Baidu Vulnerability: Baidu Soba Remote Code Execute Vulnerability

by cocoruder of Fortinet Security Research Team
http://ruder.cdut.net


Summary:

    Baidu Soba is a popular browser toolbar developed by Baidu, a Chinese web search engine company similar to Google. More information can be found at:

    http://www.baidu.com
    http://bar.baidu.com/sobar/promotion.html

    There exists a remote code execution vulnerability in Baidu Soba's ActiveX control "BaiduBar.dll". A remote attacker who successfully exploits this vulnerability can completely take control of the affected system.


Affected Software Versions:

    Baidu Soba 5.4 (version of "BaiduBar.dll" is 2.0.2.144)



Details:

    This vulnerability exists in the function "DloadDS()" exported by "BaiduBar.dll". The following is some related information:

    InprocServer32: C:/Program Files/baidu/bar/BaiduBar.dll
    ClassID   : A7F05EE4-0426-454F-8013-C41E3596E9E9

    [id(0x0000001d), helpstring("method DloadDS")]
    void DloadDS(
                [in] BSTR bstrUrl,
                [in] BSTR bstrName,
                [in] long lShow);

    When the parameter "bstrUrl" is set to a CAB file that can be downloaded via the "http" protocol, "DloadDS()" downloads this file to the Windows Internet Explorer temporary directory and then tries to execute the file named by the parameter "bstrName". The key code is as follows:

.text:1006F407                 lea     eax, [ebp-28h]
.text:1006F40A                 lea     ecx, [ebp-10h]
.text:1006F40D                 push    eax ; lpProcessInformation
.text:1006F40E                 lea     eax, [ebp-6Ch]
.text:1006F411                 push    eax ; lpStartupInfo
.text:1006F412                 push    esi ; lpCurrentDirectory
.text:1006F413                 push    esi ; lpEnvironment
.text:1006F414                 push    esi ; dwCreationFlags
.text:1006F415                 push    esi ; bInheritHandles
.text:1006F416                 push    esi ; lpThreadAttributes
.text:1006F417                 push    esi ; lpProcessAttributes
.text:1006F418                 push    esi
.text:1006F419                 call    sub_10004147 ; get the CommandLine
.text:1006F41E                 push    eax ; lpCommandLine
.text:1006F41F                 push    esi ; lpApplicationName
.text:1006F420                 call    ds:CreateProcessA


    As can be seen, lpCommandLine points to "C:/DOCUME~1/administrator/LOCALS~1/Temp/calc.exe". Because there are no validity checks on the downloaded file or the name passed in "bstrName", an attacker can build a CAB file containing a trojan or spyware program and use the function "DloadDS()" to execute it.



Attached File:

    The exploit can be found at the following URL; please do not use it for attacking.
   
    http://ruder.cdut.net/attach/baidu_soba/baidu_soba_exploit.html



Solution:

    Baidu said they have fixed this fault, but in fact the product downloaded from "http://bar.baidu.com/sobar/promotion.html" is still affected. We strongly suggest that users set a Killbit for this CLSID.
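    The following is an added example, not part of the original advisory, showing how an administrator can apply and verify the Killbit recommended above. It assumes the standard Internet Explorer "ActiveX Compatibility" registry location and uses the CLSID and DLL path given in this advisory; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory): set and verify the IE kill bit for the
# Baidu Soba control described above. CLSID and DLL path come from the advisory.
$Clsid   = '{A7F05EE4-0426-454F-8013-C41E3596E9E9}'
$DllPath = 'C:\Program Files\baidu\bar\BaiduBar.dll'
$KillBit = 0x400   # "Compatibility Flags" value that tells IE never to instantiate the control

# On 64-bit Windows both hives matter: 32-bit IE processes read the Wow6432Node copy.
$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Clsid)
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $key = Join-Path $hive $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $KillBit -Force | Out-Null
    }
}

function Test-KillBit {
    param([string]$Clsid)
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { continue }
        $key   = Join-Path $hive $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Report one row per hive; the bit test tolerates other flags being set too.
        [pscustomobject]@{
            Hive       = $hive
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

# Report whether the build named in the advisory is installed on this machine.
if (Test-Path $DllPath) {
    $ver = (Get-Item $DllPath).VersionInfo.FileVersion
    Write-Host "BaiduBar.dll present, file version $ver (advisory lists 2.0.2.144 as affected)"
}

Set-KillBit  -Clsid $Clsid
Test-KillBit -Clsid $Clsid | Format-Table -AutoSize
```

    The Killbit only stops Internet Explorer from instantiating the control; it does not remove the DLL, so updating or uninstalling the toolbar is still advisable.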



Disclosure Timeline:

    2007.07.19 Vendor notified via email
    2007.07.19 Vendor responded
    2007.07.23 Vendor notified me that a new version is available and that they refuse to release an advisory for this vulnerability
    2007.07.24 Vendor said they had not updated the product successfully
    2007.08.01 Vendor notified me again that a new version is available
    2007.08.02 But it looks like they failed again
    2007.08.02 Advisory released

