Sina UC ActiveX Multiple Remote Stack Overflow By Sowhat of Nevis Labs Date: 2007.01.09 http://www.nevisnetworks.com http://secway.org/advisory/20070109EN.txt http://secway.org/advisory/20070109CN.txt CVE: NO-CVE-Num Vendor Sina Inc. <=UC2006 are vulnerable Overview: Sina UC is one of most popular IM in China. http://www.51uc.com Details: The specific flaws exists due to the lack of input validation on various ActiveX control parameters installed by Sina UC. Succssfully exploiting this vulnerability allows attackers to execute arbitrary code on vulnerable installation Successful exploitation requires that the target user browse to a malicious web page. Various ActiveX are vulnerable to simple stack overflow. Including but not limited to: 1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384 C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll Sub SendChatRoomOpt ( ByVal astrVerion As String , ByVal astrUserID As String , ByVal asDataType As Integer , ByVal alTypeID As Long ) when the 1st arg takes a long string (~5000 works), There will be a simple stack overflow, resulting completely SEH overwritten. (534.674): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000041 ebx=00000000 ecx=0000037d edx=00000002 esi=02849ada edi=00130000 eip=02b97c76 esp=0012d2cc ebp=0012d2d4 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000212 *** WARNING: Unable to verify checksum for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\sina\UC\ActiveX\BROWSE~1.DLL - BROWSE_1!DllUnregisterServer+0x662c: 02b97c76 f3a5 rep movsd ds:02849ada=41414141 es:00130000=78746341 0:000> g (534.674): C++ EH exception - code e06d7363 (first chance) (534.674): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=77f79bb8 esi=00000000 edi=00000000 eip=41414141 esp=0012c8b8 ebp=0012c8d8 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 41414141 ?? ??? Vulnerable Code: ext:100076A2 add dword ptr [esi+4], 2 .text:100076A6 mov eax, [esi+4] .text:100076A9 movzx ecx, word ptr [ebp-14h] .text:100076AD push ecx ; size_t .text:100076AE push dword ptr [ebp+8] ; void * .text:100076B1 mov ecx, [esi+8] .text:100076B4 add ecx, eax .text:100076B6 push ecx ; void * .text:100076B7 call _memcpy | | v .text:10007C30 LeadUp1: ; DATA XREF: .text:10007C24o .text:10007C30 and edx, ecx .text:10007C32 mov al, [esi] .text:10007C34 mov [edi], al .text:10007C36 mov al, [esi+1] .text:10007C39 mov [edi+1], al .text:10007C3C mov al, [esi+2] .text:10007C3F shr ecx, 2 .text:10007C42 mov [edi+2], al .text:10007C45 add esi, 3 .text:10007C48 add edi, 3 .text:10007C4B cmp ecx, 8 .text:10007C4E jb short loc_10007C1C .text:10007C50 rep movsd .text:10007C52 jmp ds:off_10007D08[edx*4] .text:10007C52 ; ---------------------------------------------------------------------- .text:10007C59 align 4 .text:10007C5C .text:10007C5C LeadUp2: ; DATA XREF: .text:10007C28o .text:10007C5C and edx, ecx .text:10007C5E mov al, [esi] .text:10007C60 mov [edi], al .text:10007C62 mov al, [esi+1] .text:10007C65 shr ecx, 2 .text:10007C68 mov [edi+1], al .text:10007C6B add esi, 2 .text:10007C6E add edi, 2 .text:10007C71 cmp ecx, 8 .text:10007C74 jb short loc_10007C1C .text:10007C76 rep movsd -------------Exception here. 2. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384 C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll Sub SendDownLoadFile ( ByVal astrDownDir As String ) When the astrDownDir set to a long string, SEH will be overwritten. 3. ... Workaround: Set a killbit for All the ActiveX used by UC, or, Use other IMs. Vendor Response: 2007.01.08 Vendor notified via ucservice@51uc.com 2007.01.08 No response, drop another email 2007.01.09 Advisory release -- Sowhat http://secway.org "Life is like a bug, Do you know how to exploit it ?"