
Kingsoft WPS Office Remote Heap Overflow Vulnerability Analysis (CVE-2020-25291)

WPS Office contains a remote code execution vulnerability caused by the application mishandling objects in memory while parsing a specially crafted Office file. An attacker who successfully exploits it can run arbitrary code in the context of the current user.

Dumping the stack in the debugger shows the following (the return address into QtCore4 sits at the top, with page-heap verifier and ntdll heap frames below it):

    004f1a38 6ba3cb98 QtCore4!path_gradient_span_gen::path_gradient_span_gen+0x6a74
    004f1a3c c45adfbc
    004f1a40 00000048
    004f1a44 00000000
    004f1a48 6f13830f verifier!DphCommitMemoryForPageHeap+0x16f
    004f1a4c 004f5cc8
    004f1a50 00000000
    004f1a54 00000000
    004f1a58 00000000
    004f1a5c 00000000
    004f1a60 004f65a0
    004f1a64 004f662c
    004f1a68 00000000
    004f1a6c 779eae8e ntdll!RtlAllocateHeap+0x3e

Disassembling around 6ba3cb98 gives the following code; the real root cause of the vulnerability lies here.

    6ba3cb89 8b96b4000000    mov     edx,dword ptr [esi+0B4h]
    6ba3cb8f 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
    6ba3cb92 52              push    edx
    6ba3cb93 8bd7            mov     edx,edi
    6ba3cb95 ff5580          call    dword ptr [ebp-80h]
    6ba3cb98 8b4e7c          mov     ecx,dword ptr [esi+7Ch]

C pseudocode for the same block (decompiler output, truncated in the original):

    grad = *(&ptr_grad);
    if ( grad > 0.0099999998 )
    {
       input_value = grad_size(check, size, input);
       ptr_grad = *(input);
       ... cut here ...
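
The pseudocode above shows the general shape of the defect: a value read from file data drives a pointer or size without being checked against the object it is written into. The following C program is an example added for this article, not WPS or Qt code; the gradient-record layout, the function names and the MAX_STOPS capacity are hypothetical, and the records built in the check functions are constructed stand-ins for file content. It places the unchecked parser beside a hardened one that validates the count against both the heap object's capacity and the bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical gradient record, constructed for this example (not the
 * real WPS/Qt format):
 *   u32 stop_count (little-endian)
 *   u32 stops[stop_count]   one ARGB colour per stop
 */
#define MAX_STOPS 16

typedef struct {
    uint32_t count;
    uint32_t stops[MAX_STOPS];
} gradient_t;

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Defective parser: the count comes straight from the file and bounds the
 * loop without being compared to the object's capacity or to the number of
 * bytes present. A count above MAX_STOPS writes past the end of the
 * gradient_t allocation (heap overflow) and reads past buf. Kept here for
 * contrast only; the checks below never call it on a bad record. */
gradient_t *parse_gradient_unchecked(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return NULL;
    gradient_t *g = malloc(sizeof *g);
    if (g == NULL)
        return NULL;
    g->count = read_u32le(buf);
    for (uint32_t i = 0; i < g->count; i++)      /* no upper bound */
        g->stops[i] = read_u32le(buf + 4 + 4 * (size_t)i);
    return g;
}

/* Hardened parser: the count must fit the object and the record must really
 * contain that many stops before a single element is copied. */
gradient_t *parse_gradient_checked(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return NULL;
    uint32_t count = read_u32le(buf);
    if (count > MAX_STOPS)
        return NULL;                 /* would overflow the heap object */
    if ((len - 4) / 4 < count)
        return NULL;                 /* record is truncated */
    gradient_t *g = calloc(1, sizeof *g);
    if (g == NULL)
        return NULL;
    g->count = count;
    for (uint32_t i = 0; i < count; i++)
        g->stops[i] = read_u32le(buf + 4 + 4 * (size_t)i);
    return g;
}

/* Serialise a declared count followed by n real stops; returns bytes written. */
static size_t make_record(uint8_t *out, uint32_t declared,
                          const uint32_t *stops, size_t n)
{
    uint8_t *p = out;
    for (size_t i = 0; i <= n; i++) {
        uint32_t v = (i == 0) ? declared : stops[i - 1];
        for (int k = 0; k < 4; k++) { *p++ = (uint8_t)(v & 0xff); v >>= 8; }
    }
    return (size_t)(p - out);
}

/* Well-formed record: three stops, declared count matches. Returns 1 on success. */
int checked_accepts_valid(void)
{
    static const uint32_t stops[3] = { 0xff000000u, 0xff00ff00u, 0xffffffffu };
    uint8_t buf[64];
    size_t len = make_record(buf, 3, stops, 3);
    gradient_t *g = parse_gradient_checked(buf, len);
    int ok = g != NULL && g->count == 3 && g->stops[1] == 0xff00ff00u;
    free(g);
    return ok;
}

/* Count far above capacity: rejected before any copy. Returns 1 if rejected. */
int checked_rejects_oversized(void)
{
    static const uint32_t stops[1] = { 0xff000000u };
    uint8_t buf[64];
    size_t len = make_record(buf, 0x10000000u, stops, 1);
    return parse_gradient_checked(buf, len) == NULL;
}

/* Count within capacity but larger than the record holds. Returns 1 if rejected. */
int checked_rejects_truncated(void)
{
    static const uint32_t stops[2] = { 0xff000000u, 0xff00ff00u };
    uint8_t buf[64];
    size_t len = make_record(buf, 5, stops, 2);
    return parse_gradient_checked(buf, len) == NULL;
}

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n", checked_accepts_valid(),
           checked_rejects_oversized(), checked_rejects_truncated());
    return 0;
}
```

The two rejections are the ones that matter in practice: the capacity check stops the heap write, and the length check stops the out-of-bounds read that page heap (the verifier!DphCommitMemoryForPageHeap frame on the stack above) is there to catch. Running the parser under page heap or a sanitizer with a corpus of malformed records is the cheapest way to confirm that both checks hold.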

We set a breakpoint at 6ba3cb89 and inspect ESI + 0xB4; it holds a pointer to another location:

    0:000> r
    eax=00000000 ebx=00791878 ecx=00000005 edx=00793938 esi=cb07de18 edi=0000001c
    eip=6ba3cb89 esp=00791780 ebp=00791870 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
    QtCore4!path_gradient_span_gen::path_gradient_span_gen+0x6a65:
    6ba3cb89 8b96b4000000    mov     edx,dword ptr [esi+0B4h] ds:002b:cb07decc=cf69afbc
    0:000> dc esi+0B4h
    cb07decc  cf69afbc c0c0c000 00000000 00000100  ..i.............
    cb07dedc  c0c0c0c0 00000000 00000000 00000000  ................
    cb07deec  00000000 00000000 00000000 00000000  ................
    cb07defc  00000000 cf030fd0 00000000 00000000  ................
    cb07df0c  00000000 00000000 00000000 00000000  ................
    cb07df1c  c0c0c0c0 00000000 3ff00000 00000000  ...........?....
    cb07df2c  00000000 00000000 00000000 00000000  ................
    cb07df3c  00000000 00000000 3ff00000 00000000  ...........?....
    0:000> dc cf69afbc
    cf69afbc  c88baf80 d1326100 00000003 00000280  .....a2.........
    cf69afcc  0000055f 00000012 c0c0c0c0 1c3870e2  _............p8.
    cf69afdc  40ad870e 1c3870e2 40ad870e 00000000  ...@.p8....@....
    cf69afec  00000000 c0c0c0c1 6c1d12c0 00000000  ...........l....
    cf69affc  c0c0c0c0 ???????? ???????? ????????  ....????????????
    cf69b00c  ???????? ???????? ???????? ????????  ????????????????
    cf69b01c  ???????? ???????? ???????? ????????  ????????????????
    cf69b02c  ???????? ???????? ???????? ????????  ????????????????
    0:000> dc c88baf80
    c88baf80  00000001 0000001c 00000010 00000001  ................
    c88baf90  ff000000 ff800000 ff008000 ff808000  ................
    c88bafa0  ff000080 ff800080 ff008080 ff808080  ................
    c88bafb0  ffc0c0c0 ffff0000 ff00ff00 ffffff00  ................
    c88bafc0  ff0000ff ffff00ff ff00ffff ffffffff  ................
    c88bafd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................
    c88bafe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................
    c88baff0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

Original article, author: Admin. Please credit the source when reposting: https://secvery.com/3192.html