Baidu Hi

Description:
BUGTRAQ ID: 31162
Baidu Hi is a very popular instant messaging client in China.
The CSTransfer.dll library in Baidu Hi does not strictly validate the format of decoded plain-text messages. If a remote attacker sends a specially crafted message to the client, a buffer overflow can be triggered, leading to execution of arbitrary code.
The following is a simplified walk-through of the trigger.

Malicious input as laid out in memory (esi and ebp both point into this buffer):

    | R |   | 4 | 0 |   | \r | \n | .... |

Correct content (ebp at the start of the buffer, esi further along, after the "cm 1.0" prefix):

    | c | m |   | 1 | . | 0 |   | R | 4 | 0 |   | \r | \n | .... |

Disassembly of the parsing routine in CSTransfer.dll:

    loc_10007880:
        mov  al, [esi-1]            ; step back one byte
        dec  esi
        cmp  al, 20h                ; is it a space?
        jnz  short loc_10007890

    loc_10007888:
        mov  al, [esi-1]            ; skip backwards over a run of spaces
        dec  esi
        cmp  al, 20h
        jz   short loc_10007888

    loc_10007890:
        push 20h                    ; ' '
        push ebp                    ; start of the buffer
        inc  esi
        call ds:strchr              ; first space from ebp onward
        mov  edi, eax

    ...

    loc_100078EA:
        sub  esi, edi               ; esi will be a negative number
        cmp  esi, 1Eh
        jg   loc_100079FD           ; signed compare: only "too large" is rejected
        push esi                    ; size_t ; esi will be a negative number
        lea  edx, [esp+44h+var_24]
        push edi                    ; char *
        push edx                    ; char *
        call ds:strncpy             ; cause buffer overflow

State at the strncpy call (the malicious input sits behind a heap structure; esi and edi point into the input, ebp at the heap structure):

    | heap struct | R |   | 4 | 0 |   | \r | \n | .... |

With the malicious input, the space that strchr returns in edi lies beyond esi, so sub esi, edi produces a negative value. The cmp/jg pair treats that value as signed and lets it pass the 1Eh limit, but strncpy receives it as an unsigned size_t, so far more bytes than the stack buffer at [esp+44h+var_24] can hold are copied.
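To make the flaw in the length check concrete, here is an added C model (not code from the advisory or from Baidu) of the signed-difference comparison beside a hardened form; the buffer size DST_SIZE, the function names and the end_off parameter are assumptions used only for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 0x1E   /* the only bound the disassembly tests (cmp esi, 1Eh) */
#define DST_SIZE  32     /* assumed size of the stack buffer; the advisory does not state it */

/* Models the flawed check. end_off is where the backwards scan over spaces
 * left esi; strchr(line, ' ') plays the role of edi. Returns the length that
 * would be handed to strncpy as a size_t, or 0 if the copy is skipped.
 * Like the original, it compares a signed difference against FIELD_MAX only. */
static size_t flawed_copy_length(const char *line, size_t end_off)
{
    const char *end = line + end_off;
    const char *space = strchr(line, ' ');
    if (space == NULL)
        return 0;
    long len = (long)(end - space);  /* sub esi, edi: negative when the space is past end */
    if (len > FIELD_MAX)             /* jg loc_100079FD: only "too large" is rejected */
        return 0;
    return (size_t)len;              /* push esi ; size_t: -1 becomes SIZE_MAX */
}

/* Hardened form: the space must precede end, and the length is bounded by
 * the destination's real size as well as by the protocol limit. */
static size_t safe_copy_length(const char *line, size_t end_off)
{
    const char *end = line + end_off;
    const char *space = strchr(line, ' ');
    if (space == NULL || space >= end)   /* strchr found a later token: no field here */
        return 0;
    size_t len = (size_t)(end - space);  /* now guaranteed positive */
    if (len > FIELD_MAX || len >= DST_SIZE)
        return 0;
    return len;
}
```

Feeding the advisory's "correct content" to both functions yields the same 8-byte field, while the "malicious input" (end before the first space) passes the flawed check with a length of SIZE_MAX and is rejected by the hardened one.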
<*Source: Li Gen (superligen@gmail.com)
Link: http://marc.info/?l=bugtraq&m=122132048000769&w=2
*>
Recommendation:
Vendor patch:
Baidu
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://im.baidu.com/
