2025-04-11 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com) 05/31 Report--
This article walks through an analysis of CVE-2018-7471, an integer overflow vulnerability in industrial configuration (HMI/SCADA) software. The topic is not widely understood, so the key points are summarized below in the hope that readers can take something away from it.
0x1 Vulnerability information
CNVD-ID:CNVD-2018-00995
CVE ID:CVE-2018-7471
An integer overflow vulnerability exists in the industrial configuration software of a certain vendor (KingView, per the patch link below). It is triggered when the StgOpenStorage call fails: the function returns a failure HRESULT, a 32-bit signed value with its high (severity) bit set, and the caller mishandles that error code because it lies outside the range it expected for an int on a 32-bit system. An attacker who can make the component load a crafted project path can use this to execute arbitrary code.
Patch information: http://www.kingview.com/news_info.php?num=1000656
Vulnerability release: http://www.cnvd.org.cn/flaw/show/CNVD-2018-00995
0x2 OpenStorage function description
OpenStorage (the COM API StgOpenStorage) opens an existing compound (structured storage) file and returns a value of type HRESULT. The prototype, as documented on MSDN, is:
HRESULT StgOpenStorage(const WCHAR *pwcsName, IStorage *pstgPriority, DWORD grfMode, SNB snbExclude, DWORD reserved, IStorage **ppstgOpen);
The return value is a 32-bit signed long: S_OK (0) when the storage is opened normally; on failure, an error code such as STG_E_FILENOTFOUND, whose high bit (bit 31) is set and which is therefore negative when read as a signed integer.
For more information on the function, see MSDN:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380024(v=vs.85).aspx
0x3 Locating the vulnerable function
Comparing the patched and unpatched binaries identifies the vulnerable component as Touchvewocx.ocx. Five functions in the module changed; three of them were actually modified (rather than merely relocated), and these are analysed one by one below.
3.1 0x100223C0
CViewManager::LoadDocInfor(CViewManager *this, CPicDocument *pd)
Zooming in, the main change is the added check block at 0x10022780.
3.1.1 before patch
.text:100223C0 var_814   = dword ptr -814h
.text:100223C0 var_810   = dword ptr -810h   ; int32
.text:100223C0 pwcsName  = dword ptr -80Ch
.text:100223C0 ppstgOpen = dword ptr -808h
var_810 (v25 in the decompiled output) is a signed int32 that holds the StgOpenStorage return value; on failure it is negative, because an error HRESULT has its high bit set. When that value is widened to 64 bits it is sign-extended, so the upper 32 bits are filled with 0xFFFFFFFF.
3.1.2 after patch
The return value, sc, is now typed as a dword. If it is not S_OK, the value is converted to a CString (wchar_t) for the error message and the failure is handled as an exception.
.text:100223C0 sc        = dword ptr -810h
.text:100223C0 lpsz      = dword ptr -80Ch
.text:100223C0 lpStorage = dword ptr -808h
3.2 0x10039530
After repair:
The string buffer is changed to wide characters (wchar_t).
3.3 0x10151880
Before patching:
After repair:
if (StgIsStorageFile(lpsz) == 1) {          // S_FALSE (1): lpsz is not a compound file, so create one
    sc = StgCreateDocfile(lpsz, 0x30022u, 0, &lpStorage);
    if (sc < 0 || !lpStorage)
        sc = StgCreateDocfile(lpsz, 0x30000u, 0, &lpStorage);
} else {
    sc = StgOpenStorage(lpsz, 0, 0x10022u, 0, 0, &lpStorage);   // STGM_TRANSACTED | STGM_SHARE_EXCLUSIVE | STGM_READWRITE
    if (sc < 0 || !lpStorage)
        sc = StgOpenStorage(lpsz, 0, 0x10000u, 0, 0, &lpStorage);   // retry with a weaker mode (transacted, read-only)
}
if (sc) {                                   // any non-zero HRESULT, not only negative ones, is treated as failure
    sc = 1;
    v62 = 0;
    LOBYTE(v114) = 6; AFX_EXCEPTION_LINK::~AFX_EXCEPTION_LINK(&afxExceptionLink);
    LOBYTE(v114) = 5; CPicDocument::~CPicDocument(&PicDoc);
    LOBYTE(v114) = 4; CFileException::~CFileException(&e);
    LOBYTE(v114) = 3; CString(&message);    // stack-object cleanup on the failure path (decompiler output)
    LOBYTE(v114) = 2; CString(&failSz);
    LOBYTE(v114) = 1; CString(&pd_picName);
    LOBYTE(v114) = 0; CString(&viewfilename);
    v114 = -1;        CString(&filename);
    v4 = v62;
}
0x4 Identifying the vulnerable ActiveX interface
The interfaces exported by Touchvewocx are as follows:
Function call path:
From the call path, the vulnerable ActiveX interface can be identified as SetProjectPath.
When the SetProjectPath(string*) interface of the ActiveX component Touchvewocx.ocx calls OpenStorage() and the call fails, the function returns a failure HRESULT. Note that HRESULT is a 32-bit signed LONG on both 32-bit and 64-bit Windows (LLP64), so its width does not change with the platform; what matters is the sign. A failure code has bit 31 set, so it is negative as a signed int, a large positive value as an unsigned dword, and sign-extends to 0xFFFFFFFF80xxxxxx when widened to 64 bits. The function assigned the returned value to a dword variable and only handled the cases the 32-bit build happened to produce; on a 64-bit build the value is truncated or misinterpreted, execution continues past the failed open, and an exception results. The patch treats any non-zero sc, or a NULL lpStorage, as a failure and unwinds before the value is used.
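The following is an added example, not code from KingView or Touchvewocx.ocx. It models the three points the analysis above rests on: a failure HRESULT has bit 31 set and is therefore negative as a signed 32-bit value (section 0x2); widening that value to 64 bits sign-extends it when it sits in a signed int32 (the pre-patch var_810 in 3.1.1) but zero-extends it when it sits in a dword (the patched sc in 3.1.2); and the patched open-or-create sequence from 3.3, where any non-zero sc or NULL storage aborts. The Windows types and STG_E_* constants are redefined locally with their real winerror.h values; the stub_* functions and the STUB_FILES table are constructed stand-ins for the COM structured-storage API, assumed here so the program builds and runs without Windows.

```c
/* Added example, not KingView's or Touchvewocx.ocx's code.  Windows types and
 * STG_E_* constants carry their real values; stub_* functions and STUB_FILES
 * are constructed stand-ins for StgIsStorageFile / StgOpenStorage /
 * StgCreateDocfile so this runs off-Windows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t  HRESULT;   /* Windows: typedef LONG HRESULT; LONG is 32 bits on x86 and x64 (LLP64) */
typedef uint32_t DWORD;

#define S_OK                ((HRESULT)0x00000000)
#define S_FALSE             ((HRESULT)0x00000001)
#define STG_E_FILENOTFOUND  ((HRESULT)0x80030002)   /* real values from winerror.h */
#define STG_E_ACCESSDENIED  ((HRESULT)0x80030005)
#define FAILED(hr)          (((HRESULT)(hr)) < 0)   /* the winerror.h definition */

/* Bit 31 is the severity bit: every failure code has it set, success codes (S_OK, S_FALSE) do not. */
int hresult_severity_bit(HRESULT hr) { return (int)(((DWORD)hr >> 31) & 1u); }

/* Widen the way a signed int32 local (pre-patch var_810) would: sign extension fills the top 32 bits with 1s. */
uint64_t widen_signed(HRESULT hr) { return (uint64_t)(int64_t)hr; }

/* Widen the way a DWORD local (patched sc) would: zero extension keeps the top 32 bits clear. */
uint64_t widen_unsigned(DWORD sc) { return (uint64_t)sc; }

/* ---- constructed stub storage API (assumed, not the real COM functions) ---- */
struct stub_file { const char *name; int is_compound; HRESULT open_result; };
static const struct stub_file STUB_FILES[] = {
    { "good.pic",   1, S_OK },               /* compound file that opens fine */
    { "locked.pic", 1, STG_E_ACCESSDENIED }, /* compound file that exists but cannot be opened */
    { "plain.txt",  0, S_OK },               /* exists but is not a compound file */
};
static int stub_storage_object;              /* stands in for the IStorage the real API hands back */

static const struct stub_file *stub_lookup(const char *name) {
    for (size_t i = 0; i < sizeof STUB_FILES / sizeof STUB_FILES[0]; i++)
        if (strcmp(STUB_FILES[i].name, name) == 0) return &STUB_FILES[i];
    return NULL;
}

/* Real StgIsStorageFile returns S_OK for a compound file, S_FALSE if not, and an error HRESULT if unreadable. */
HRESULT stub_StgIsStorageFile(const char *name) {
    const struct stub_file *f = stub_lookup(name);
    if (!f) return STG_E_FILENOTFOUND;
    return f->is_compound ? S_OK : S_FALSE;
}

HRESULT stub_StgOpenStorage(const char *name, DWORD grfMode, void **out) {
    const struct stub_file *f = stub_lookup(name);
    (void)grfMode;                           /* the stub ignores the access mode */
    *out = NULL;
    if (!f) return STG_E_FILENOTFOUND;
    if (f->open_result == S_OK) *out = &stub_storage_object;
    return f->open_result;
}

HRESULT stub_StgCreateDocfile(const char *name, DWORD grfMode, void **out) {
    (void)name; (void)grfMode;
    *out = &stub_storage_object;             /* creation always succeeds in the stub */
    return S_OK;
}

/* Mirrors the patched LoadDocInfor sequence from section 3.3: create when the file is not a
 * compound file (S_FALSE == 1), otherwise open and retry once with a weaker mode; then treat
 * ANY non-zero sc, not only negative ones, as failure and hand back 1 with no storage. */
int load_doc_storage_patched(const char *name, void **storage) {
    HRESULT sc;
    *storage = NULL;
    if (stub_StgIsStorageFile(name) == S_FALSE) {
        sc = stub_StgCreateDocfile(name, 0x30022u, storage);
        if (sc < 0 || !*storage) sc = stub_StgCreateDocfile(name, 0x30000u, storage);
    } else {
        sc = stub_StgOpenStorage(name, 0x10022u, storage);
        if (sc < 0 || !*storage) sc = stub_StgOpenStorage(name, 0x10000u, storage);
    }
    if (sc) { *storage = NULL; return 1; }
    return 0;
}

int main(void) {
    void *stg;
    const char *names[] = { "good.pic", "locked.pic", "plain.txt", "missing.pic" };
    printf("STG_E_FILENOTFOUND as int32: %d, severity bit %d\n",
           (int)STG_E_FILENOTFOUND, hresult_severity_bit(STG_E_FILENOTFOUND));
    printf("widened from int32: 0x%016llx\n", (unsigned long long)widen_signed(STG_E_FILENOTFOUND));
    printf("widened from DWORD: 0x%016llx\n", (unsigned long long)widen_unsigned((DWORD)STG_E_FILENOTFOUND));
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %d\n", names[i], load_doc_storage_patched(names[i], &stg));
    return 0;
}
```

The two widen_* results show why the type of the local matters: the same error code becomes 0xFFFFFFFF80030002 when the signed int32 is widened and 0x0000000080030002 when the dword is, and a check written for one of those shapes does not hold for the other. The `if (sc)` test in load_doc_storage_patched sidesteps the question entirely by refusing to continue on any non-S_OK result.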
© 2024 shulou.com SLNews company. All rights reserved.