Foxmail的fmrsslink.dll控件里IRss接口AddUrl(URL, Info)方法未检查网页提供的rss链接长度,当用户通过IE右键菜单收藏超长rss链接至Foxmail时,将导致栈溢出.
.text:10001044 ; int __stdcall AddUrl(void *this_ptr, LPCWSTR lpURL, LPWSTR lpInfo)
.text:10001044 ; IRss::AddUrl: converts the caller-supplied wide-char URL into a
.text:10001044 ; fixed-size stack buffer (str_Vuln) and hands it to ShellExecuteA as an
.text:10001044 ; "RSS_XML:" parameter. Per the advisory above, lpURL comes from web page
.text:10001044 ; content. lpInfo is declared but never read anywhere in this listing.
.text:10001044 AddUrl proc near ; DATA XREF: .rdata:100041E0o
.text:10001044 ; .rdata:10004244o
.text:10001044
.text:10001044 ; Frame layout (see sub esp, 200h below): str_Vuln spans the 100h bytes
.text:10001044 ; from ebp-200h up to Parameters at ebp-100h, and Parameters runs up to
.text:10001044 ; the saved ebp. Any write past the end of str_Vuln lands in Parameters
.text:10001044 ; and then in the saved frame pointer / return address.
.text:10001044 str_Vuln = byte ptr -200h
.text:10001044 Parameters = byte ptr -100h
.text:10001044 this_ptr = dword ptr 8
.text:10001044 lpURL = dword ptr 0Ch
.text:10001044 lpInfo = dword ptr 10h
.text:10001044
.text:10001044 push ebp
.text:10001045 mov ebp, esp
.text:10001047 sub esp, 200h ; 512-byte frame holding both local buffers
.text:1000104D push esi
.text:1000104E push edi
.text:1000104F push [ebp+lpURL]
.text:10001052 call my_wsclen ; eax = wide-char length of lpURL
.text:10001057 pop ecx
.text:10001058 mov ecx, [ebp+this_ptr]
.text:1000105B push eax ; length_lpURL, URL length, unchecked: there is no cmp/jcc between my_wsclen and this push, so a length of any size reaches the conversion
.text:1000105C push [ebp+lpURL] ; lpURL
.text:1000105F lea eax, [ebp+str_Vuln]
.text:10001065 push eax ; str_Vuln (author's note: only 512 bytes)
.text:10001066 call my_WideCharToMultiByte ; <== called as (str_Vuln, lpURL, length_lpURL): the arguments carry the source length but no destination capacity, so the copy is bounded only by the URL. Fix: bound the conversion by the size of str_Vuln, or reject/truncate URLs longer than it before converting.
.text:1000106B mov ecx, [ebp+this_ptr]
.text:1000106E call sub_100010D6 ; HeapAlloc()
.text:10001073 mov edi, eax ; edi = heap buffer, later passed to ShellExecuteA as lpFile
.text:10001075 mov esi, offset aRss_xml ; "RSS_XML:"
.text:1000107A lea eax, [ebp+Parameters]
.text:10001080 push esi
.text:10001081 push eax
.text:10001082 call sub_100038B0 ; (Parameters, "RSS_XML:") — presumably copies the prefix into Parameters; not verified from this listing
.text:10001087 push esi
.text:10001088 call sub_10003830 ; (esi) — presumably the prefix length; eax feeds the bound computed below
.text:1000108D mov ecx, 0FFh
.text:10001092 sub ecx, eax ; ecx = 0FFh - prefix length: remaining capacity of the 100h-byte Parameters buffer
.text:10001094 lea eax, [ebp+str_Vuln]
.text:1000109A push ecx
.text:1000109B push eax
.text:1000109C lea eax, [ebp+Parameters]
.text:100010A2 push eax
.text:100010A3 call sub_10003700 ; (Parameters, str_Vuln, ecx) — appears to be a length-bounded append; note the contrast with the unbounded conversion into str_Vuln above
.text:100010A8 add esp, 18h
.text:100010AB lea eax, [ebp+Parameters]
.text:100010B1 push 1 ; nShowCmd (SW_SHOWNORMAL)
.text:100010B3 push offset Directory ; lpDirectory
.text:100010B8 push eax ; lpParameters = "RSS_XML:<url>" assembled in Parameters
.text:100010B9 push edi ; lpFile
.text:100010BA push offset Operation ; "open"
.text:100010BF push 0 ; hwnd
.text:100010C1 call ds:ShellExecuteA ; launches lpFile with the page-derived URL as its argument; the return value is not checked
.text:100010C7 push edi
.text:100010C8 call sub_100036E7 ; HeapFree()
.text:100010CD pop ecx
.text:100010CE pop edi
.text:100010CF xor eax, eax ; returns 0 unconditionally, regardless of what ShellExecuteA reported
.text:100010D1 pop esi
.text:100010D2 leave
.text:100010D3 retn 0Ch ; __stdcall: callee pops the three dword arguments
.text:100010D3 AddUrl endp
Foxmail <= 6.5 beta1(build015) QQ安全中心公告链接: <a href=http://safe.qq.com/affiche/2008/20080314.shtml target=_blank>http://safe.qq.com/affiche/2008/20080314.shtml</a>