Baidu Soba Remote Code Execute Vulnerability(FGA-2007-10)
hi full-disclosure,
Baidu Soba Remote Code Execute Vulnerability
by cocoruder of Fortinet Security Research Team
http://ruder.cdut.net
Summary:
Baidu Soba is a popular browser toolbar which developed by Baidu, a Chinese
web search engine company, like Google, more informations can be found at:
http://www.baidu.com
http://bar.baidu.com/sobar/promotion.html
There exists a remote code execute vulnerability in Baidu Soba's ActiveX
Control "BaiduBar.dll". A remote attacker who successfully exploit these
vulnerabilities can completely take control of the affected system.
Affected Software Versions:
Baidu Soba 5.4(Version of "BaiduBar.dll" is 2.0.2.144)
Details:
This vulnerability exist in the function "DloadDS()" educed by
"BaiduBar.dll", following are some related imformations:
InprocServer32: C:\Program Files\baidu\bar\BaiduBar.dll
ClassID : A7F05EE4-0426-454F-8013-C41E3596E9E9
[id(0x0000001d), helpstring("method DloadDS")]
void DloadDS(
[in] BSTR bstrUrl,
[in] BSTR bstrName,
[in] long lShow);
When we set the parameter "bstrUrl" as a CAB file which can be download via
"http" protocol, "DloadDS()" will try to download this file to Windows Internet
Explorer temporary directory and try to execute the file named as parameter
"bstrName", the key code as follows:
.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ;
lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
.text:1006F411 push eax ;
lpStartupInfo
.text:1006F412 push esi ;
lpCurrentDirectory
.text:1006F413 push esi ;
lpEnvironment
.text:1006F414 push esi ;
dwCreationFlags
.text:1006F415 push esi ;
bInheritHandles
.text:1006F416 push esi ;
lpThreadAttributes
.text:1006F417 push esi ;
lpProcessAttributes
.text:1006F418 push esi
.text:1006F419 call sub_10004147 ; get
the CommandLine
.text:1006F419
.text:1006F41E push eax ;
lpCommandLine
.text:1006F41F push esi ;
lpApplicationName
.text:1006F420 call ds:CreateProcessA
As we seen, lpCommandLine point to
"C:\DOCUME~1\administrator\LOCALS~1\Temp\calc.exe",Because there is no valid
checks, the attacker can build a CAB file which included a trojan or spy
program and use the function "DloadDS()" for executing it.
Attached File:
Exploit can be found at the following url, please do not use for attacking.
http://ruder.cdut.net/attach/baidu_soba/baidu_soba_exploit.html
Solution:
Baidu said they have fixed this fault, but infact, the product downloaded
from "http://bar.baidu.com/sobar/promotion.html" is also affected, we strongly
suggest user set a Killbit for this CLSID.
Disclosure Timeline:
2007.07.19 Vendor notified via email
2007.07.19 Vendor responded
2007.07.23 Vendor noticed me new version is available and they
refuse to release an advisory for this vul
2007.07.24 Vendor say they have not updated the product
successfully
2007.08.01 Vendor noticed me again that new version is available
2007.08.02 But it looks like they are failed too
2007.08.02 Advisory released
Disclaimer:
Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
Fortinet Security Research
secresearch@xxxxxxxxxxxx
http://www.fortinet.com
Best Regards,
cocoruder of Fortinet Security Research Team
hfli@xxxxxxxxxxxx
2007-08-02
*** Disclaimer: This message may contain privileged and/or confidential
information. If you have received this e-mail in error or are not the intended
recipient, you may not use, copy, disseminate or distribute it; do not open any
attachments, delete it immediately from your system and notify the sender
promptly by e-mail that you have done so. Thank you. ***