BUGTRAQ ID: 28541
CVE(CAN) ID: CVE-2008-1602
Orbit Downloader is a download manager used to download streaming media from video-sharing sites.
Orbit Downloader does not correctly convert the ASCII string of a URL to Unicode. If a user downloads a file from a specially crafted URL, arbitrary code may be executed.
When Orbit cannot download a file, it pops up a balloon control in the notification area:
/-----------
.text:004A56D0 sub_4A56D0 proc near ; CODE XREF: sub_42AAC0+321 p
.text:004A56D0 ; sub_439610+321 p ...
.text:004A56D0
.text:004A56D0 String = word ptr -2000h
.text:004A56D0 hDC = dword ptr 4
.text:004A56D0 arg_4 = dword ptr 8
.text:004A56D0 lpRect = dword ptr 0Ch
.text:004A56D0 uFormat = dword ptr 10h
.text:004A56D0
.text:004A56D0 mov eax, 2000h ; reserve 0x2000 (8192) bytes in the stack
.text:004A56D5 call __alloca_probe
.text:004A56DA push edi
.text:004A56DB mov ecx, 800h
.text:004A56E0 xor eax, eax
.text:004A56E2 lea edi, [esp+2004h+String]
.text:004A56E6 rep stosd
.text:004A56E8 mov eax, [esp+2004h+arg_4]
.text:004A56EF pop edi
.text:004A56F0 mov ecx, [eax+8]
.text:004A56F3 mov eax, [eax+4]
.text:004A56F6 test eax, eax
.text:004A56F8 jnz short loc_4A56FF
.text:004A56FA mov eax, ds:?_C@?1??_Nullstr@? basic_string@DU? char_traits@D@std@@V? allocator@D@2@@std@@CAPBDXZ@4DB ;
.text:004A56FF
.text:004A56FF loc_4A56FF: ; CODE XREF: sub_4A56D0+28 j
.text:004A56FF lea edx, [esp+2000h+String]
.text:004A5703 push 2000h ; cchWideChar (write up to 16384 bytes to the buffer)
.text:004A5708 push edx ; lpWideCharStr
.text:004A5709 push ecx ; cchMultiByte
.text:004A570A push eax ; lpMultiByteStr
.text:004A570B push 0 ; dwFlags
.text:004A570D push 0 ; CodePage
.text:004A570F call ds:MultiByteToWideChar
.text:004A5715 mov ecx, [esp+2000h+uFormat]
.text:004A571C mov edx, [esp+2000h+lpRect]
.text:004A5723 push ecx ; uFormat
.text:004A5724 mov ecx, [esp+2004h+hDC]
.text:004A572B push edx ; lpRect
.text:004A572C push eax ; nCount
.text:004A572D lea eax, [esp+200Ch+String]
.text:004A5731 push eax ; lpString
.text:004A5732 push ecx ; hDC
.text:004A5733 call ds:DrawTextW
.text:004A5739 add esp, 2000h
.text:004A573F retn
.text:004A573F endp ;sub_4A56D0
-----------/
The Win32 API function
/-----------
int MultiByteToWideChar(
UINT CodePage,
DWORD dwFlags,
LPCSTR lpMultiByteStr,
int cbMultiByte,
LPWSTR lpWideCharStr,
int cchWideChar
);
-----------/
takes a cchWideChar parameter that must be the size, in WCHAR values, of the buffer indicated by lpWideCharStr. An attacker can supply a download URL longer than 4096 bytes; if the download fails, MultiByteToWideChar overflows the 8192-byte buffer on the stack, writing up to 0x2000 WCHARs (16384 bytes), overwriting internal structures and leading to arbitrary code execution.
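As an added illustration that is not part of this advisory or of Orbit Downloader's own code, the following C program models the sizing mistake described above. MultiByteToWideChar is Windows-only, so widen_ascii is an assumed portable stand-in that only widens ASCII bytes and refuses input that does not fit; the buffer sizes are the advisory's 0x2000 bytes (0x1000 WCHARs). bytes_past_buffer_if_buggy computes, without performing any write, how far the original call would run past the buffer for a URL of a given length, and widen_url_fixed shows the corrected call that sizes the output in WCHARs rather than bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR_T;                       /* stand-in for Win32 WCHAR (2 bytes) */

#define STRING_BYTES    0x2000                                   /* 8192 bytes reserved by sub_4A56D0 */
#define STRING_CAPACITY ((int)(STRING_BYTES / sizeof(WCHAR_T)))  /* 4096 WCHARs: the correct cchWideChar */

/* Assumed portable stand-in for MultiByteToWideChar(CodePage 0) on ASCII input.
 * Widens each byte to one WCHAR and returns the count written; returns 0 when
 * cb_multi_byte exceeds cch_wide_char, as the real API fails with
 * ERROR_INSUFFICIENT_BUFFER. This is not a real code-page conversion. */
static int widen_ascii(const char *src, int cb_multi_byte,
                       WCHAR_T *dst, int cch_wide_char)
{
    if (cb_multi_byte < 0 || cb_multi_byte > cch_wide_char)
        return 0;
    for (int i = 0; i < cb_multi_byte; i++)
        dst[i] = (WCHAR_T)(unsigned char)src[i];
    return cb_multi_byte;
}

/* Models the vulnerable call arithmetically, without performing it: the
 * original pushes cchWideChar = 0x2000 (the byte size) for a buffer that
 * holds only 0x1000 WCHARs. Returns how many bytes a URL of url_len ASCII
 * bytes would land past the end of the 8192-byte buffer (0 means it fits). */
int bytes_past_buffer_if_buggy(int url_len)
{
    const int cch_passed = STRING_BYTES;            /* the wrong value: bytes, not WCHARs */
    if (url_len < 0 || url_len > cch_passed)
        return 0;                                   /* the API rejects the call outright */
    long bytes_written = (long)url_len * (long)sizeof(WCHAR_T);
    return bytes_written > STRING_BYTES ? (int)(bytes_written - STRING_BYTES) : 0;
}

/* Corrected form: the output size is expressed in WCHARs
 * (sizeof buf / sizeof buf[0]), so a URL longer than 4096 bytes is refused
 * instead of overflowing the stack. Returns the number of WCHARs written,
 * or 0 if the URL was rejected. */
int widen_url_fixed(const char *url)
{
    static WCHAR_T buf[STRING_CAPACITY];
    memset(buf, 0, sizeof buf);                     /* same zero-fill as the rep stosd */
    size_t len = strlen(url);
    if (len > (size_t)STRING_CAPACITY)              /* reject before converting */
        return 0;
    return widen_ascii(url, (int)len, buf, (int)(sizeof buf / sizeof buf[0]));
}

/* Drives widen_url_fixed with a constructed URL of url_len 'A' bytes
 * (constructed test input only; not a real URL). */
int widen_constructed_url(int url_len)
{
    static char url[STRING_BYTES + 2];
    if (url_len < 0 || url_len > STRING_BYTES + 1)
        return -1;
    memset(url, 'A', (size_t)url_len);
    url[url_len] = '\0';
    return widen_url_fixed(url);
}

int main(void)
{
    printf("4097-byte URL, original sizing: %d bytes past the buffer\n",
           bytes_past_buffer_if_buggy(4097));
    printf("8192-byte URL, original sizing: %d bytes past the buffer\n",
           bytes_past_buffer_if_buggy(8192));
    printf("8192-byte URL, fixed sizing: %d WCHARs written (0 = rejected)\n",
           widen_constructed_url(8192));
    return 0;
}
```

The point of the fixed form is that the count passed to the conversion routine is derived from the element count of the destination array, never from its byte size; the 4096-byte threshold in the advisory is exactly where the two values stop agreeing.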
OrbitDownloader.com Orbit Downloader 2.6.4
OrbitDownloader.com Orbit Downloader 2.6.3
OrbitDownloader.com
-------------------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
http://dl.orbitdownloader.com/dl/OrbitDownloaderSetup.exe