BaoFeng Storm ActiveX Control ‘OnBeforeVideoDownload()’ Buffer Overflow Vulnerability
by bugvuln(bugvuln_at_gmail.com)
niklen(niklenxyz_at_gmail.com)
Bugtraq ID: 34869
Vulnerable: BaoFeng Storm 3.9.4 17
BaoFeng Storm 3.9.3 30
BaoFeng Storm 3.9.3 25
BaoFeng Storm 2.7.9 .8
BaoFeng Storm 2.7.9 .10
BaoFeng Storm 2.9
BaoFeng Storm 2.8
Description:
==========
BaoFeng Storm (http://www.baofeng.com) is a very popular media player in China.
BaoFeng Storm ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
Details:
==========
clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB
C:\Program Files\StormII\mps.dll
Sub OnBeforeVideoDownload(ByVal URL As String)
sub_10014240
|–.text:1001430A call sub_10014D40
|–sub_10014D40
|–.text:10014E37 call dword ptr [eax+8] ; sub_1005DAF0
|–sub_1005DAF0
|–.text:1005DBA1 call dword ptr [edx+4] ; sub_1005EB50
|–sub_1005EB50
|–.text:1005EB9A call sub_10060320
|–sub_10060320
|–.text:1006033C call ds:lstrcpynA
|–.text:1005ED7A add esp, 1348h
|–.text:1005ED80 retn 14h
.text:1005EB6F push ebp
.text:1005EB70 push esi
.text:1005EB71 mov esi, [esp+1350h+lpString2]
.text:1005EB78 push edi
.text:1005EB79 push offset aStormbox_0 ; "stormbox"
.text:1005EB7E mov ebp, ecx
.text:1005EB80 push esi ; Str
.text:1005EB81 call ds:strstr ; check whether the passed-in argument contains "stormbox"
.text:1005EB87 add esp, 8
.text:1005EB8A test eax, eax
.text:1005EB8C jnz loc_1005ED67 ; not found! then it is game over
.text:1005EB92 push esi ; lpString2
.text:1005EB93 lea ecx, [esp+1358h+var_1034]
.text:1005EB9A call sub_10060320
...
.text:10060320 push esi
.text:10060321 push edi
.text:10060322 mov edi, [esp+8+lpString2]
.text:10060326 mov esi, ecx
.text:10060328 push edi ; lpString
.text:10060329 mov dword ptr [esi], offset off_1007C5A4
.text:1006032F call ds:lstrlenA
.text:10060335 inc eax
.text:10060336 push eax ; iMaxLength. Sigh, the call above is the last time any function is called to check the length, but it is only there to produce this maximum-length argument;
; the validity of that length is still never considered -_-
.text:10060337 lea eax, [esi+4]
.text:1006033A push edi ; lpString2
.text:1006033B push eax ; lpString1
.text:1006033C call ds:lstrcpynA ; copied into the stack region eax points to, a warm-up for the overflow that is about to come
.text:10060342 mov eax, esi
.text:10060344 pop edi
.text:10060345 pop esi
.text:10060346 retn 4
...
.text:1005ED70 pop edi
.text:1005ED71 pop esi
.text:1005ED72 pop ebp
.text:1005ED73 mov large fs:0, ecx
.text:1005ED7A add esp, 1348h
.text:1005ED80 retn 14h ; returns just like that, and it is all over
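The lstrlenA/lstrcpynA pattern above, modelled in portable C as an added example (not code from the advisory or from BaoFeng): the frame layout, the sentinel return address, the slack region and the sample URL are constructed for the demonstration, and lstrcpyn_like stands in for the Win32 lstrcpynA. The point it makes visible is that iMaxLength is derived from the source string, so it can never bound the copy into the 0x1034-byte stack buffer; the hardened form sizes the limit from the destination and rejects over-long input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define URL_BUF_SIZE 0x1034       /* var_1034: the caller's stack buffer */
#define SENTINEL_EIP 0x1005ED80u  /* stands in for the saved return address */

/* Portable stand-in for lstrcpynA: copies at most max_len-1 chars, then a NUL. */
static void lstrcpyn_like(char *dst, const char *src, size_t max_len) {
    size_t n = strlen(src);
    if (n >= max_len) n = max_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Constructed model of the frame in sub_1005EB50: the URL buffer with the saved
 * return address right above it, plus slack so the demo never writes out of bounds. */
struct frame {
    char url_buf[URL_BUF_SIZE];
    uint32_t saved_eip;
    char slack[64];
};

/* Mirrors sub_1005EB50/sub_10060320: URLs containing "stormbox" are skipped; anything
 * else is copied with iMaxLength = lstrlenA(url)+1. The limit comes from the SOURCE,
 * so it never protects the destination. Returns the saved EIP after the copy. */
uint32_t vulnerable_handler(const char *url) {
    struct frame f = {{0}, SENTINEL_EIP, {0}};
    if (strstr(url, "stormbox") != NULL) return f.saved_eip; /* jnz loc_1005ED67 */
    size_t i_max_length = strlen(url) + 1;                   /* lstrlenA; inc eax */
    if (i_max_length > sizeof f) i_max_length = sizeof f;    /* demo guard only */
    lstrcpyn_like((char *)&f, url, i_max_length);
    return f.saved_eip;
}

/* Hardened form: the limit is the DESTINATION size and over-long input is rejected
 * rather than silently truncated. Returns true only when the URL fit. */
bool safe_handler(const char *url) {
    char url_buf[URL_BUF_SIZE];
    if (strlen(url) >= sizeof url_buf) return false;
    lstrcpyn_like(url_buf, url, sizeof url_buf);
    return true;
}

const char *constructed_long_url(void) {   /* constructed sample: 4200 'A's */
    static char big[4201];
    memset(big, 'A', sizeof big - 1);
    return big;   /* static storage is zero-initialised, so it stays NUL-terminated */
}
```

With the constructed 4200-byte URL the model's saved return address reads 0x41414141, the same value the crash dump below shows in eip, while the hardened handler simply refuses the input.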
ModLoad: 41f50000 41fc7000 C:\WINDOWS\system32\mshtmled.dll
ModLoad: 10000000 100e2000 C:\Program Files\StormII\mps.dll
ModLoad: 75ff0000 76055000 C:\Program Files\StormII\MSVCP60.dll
ModLoad: 02c60000 02c96000 C:\Program Files\StormII\meedb.dll
ModLoad: 02ca0000 02d2e000 C:\Program Files\StormII\splayers.dll
ModLoad: 02730000 0274e000 C:\Program Files\StormII\rndrmgr.dll
ModLoad: 02d30000 02e48000 C:\Program Files\StormII\SubDecoder.dll
ModLoad: 4b640000 4b7e6000 C:\WINDOWS\system32\d3d9.dll
ModLoad: 6dd20000 6dd26000 C:\WINDOWS\system32\d3d8thk.dll
ModLoad: 736d0000 73719000 C:\WINDOWS\system32\DDRAW.dll
ModLoad: 73b30000 73b36000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 74be0000 74c0c000 C:\WINDOWS\system32\OLEACC.dll
ModLoad: 72f70000 72f96000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 76320000 76367000 C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 02eb0000 02ed2000 C:\Program Files\StormII\mediainfo.dll
ModLoad: 719c0000 719fe000 C:\WINDOWS\system32\mswsock.dll
ModLoad: 60fd0000 61025000 C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a00000 71a08000 C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 7cf70000 7d0d8000 C:\WINDOWS\system32\quartz.dll
ModLoad: 63380000 633f8000 C:\WINDOWS\system32\jscript.dll
(a0.8b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffff00 ebx=01b3f33c ecx=41414141 edx=00142f90 esi=01b3f328 edi=01b3f340
eip=41414141 esp=0175f588 ebp=01b3f338 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
41414141 ?? ???
Solutions:
==========
Update the software to the newest version, or save the following text as a .REG file and import it (this sets the kill bit for the control's CLSID so Internet Explorer will no longer instantiate it):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB}]
"Compatibility Flags"=dword:00000400