WPS Office 'Wpsio.dll' Stack Buffer Overflow Vulnerability

Affected systems:
Kingsoft Corp WPS Office
Description:
BUGTRAQ ID: 59529
CVE(CAN) ID: CVE-2012-4886

WPS Office is an office suite from Kingsoft Corporation.

In WPS Office 2012 and other versions, the Wpsio.dll module contains a stack buffer overflow. The flaw arises when a BSTR-type string read from a document is copied into a fixed-size stack buffer (0x200 bytes): the copy length is taken straight from the string's own length (SysStringLen) and is never checked against the buffer. Opening a crafted .wps file is enough to trigger it. An attacker can exploit this to crash the affected software and possibly execute arbitrary code.

<*Source: Zhangjiantao Link: http://seclists.org/fulldisclosure/2013/Apr/247 *>

Test method:
Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Excerpted from
http://seclists.org/fulldisclosure/2013/Apr/247

POC
==================
http://seclists.org/fulldisclosure/2013/Apr/att-247/poc_zip.bin

Crash information
==================
crash info:
(b70.eb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012c0a4 ebx=770f4b39 ecx=90909090 edx=0012be00 esi=0012c0a4 edi=0018bd54
eip=45e25208 esp=0012bdec ebp=0012bdf8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
wpsio!TxExport+0x37b1:
45e25208 ff5114 call dword ptr [ecx+14h] ds:0023:909090a4=????????

module info:
start end module name
45e00000 4606f000 wpsio (export symbols) C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
Loaded symbol image file: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
Image path: C:\Program Files\Kingsoft\WPS Office Personal\office6\wpsio.dll
Image name: wpsio.dll
Timestamp: Mon May 28 04:10:12 2012 (4FC28A24)
CheckSum: 0026D933
ImageSize: 0026F000
File version: 8.1.0.3238
Product version: 8.1.0.3238
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0
CompanyName: Zhuhai Kingsoft Office-software Co.,Ltd
ProductName: Kingsoft Office
InternalName: wpsio
OriginalFilename: wpsio.dll
ProductVersion: 8,1,0,3238
FileVersion: 8,1,0,3238
FileDescription: wpsio
LegalCopyright: Copyright©1988-2011 Kingsoft Corporation. All rights reserved.

Code at the overflow point
==================
In sub_45E2CC84:

.text:45E2CC84 var_210 = byte ptr -210h ;buffer size 0x200
.text:45E2CC84 var_4 = dword ptr -4

.text:45E2CDB3 push [ebp+Src] ; BSTR
.text:45E2CDB9 call esi ; SysStringLen
.text:45E2CDBB mov [ebp+var_244], eax
.text:45E2CDC1 add eax, eax ;size is 0x170
.text:45E2CDC3 push eax ; Size
.text:45E2CDC4 push [ebp+Src] ; Src
.text:45E2CDCA lea eax, [ebp+var_210]
.text:45E2CDD0 push eax ; Dst
.text:45E2CDD1 call memcpy

First time: copies 0x170 bytes into buffer var_210.

.text:45E2CE16 push edi ; BSTR
.text:45E2CE17 mov [ebp+var_234], ax
.text:45E2CE1E call esi ; SysStringLen
.text:45E2CE20 add eax, eax
.text:45E2CE22 push eax ; Size
.text:45E2CE23 movzx eax, [ebp+var_234] ;length
.text:45E2CE2A lea eax, [ebp+eax*2+var_210]
.text:45E2CE31 push edi ; Src
.text:45E2CE32 push eax ; Dst
.text:45E2CE33 call memcpy

Second time: copies the same string, placed right after the first one. var_234 is the length of the string. Total copied: 0x2e0
bytes.
After the copy, the return address and the SEH record have been overwritten.

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c070 90909090 wpsio!TxExport+0xb3e1
0012c148 45e2a113 0x90909090

0:000> !exchain
0012c064: 90909090
Invalid exception stack at 90909090

The source data of the memcpy comes from the file poc.wps, at offset 0x41d7.
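The copy pattern described in the description and in the listing from sub_45E2CC84 above, as an added C example (it is not code from this page, from Zhangjiantao's post, or from Kingsoft): it models the two memcpy calls against the 0x200-byte var_210 buffer inside a simulated stack frame, shows the return-address slot being overwritten for the PoC's string size (0xB8 characters, i.e. 0x170 bytes), and places a bounds-checked version of the same copy beside it. Only the buffer size 0x200, the SysStringLen*2 copy length, the second copy at offset var_234*2 and the 16-bit var_234 come from the listing. The BSTR stand-in (bstr_alloc, bstr_len), the frame layout offsets (derived from var_210 at ebp-0x210 plus a standard x86 frame), the marker return address 0x41414141 and the 0x9090 filler input are constructed assumptions for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a Windows BSTR: UTF-16 code units preceded by a 4-byte byte
 * count, with the pointer aimed at the first character. Portable model, not
 * oleaut32. */
typedef uint16_t *bstr_t;

static bstr_t bstr_alloc(uint32_t nchars) {
    uint32_t *p = calloc(1, sizeof(uint32_t) + ((size_t)nchars + 1) * 2);
    if (!p) abort();
    p[0] = nchars * 2;                  /* byte count, as the BSTR prefix stores it */
    return (bstr_t)(p + 1);
}
static void bstr_free(bstr_t s) { free((uint32_t *)s - 1); }
/* Same contract as SysStringLen: length in characters, read from the prefix. */
static uint32_t bstr_len(bstr_t s) { return ((uint32_t *)s)[-1] / 2; }

#define BUF_SIZE   0x200u   /* var_210 in sub_45E2CC84 */
#define FRAME_SIZE 0x300u   /* model frame: var_210, 0x10 bytes of other locals,
                               saved EBP, return address, 0xE8 bytes of caller frame */
enum { OFF_BUF = 0x000, OFF_SAVED_EBP = 0x210, OFF_RET = 0x214 };

/* Mirrors the two memcpy calls in the listing: SysStringLen*2 bytes go into
 * var_210, then the same string again, placed right after the first copy
 * (offset taken from the 16-bit var_234). No size check at all. */
static void export_unchecked(uint8_t *frame, bstr_t src) {
    uint32_t len = bstr_len(src);       /* var_244 */
    uint16_t var_234 = (uint16_t)len;   /* the listing keeps the length in a WORD */
    size_t n = (size_t)len * 2;
    /* Guard for the simulation only: the real stack has no such wall. */
    if ((size_t)var_234 * 2 + n > FRAME_SIZE) { fputs("model frame too small\n", stderr); abort(); }
    memcpy(frame + OFF_BUF, src, n);                        /* first copy  */
    memcpy(frame + OFF_BUF + (size_t)var_234 * 2, src, n);  /* second copy */
}

/* Hardened form: each copy is checked against the capacity that is left. */
static int export_checked(uint8_t *buf, size_t cap, bstr_t src) {
    size_t n = (size_t)bstr_len(src) * 2;
    if (n > cap) return -1;             /* first copy would overflow */
    memcpy(buf, src, n);
    if (n > cap - n) return -1;         /* second copy would overflow */
    memcpy(buf + n, src, n);
    return (int)(2 * n);                /* bytes written */
}

/* Constructed input: nchars code units of 0x9090, the filler visible in the
 * crash registers (ecx=90909090). */
static bstr_t make_filler(uint32_t nchars) {
    bstr_t s = bstr_alloc(nchars);
    for (uint32_t i = 0; i < nchars; i++) s[i] = 0x9090;
    return s;
}

/* Plants a marker return address, runs the unchecked copy, and returns what
 * the return-address slot holds afterwards. */
static uint32_t ret_after_unchecked(uint32_t nchars) {
    uint8_t frame[FRAME_SIZE];
    uint32_t marker = 0x41414141u;      /* constructed placeholder, not a real address */
    memset(frame, 0, sizeof frame);
    memcpy(frame + OFF_RET, &marker, sizeof marker);
    bstr_t s = make_filler(nchars);
    export_unchecked(frame, s);
    bstr_free(s);
    memcpy(&marker, frame + OFF_RET, sizeof marker);
    return marker;
}

/* Runs the hardened copy of nchars characters into a BUF_SIZE buffer;
 * -1 means the input was rejected. */
static int checked_result(uint32_t nchars) {
    uint8_t buf[BUF_SIZE];
    bstr_t s = make_filler(nchars);
    int r = export_checked(buf, sizeof buf, s);
    bstr_free(s);
    return r;
}

int main(void) {
    printf("0xB8 chars (PoC size), unchecked: return-address slot = 0x%08x\n",
           (unsigned)ret_after_unchecked(0xB8));
    printf("0x80 chars (exactly fills var_210), unchecked: 0x%08x\n",
           (unsigned)ret_after_unchecked(0x80));
    printf("checked: 0xB8 chars -> %d, 0x80 chars -> %d, 0x81 chars -> %d\n",
           checked_result(0xB8), checked_result(0x80), checked_result(0x81));
    return 0;
}
```

Two things worth noting from the model. 0x80 characters is the largest input the unchecked code survives, because both copies together then fill var_210 exactly; one character more and the second copy spills past the buffer. The checked version also ignores the WORD-sized var_234 that the listing uses for the second copy's offset: a length that is truncated to 16 bits and a length that is not can only disagree for strings longer than the buffer, so the check against remaining capacity has to run before the offset is ever used.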

Recommendation:
Vendor patch:

Kingsoft Corp
-------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

www.wps.cn
