[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200708020157.l721vDRV024910@mail.apsecure.com>
Date: Thu, 2 Aug 2007 09:57:15 +0800
From: "hfli" <hfli@...tinet.com>
To: "full-disclosure" <full-disclosure@...ts.grok.org.uk>,
"bugtraq" <bugtraq@...urityfocus.com>
Subject: Baidu Soba Remote Code Execute
Vulnerability(FGA-2007-10)
hi full-disclosure,
Baidu Soba Remote Code Execute Vulnerability
by cocoruder of Fortinet Security Research Team
http://ruder.cdut.net
Summary:
Baidu Soba is a popular browser toolbar which developed by Baidu, a Chinese web search engine company, like Google, more informations can be found at:
http://www.baidu.com
http://bar.baidu.com/sobar/promotion.html
There exists a remote code execute vulnerability in Baidu Soba's ActiveX Control "BaiduBar.dll". A remote attacker who successfully exploit these vulnerabilities can completely take control of the affected system.
Affected Software Versions:
Baidu Soba 5.4(Version of "BaiduBar.dll" is 2.0.2.144)
Details:
This vulnerability exist in the function "DloadDS()" educed by "BaiduBar.dll", following are some related imformations:
InprocServer32: C:\Program Files\baidu\bar\BaiduBar.dll
ClassID : A7F05EE4-0426-454F-8013-C41E3596E9E9
[id(0x0000001d), helpstring("method DloadDS")]
void DloadDS(
[in] BSTR bstrUrl,
[in] BSTR bstrName,
[in] long lShow);
When we set the parameter "bstrUrl" as a CAB file which can be download via "http" protocol, "DloadDS()" will try to download this file to Windows Internet Explorer temporary directory and try to execute the file named as parameter "bstrName", the key code as follows:
.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ; lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
.text:1006F411 push eax ; lpStartupInfo
.text:1006F412 push esi ; lpCurrentDirectory
.text:1006F413 push esi ; lpEnvironment
.text:1006F414 push esi ; dwCreationFlags
.text:1006F415 push esi ; bInheritHandles
.text:1006F416 push esi ; lpThreadAttributes
.text:1006F417 push esi ; lpProcessAttributes
.text:1006F418 push esi
.text:1006F419 call sub_10004147 ; get the CommandLine
.text:1006F419
.text:1006F41E push eax ; lpCommandLine
.text:1006F41F push esi ; lpApplicationName
.text:1006F420 call ds:CreateProcessA
As we seen, lpCommandLine point to "C:\DOCUME~1\administrator\LOCALS~1\Temp\calc.exe",Because there is no valid checks, the attacker can build a CAB file which included a trojan or spy program and use the function "DloadDS()" for executing it.
Attached File:
Exploit can be found at the following url, please do not use for attacking.
http://ruder.cdut.net/attach/baidu_soba/baidu_soba_exploit.html
Solution:
Baidu said they have fixed this fault, but infact, the product downloaded from "http://bar.baidu.com/sobar/promotion.html" is also affected, we strongly suggest user set a Killbit for this CLSID.
Disclosure Timeline:
2007.07.19 Vendor notified via email
2007.07.19 Vendor responded
2007.07.23 Vendor noticed me new version is available and they refuse to release an advisory for this vul
2007.07.24 Vendor say they have not updated the product successfully
2007.08.01 Vendor noticed me again that new version is available
2007.08.02 But it looks like they are failed too
2007.08.02 Advisory released
Disclaimer:
Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
Fortinet Security Research
secresearch@...tinet.com
http://www.fortinet.com
Best Regards,
cocoruder of Fortinet Security Research Team
hfli@...tinet.com
2007-08-02
*** Disclaimer: This message may contain privileged and/or confidential information. If you have received this e-mail in error or are not the intended recipient, you may not use, copy, disseminate or distribute it; do not open any attachments, delete it immediately from your system and notify the sender promptly by e-mail that you have done so. Thank you. ***
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists