Affected systems:
StoneTrip S3DPlayer Web v1.6.0.0
StoneTrip S3DPlayer StandAlone v1.7.0.1
StoneTrip S3DPlayer StandAlone v1.6.2.4
Description:
BUGTRAQ ID: 35105
CVE(CAN) ID: CVE-2009-1792
Ston3D is a cross-platform technology developed by StoneTrip that allows applications built on the ShiVa platform to run on a variety of media.
Ston3D provides a scripting interface based on the Lua programming language, in which the system.openURL function is defined as follows:
/———–
Prototype
system.openURL(sURL, sTarget) -- Call this function to open a URL.
– ———–/
In the current implementation, calling system.openURL(sURL, sTarget) with the sURL parameter set to file://path/command ultimately results in a call equivalent to the following:
/———–
system("open path/command");
– ———–/
Because platform-specific command separator characters in the path are passed through unfiltered, this may allow arbitrary code execution. The relevant code segments on each platform are shown below:
*Windows*
/———–
.text:1000D64D test esi, esi
.text:1000D64F mov eax, esi
.text:1000D651 jnz short loc_1000D658
.text:1000D653
.text:1000D653 loc_1000D653: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1CB
.text:1000D653 mov eax, offset Name
.text:1000D658
.text:1000D658 loc_1000D658: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1D1
.text:1000D658 push 1
.text:1000D65A push offset Name ; lpDirectory
.text:1000D65F push ecx ; lpParameters
.text:1000D660 push eax ; lpFile
.text:1000D661 push offset Operation ; "open"
.text:1000D666 push 0 ; hwnd
.text:1000D668 call ds:ShellExecuteA
.text:1000D66E
.text:1000D66E loc_1000D66E: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1B0
.text:1000D66E test edi, edi
.text:1000D670 jbe short loc_1000D67F
.text:1000D672 test esi, esi
.text:1000D674 jz short loc_1000D67F
.text:1000D676 add esi, 0FFFFFFFCh
.text:1000D679 push esi ; Memory
.text:1000D67A call ebp ; __imp_free
– ———–/
*Linux*
/———–
.text:08371334 mov [esp+5Ch+var_58], offset aOpen ; "open "
.text:0837133C lea eax, [esp+5Ch+var_34]
.text:08371340 mov [esp+5Ch+command], eax
.text:08371343 call sub_8109FC0
.text:08371348 lea eax, [esp+5Ch+var_1C]
.text:0837134C mov [esp+5Ch+var_58], eax
.text:08371350 lea eax, [esp+5Ch+var_34]
.text:08371354 mov [esp+5Ch+command], eax
.text:08371357 call sub_8108F10
.text:0837135C lea eax, [esp+5Ch+var_34]
.text:08371360 mov [esp+5Ch+command], eax
.text:08371363 call sub_80DF660
.text:08371368 mov [esp+5Ch+command], eax
.text:0837136B call _system
.text:08371370 lea eax, [esp+5Ch+var_34]
.text:08371374 mov [esp+5Ch+command], eax
.text:08371377 call sub_80D92F0
.text:0837137C jmp short loc_8371398
– ———–/
*Mac OS X(x86)*
/———–
__text:0005995B lea eax, (aOpen - 597ECh)[ebx] ; "open "
__text:00059961 lea esi, [esp+5Ch+var_44]
__text:00059965 mov [esp+5Ch+var_58], eax
__text:00059969 mov [esp+5Ch+var_5C], esi
__text:0005996C call __ZN7Pandora10EngineCore6StringC1EPKc ;
Pandora::EngineCore::String::String(char const*)
__text:00059971 mov [esp+5Ch+var_58], edi
__text:00059975 mov [esp+5Ch+var_5C], esi
__text:00059978 call __ZN7Pandora10EngineCore6StringpLERKS1_
__text:0005997D mov edx, [esp+5Ch+var_44]
__text:00059981 test edx, edx
__text:00059983 jz loc_59A5F
__text:00059989 mov eax, [esp+5Ch+var_40]
__text:0005998D test eax, eax
__text:0005998F jz loc_59A5F
__text:00059995
__text:00059995 loc_59995: ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const&,Pandora::EngineCore::String const&)+295
__text:00059995 mov [esp+5Ch+var_5C], eax
__text:00059998 call _system
__text:0005999D mov eax, [esp+5Ch+var_44]
__text:000599A1 test eax, eax
__text:000599A3 jnz loc_59AB2
__text:000599A9 nop dword ptr [eax+00000000h]
– ———–/
*Mac OS X(PPC)*
/———–
__text:00053D6C addi %r30, %sp, 0x90+var_38
__text:00053D70 addis %r4, %r31, 0x3F
__text:00053D74 addi %r4, %r4, -0x29DC
__text:00053D78 mr %r3, %r30
__text:00053D7C bl __ZN7Pandora10EngineCore6StringC1EPKc #
Pandora::EngineCore::String::String(char const*)
__text:00053D80 mr %r3, %r30
__text:00053D84 mr %r4, %r29
__text:00053D88 bl __ZN7Pandora10EngineCore6StringpLERKS1_
__text:00053D8C lwz %r0, 0x90+var_38(%sp)
__text:00053D90 cmpwi cr7, %r0, 0
__text:00053D94 beq cr7, loc_53DA4
__text:00053D98 lwz %r3, 0x90+var_34(%sp)
__text:00053D9C cmpwi cr7, %r3, 0
__text:00053DA0 bc 5, 4*cr7+eq, loc_53DAC
__text:00053DA4
__text:00053DA4 loc_53DA4: # CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const&,Pandora::EngineCore::String const&)+394
__text:00053DA4 addis %rtoc, %r31, 0x3F
__text:00053DA8 addi %r3, %rtoc, -0x5620
__text:00053DAC
__text:00053DAC loc_53DAC: # CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const&,Pandora::EngineCore::String const&)+3A0
__text:00053DAC bl _system
__text:00053DB0 lwz %r0, 0x90+var_38(%sp)
__text:00053DB4 cmpwi cr7, %r0, 0
__text:00053DB8 beq cr7, loc_53E24
__text:00053DBC b loc_53DF8
– ———–/
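The defect common to all four listings above is that the URL's path is concatenated into a single command string ("open " + path) and handed to system() or ShellExecute, so whatever separator characters the caller placed in the URL are interpreted by the shell. The following is an added illustration in Python (not StoneTrip's code) of that string-building pattern next to the hardened form a maintainer would use: an explicit scheme allow-list that rejects file://, and launching the platform opener with an argv list so no shell ever parses the URL. The platform names, the opener binaries and all function names are assumptions made for this example.

```python
"""Added example: a hardened openURL-style launcher contrasted with the
string-concatenation pattern described in the advisory. Not StoneTrip code."""
import subprocess
from urllib.parse import urlsplit

# Only web URLs are acceptable for an "open URL" primitive; file:// is rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Assumed per-platform opener commands (the advisory shows "open " being
# prepended on Linux and Mac OS X; xdg-open is the usual Linux equivalent).
OPENERS = {
    "linux": ["xdg-open"],
    "darwin": ["open"],
}


def unsafe_command_string(url: str) -> str:
    """The pattern the advisory describes, reproduced only as a string for
    comparison (never executed here): the URL's path is concatenated into one
    command line, so a shell would see every separator the caller supplied."""
    path = url[len("file://"):] if url.startswith("file://") else url
    return "open " + path


def validate_url(url: str) -> str:
    """Return the URL unchanged if it is acceptable, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    # Control characters and whitespace never belong in a URL passed to an opener.
    if any(ord(c) < 0x20 or c.isspace() for c in url):
        raise ValueError("control or whitespace character in URL")
    return url


def is_url_allowed(url: str) -> bool:
    """Boolean wrapper around validate_url for callers that just need a verdict."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def build_open_argv(url: str, platform: str) -> list[str]:
    """Build the argv vector for the platform opener. Because this is a list and
    is executed without a shell, characters such as ';', '|' or '&' inside the
    URL reach the opener as a literal argument, never as shell syntax."""
    validate_url(url)
    try:
        opener = OPENERS[platform]
    except KeyError:
        raise ValueError(f"unsupported platform: {platform!r}") from None
    return [*opener, url]


def open_url(url: str, platform: str) -> int:
    """Launch the opener without a shell and return its exit status.
    On Windows the same validation would be followed by os.startfile(url)
    rather than a ShellExecute call built from a concatenated string."""
    argv = build_open_argv(url, platform)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs.
    print(unsafe_command_string("file://path/command"))
    print(build_open_argv("https://example.com/page?a=1;b=2", "linux"))
    print(is_url_allowed("file:///tmp/anything"))
```

The key design choice is that the URL is never part of a command line: it is validated as a URL, then passed as a single argv element, so the shell-separator behaviour the advisory relies on has no parser to act on.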
<*Source: Diego Juarez
Link: http://marc.info/?l=bugtraq&m=124354674006662&w=2
*>
Recommendations:
Vendor patch:
StoneTrip
———
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version: