Author: void[at]ph4nt0m[dot]org
Blog: http://hi.baidu.com/54nop
Team: http://www.ph4nt0m.org
Date: 2008-04-09
影响版本:
Foxmail <= 6.5 beta1(build015)
分析:
Foxmail的fmrsslink.dll控件里IRss接口AddUrl(URL, Info)方法未检查网页提供的rss链接长度,当用户通过IE右键菜单收藏超长rss链接至Foxmail时,将导致栈溢出.
.text:10001044 ; int __stdcall AddUrl(void *this_ptr, LPCWSTR lpURL, LPWSTR lpInfo)
.text:10001044 AddUrl proc near ; DATA XREF: .rdata:100041E0o
.text:10001044 ; .rdata:10004244o
.text:10001044
.text:10001044 str_Vuln = byte ptr -200h
.text:10001044 Parameters = byte ptr -100h
.text:10001044 this_ptr = dword ptr 8
.text:10001044 lpURL = dword ptr 0Ch
.text:10001044 lpInfo = dword ptr 10h
.text:10001044
.text:10001044 push ebp
.text:10001045 mov ebp, esp
.text:10001047 sub esp, 200h
.text:1000104D push esi
.text:1000104E push edi
.text:1000104F push [ebp+lpURL]
.text:10001052 call my_wsclen
.text:10001057 pop ecx
.text:10001058 mov ecx, [ebp+this_ptr]
.text:1000105B push eax ; length_lpURL,URL长度,未检查
.text:1000105C push [ebp+lpURL] ; lpURL
.text:1000105F lea eax, [ebp+str_Vuln]
.text:10001065 push eax ; str_Vuln 只有512字节
.text:10001066 call my_WideCharToMultiByte ; <==
.text:1000106B mov ecx, [ebp+this_ptr]
.text:1000106E call sub_100010D6 ; HeapAlloc()
.text:10001073 mov edi, eax
.text:10001075 mov esi, offset aRss_xml ; "RSS_XML:"
.text:1000107A lea eax, [ebp+Parameters]
.text:10001080 push esi
.text:10001081 push eax
.text:10001082 call sub_100038B0
.text:10001087 push esi
.text:10001088 call sub_10003830
.text:1000108D mov ecx, 0FFh
.text:10001092 sub ecx, eax
.text:10001094 lea eax, [ebp+str_Vuln]
.text:1000109A push ecx
.text:1000109B push eax
.text:1000109C lea eax, [ebp+Parameters]
.text:100010A2 push eax
.text:100010A3 call sub_10003700
.text:100010A8 add esp, 18h
.text:100010AB lea eax, [ebp+Parameters]
.text:100010B1 push 1 ; nShowCmd
.text:100010B3 push offset Directory ; lpDirectory
.text:100010B8 push eax ; lpParameters
.text:100010B9 push edi ; lpFile
.text:100010BA push offset Operation ; "open"
.text:100010BF push 0 ; hwnd
.text:100010C1 call ds:ShellExecuteA
.text:100010C7 push edi
.text:100010C8 call sub_100036E7 ; HeapFree()
.text:100010CD pop ecx
.text:100010CE pop edi
.text:100010CF xor eax, eax
.text:100010D1 pop esi
.text:100010D2 leave
.text:100010D3 retn 0Ch
.text:100010D3 AddUrl endp
解决方法:
2008年1月21日,漏洞上报腾讯.
2008年3月10日,腾讯发布关于此漏洞的修复补丁.用户升级Foxmail即可修复该漏洞.(点击Foxmail菜单"帮助"--->"检查新版本...").
QQ安全中心公告链接: http://safe.qq.com/affiche/2008/20080314.shtml