by cocoruder(frankruer_at_hotmail.com)
http://ruder.cdut.net
Summary:
Thunder is a very popular download manager in China that uses P2SP technology. For more details, visit:
http://www.xunlei.com
A remote code execution vulnerability exists in the ActiveX control of Thunder 5. A remote attacker who successfully exploits this vulnerability can take complete control of the affected system.
Affected Software Versions:
Thunder 5 (version of "DapCtrl*.dll" <= 1.5.578.28)
Details:
The vulnerability exists in the property "Put" exposed by "DapCtrl*.dll". Some related information follows:
InprocServer32: C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\DapCtrl1.5.578.28.483.dll
ClassID : ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8
[id(0x00000002)]
long Put([in] BSTR name, [in] VARIANT value);
Setting certain special values (an object) as the first parameter "name" can corrupt memory. A more carefully crafted corruption can make the program jump to a specific fixed address, which the attacker can cover using the JavaScript heap spray technique, so that arbitrary code can be executed reliably.
Solution:
The new edition of Thunder 5 fixes this vulnerability. The vendor's advisory can be found at:
http://safe.xunlei.com/announce/xl08040501.html
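To find hosts that still carry the affected control, the following read-only PowerShell audit looks up the ClassID above, reads the registered DLL's version and reports whether the Internet Explorer kill bit is set for it. It is an added example, not part of the original advisory or the vendor's tooling; it assumes the DLL's version resource matches the version numbering used in this advisory.

```powershell
# Added example: read-only audit for the affected Thunder 5 ActiveX control.
$Clsid       = '{ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8}'  # ClassID from the advisory
$MaxAffected = [version]'1.5.578.28'                     # advisory: versions <= this are affected
$KillBit     = 0x400                                     # IE "Compatibility Flags" kill-bit value

# COM registration root -> matching IE "ActiveX Compatibility" root
# (native view first, then the 32-bit view on 64-bit Windows).
$Views = @(
    @{ Com    = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Com    = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

foreach ($view in $Views) {
    $comKey = Join-Path (Join-Path $view.Com $Clsid) 'InprocServer32'
    if (-not (Test-Path -LiteralPath $comKey)) { continue }  # not registered in this view

    # The default value of InprocServer32 is the path of the control's DLL.
    $dll = (Get-Item -LiteralPath $comKey).GetValue('')
    $version = $null
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        # Assumption: the version resource carries the version the advisory refers to.
        $vi = (Get-Item -LiteralPath $dll).VersionInfo
        $version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    $affected = if ($version) { $version -le $MaxAffected } else { 'unknown' }

    # Kill bit: when set, Internet Explorer refuses to instantiate this CLSID.
    $flags = 0
    $compatKey = Join-Path $view.Compat $Clsid
    if (Test-Path -LiteralPath $compatKey) {
        $value = (Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags')
        if ($null -ne $value) { $flags = [int]$value }
    }

    [pscustomobject]@{
        RegistryView = $view.Com
        DllPath      = $dll
        FileVersion  = $version
        Affected     = $affected
        KillBitSet   = ($flags -band $KillBit) -ne 0
    }
}
```

No output means the control is not registered machine-wide on that host.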
Disclosure Timeline:
2008.04.18 Vendor notified
2008.04.18 Vendor responded
2008.04.29(before) The vulnerability was fixed silently in the new edition
2008.04.29 The vendor replied that they needed more than 1.5 months to push the patch(!?)
2008.06.13 The vendor's advisory released
2008.06.13 Advisory released


June 13, 2008 13:12 | by 





