Tuesday, April 8, 2008

[Advisory]Foxmail fmrsslink.dll RSSLINKLib.Rss AddUrl() Bug

Author: void[at]ph4nt0m[dot]org
Blog: http://hi.baidu.com/54nop
Team: http://www.ph4nt0m.org
Date: 2008-04-09

Affected versions:
Foxmail <= 6.5 beta1 (build015)

Analysis:
The AddUrl(URL, Info) method of the IRss interface in Foxmail's fmrsslink.dll control does not check the length of the RSS link supplied by a web page. When a user adds an over-long RSS link to Foxmail through the IE right-click menu, this results in a stack overflow.


.text:10001044 ; int __stdcall AddUrl(void *this_ptr, LPCWSTR lpURL, LPWSTR lpInfo)
.text:10001044 AddUrl          proc near               ; DATA XREF: .rdata:100041E0o
.text:10001044                                         ; .rdata:10004244o
.text:10001044
.text:10001044 str_Vuln        = byte ptr -200h
.text:10001044 Parameters      = byte ptr -100h
.text:10001044 this_ptr        = dword ptr  8
.text:10001044 lpURL           = dword ptr  0Ch
.text:10001044 lpInfo          = dword ptr  10h
.text:10001044
.text:10001044                 push    ebp
.text:10001045                 mov     ebp, esp
.text:10001047                 sub     esp, 200h
.text:1000104D                 push    esi
.text:1000104E                 push    edi
.text:1000104F                 push    [ebp+lpURL]
.text:10001052                 call    my_wsclen
.text:10001057                 pop     ecx
.text:10001058                 mov     ecx, [ebp+this_ptr]
.text:1000105B                 push    eax             ; length_lpURL, URL length, not checked
.text:1000105C                 push    [ebp+lpURL]     ; lpURL
.text:1000105F                 lea     eax, [ebp+str_Vuln]
.text:10001065                 push    eax             ; str_Vuln is only 512 bytes
.text:10001066                 call    my_WideCharToMultiByte ; <==
.text:1000106B                 mov     ecx, [ebp+this_ptr]
.text:1000106E                 call    sub_100010D6    ; HeapAlloc()
.text:10001073                 mov     edi, eax
.text:10001075                 mov     esi, offset aRss_xml ; "RSS_XML:"
.text:1000107A                 lea     eax, [ebp+Parameters]
.text:10001080                 push    esi
.text:10001081                 push    eax
.text:10001082                 call    sub_100038B0
.text:10001087                 push    esi
.text:10001088                 call    sub_10003830
.text:1000108D                 mov     ecx, 0FFh
.text:10001092                 sub     ecx, eax
.text:10001094                 lea     eax, [ebp+str_Vuln]
.text:1000109A                 push    ecx
.text:1000109B                 push    eax
.text:1000109C                 lea     eax, [ebp+Parameters]
.text:100010A2                 push    eax
.text:100010A3                 call    sub_10003700
.text:100010A8                 add     esp, 18h
.text:100010AB                 lea     eax, [ebp+Parameters]
.text:100010B1                 push    1                ; nShowCmd
.text:100010B3                 push    offset Directory ; lpDirectory
.text:100010B8                 push    eax              ; lpParameters
.text:100010B9                 push    edi              ; lpFile
.text:100010BA                 push    offset Operation ; "open"
.text:100010BF                 push    0                ; hwnd
.text:100010C1                 call    ds:ShellExecuteA
.text:100010C7                 push    edi
.text:100010C8                 call    sub_100036E7    ; HeapFree()
.text:100010CD                 pop     ecx
.text:100010CE                 pop     edi
.text:100010CF                 xor     eax, eax
.text:100010D1                 pop     esi
.text:100010D2                 leave
.text:100010D3                 retn    0Ch
.text:100010D3 AddUrl          endp

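The following is an added illustration in portable C, not Foxmail's code, of the bound that the AddUrl listing lacks: the wide-to-narrow conversion into the 512-byte str_Vuln is given the length check the original omits, while the later "RSS_XML:" + URL step is limited to 0xFF bytes the way the listing's strcpy/strlen/strncat sequence already does. Function names, the ASCII-only stand-in for my_WideCharToMultiByte and the constructed test URLs are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STR_VULN_SIZE 512u   /* str_Vuln in the listing: 512 bytes */
#define PARAMS_SIZE   256u   /* Parameters in the listing: 256 bytes */

/* UTF-16 length in code units, as my_wsclen computes it. */
static size_t wcs_len16(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Portable stand-in for my_WideCharToMultiByte (non-ASCII units become '?')
 * with the bound check that AddUrl omits: returns -1 if the URL would not
 * fit in out_size bytes instead of writing past the end of str_Vuln. */
int narrow_url_checked(const uint16_t *url, char *out, size_t out_size) {
    size_t n = wcs_len16(url);
    if (out_size == 0 || n > out_size - 1) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = url[i] < 0x80 ? (char)url[i] : '?';
    out[n] = '\0';
    return 0;
}

/* Rest of AddUrl: "RSS_XML:" + url, limited to 0xFF bytes in total, which is
 * why Parameters (the second stack buffer) is not overflowed in the original. */
int build_rss_parameters(const uint16_t *url, char *params) {
    char narrowed[STR_VULN_SIZE];
    if (narrow_url_checked(url, narrowed, sizeof narrowed) != 0) return -1;
    strcpy(params, "RSS_XML:");
    strncat(params, narrowed, (PARAMS_SIZE - 1) - strlen("RSS_XML:"));
    return 0;
}

/* Constructed input: "http://" padded with 'a' to len UTF-16 units (max 1023).
 * Returns strlen of the built parameters, or -1 when the URL is rejected. */
int rss_params_len_for(size_t len) {
    uint16_t url[1024];
    char params[PARAMS_SIZE];
    if (len > 1023) len = 1023;
    for (size_t i = 0; i < len; i++)
        url[i] = (uint16_t)(i < 7 ? "http://"[i] : 'a');
    url[len] = 0;
    return build_rss_parameters(url, params) == 0 ? (int)strlen(params) : -1;
}
```

A 100-unit URL yields 108 bytes of parameters, a 300-unit URL is silently cut to 255 bytes by the strncat bound, and a 600-unit URL is rejected up front because it would not fit in str_Vuln.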
Fix:
2008-01-21: the vulnerability was reported to Tencent.
2008-03-10: Tencent released a patch for this vulnerability. Users can fix it by upgrading Foxmail (click the Foxmail menu "Help" ---> "Check for new version...").
QQ Security Center announcement: http://safe.qq.com/affiche/2008/20080314.shtml
