Anzio Web Print Object

Source: 易采站长站
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Anzio Web Print Object Buffer Overflow

*Advisory Information*

Title: Anzio Web Print Object Buffer Overflow
Advisory ID: CORE-2008-0624
Advisory URL: http://www.coresecurity.com/content/anzio-web-print-object-buffer-overflow
Date published: 2008-08-20
Date of last update: 2008-08-20
Vendors contacted: Anzio
Release mode: Coordinated release

*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes (client side)
Locally Exploitable: No
Bugtraq ID: 30545
CVE Name: CVE-2008-3480

*Vulnerability Description*

Anzio Web Print Object (WePO) is a Windows ActiveX web page component
that, when placed on a web page, can "push" a print job from a file or
web server to a user's local printer without having to display the HTML
equivalent to that user. By placing WePO code on a web page, you can
provide a method whereby the viewer of that web page can request a local
print of a host resident print job, archived print job or a report
stream through a server-side script request.

Anzio Web Print Object is vulnerable to a buffer overflow attack, which
can be exploited by remote attackers to execute arbitrary code, by
providing a malicious web page with a long "mainurl" parameter for the
WePO ActiveX component.
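
As an added example (not part of the Core advisory and not Anzio code), the following static check flags HTML whose `<param name="mainurl">` value is unusually long after character references are decoded, for triaging stored or proxied pages. The 1024-character threshold and the names `MainurlAuditor` and `audit_page` are assumptions made here; the advisory does not state the size of the overflowed buffer.

```python
from html.parser import HTMLParser

# Assumed policy limit: the advisory does not state the size of the
# overflowed buffer, so this threshold is a local choice, not a vendor value.
MAX_MAINURL_LEN = 1024


class MainurlAuditor(HTMLParser):
    """Flag <param name="mainurl"> values that are overlong or not plain ASCII."""

    def __init__(self, max_len=MAX_MAINURL_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []  # (line, reason, decoded_length)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in values, so lengths are post-decoding.
        if tag != "param":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() != "mainurl":
            return
        value = attr.get("value", "")
        line = self.getpos()[0]
        if len(value) > self.max_len:
            self.findings.append((line, "overlong", len(value)))
        elif any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            self.findings.append((line, "non-ascii-or-control", len(value)))


def audit_page(html, max_len=MAX_MAINURL_LEN):
    """Return a list of findings for one HTML document."""
    auditor = MainurlAuditor(max_len)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages (not taken from the advisory or any real site).
BENIGN = '<object><param name="mainurl" value="http://www.somewhere.com/myreport.pcl"></object>'
SUSPECT = '<object>\n<PARAM NAME="MainURL" VALUE="' + "&#65;" * 5000 + '">\n</object>'

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_page(page))
```

This is a triage aid for static markup and does not replace updating to Anzio Web Print Object 3.2.30.
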

*Vulnerable Packages*

. Anzio Web Print Object 3.2.19
. Anzio Web Print Object 3.2.24
. Anzio Print Wizard Server Edition 3.2.19
. Anzio Print Wizard Personal Edition 3.2.19
. Older versions are probably affected too, but were not checked.

*Non-vulnerable Packages*

. Anzio Web Print Object 3.2.30

*Vendor Information, Solutions and Workarounds*

Update to Anzio Web Print Object 3.2.30, available at
http://www.anzio.com/download-wepo.htm, or visit the vendor homepage at
http://www.anzio.com.

*Credits*

This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.

*Technical Description / Proof of Concept Code*

The WePO ActiveX component has a parameter named "mainurl" that
indicates the local file name or the URL from which to retrieve the
content to print:

/-----------

<param name="mainurl" value="http://www.somewhere.com/myreport.pcl">

-----------/

WePO takes the value of the "mainurl" parameter in OLECHAR format and
transforms it to a BSTR string using the API SysAllocStringLen from
oleaut32.dll. The pointer to the BSTR string returned by SysAllocStringLen
is stored on the stack.

/-----------

024F64B8   . 51   PUSH ECX   ; length of "mainurl" value
024F64B9   . 52   PUSH EDX   ; pointer to "mainurl" value