cmp     ecx, 8
.text:10007C4E                 jb      short loc_10007C1C
.text:10007C50                 rep movsd
.text:10007C52                 jmp     ds:off_10007D08[edx*4]
.text:10007C52 ;
----------------------------------------------------------------------
.text:10007C59                 align 4
.text:10007C5C
.text:10007C5C LeadUp2:                                ; DATA XREF:
.text:10007C28=18o
.text:10007C5C                 and     edx, ecx
.text:10007C5E                 mov     al, [esi]
.text:10007C60                 mov     [edi], al
.text:10007C62                 mov     al, [esi+1]
.text:10007C65                 shr     ecx, 2
.text:10007C68                 mov     [edi+1], al
.text:10007C6B                 add     esi, 2
.text:10007C6E                 add     edi, 2
.text:10007C71                 cmp     ecx, 8
.text:10007C74                 jb      short loc_10007C1C
.text:10007C76                 rep movsd
-------------Exception here.



2.  clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384
C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll

Sub SendDownLoadFile (
 =09ByVal astrDownDir  As String
)

When the astrDownDir set to a long string, SEH will be overwritten.




3. ...




Workaround:
Set a killbit for All the ActiveX used by UC, or,
Use other IMs.



Vendor Response:

2007.01.08 Vendor notified via ucservice@51uc.com 
2007.01.08 No response, drop another email
2007.01.09 Advisory release








-- 
Sowhat
http://secway.org 
"Life is like a bug, Do you know how to exploit it ?"

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.