The new Sogou Pinyin input method has fixed multiple security vulnerabilities.

Source: Internet
Author: User

[Vulnerability No.]
CAL_20100625-1

CAL_20100625-2

CAL_20100625-3

[Affected versions]
Sogou_pinyin_50f or earlier

[Announcement]

Hanhai Source Code Audit Lab found multiple high-threat security vulnerabilities in the Sogou Pinyin input method that allow an attacker to execute arbitrary code, and reported them to the Sohu Search Security Department. In early August, Sogou Pinyin fixed the vulnerabilities by pushing an updated client. We are now releasing this announcement. Users who have not yet received the update pushed by Sogou Pinyin should install the new version to avoid the security threat.

[Vulnerability details]

A high-risk vulnerability exists in Sogou Pinyin's handling of dictionary files. The new version of Sogou Pinyin no longer allows the client to install a dictionary file directly through the file association.

The other two vulnerabilities exist in skin processing. One of them is high-risk and lies in Sogou Pinyin's ZIP decompression: a skin is a ZIP file, and the uncompressed length field of the ZIP entry is processed incorrectly, causing a heap overflow. The details are as follows:

Error point: ZipLib.dll
When extracting an entry, the library reads the uncompressed data size from the archive, adds one to it, and allocates a buffer of that size.
When the declared uncompressed size is 0xffffffff, the addition wraps to 0, so a zero-length buffer is allocated; the decompressed data is then written into it and overwrites the adjacent heap memory.

1000C466 8B86 B0000000   mov eax, dword ptr [esi+B0]    ; number of bytes after decompression
1000C46C 40              inc eax                        ; error point
1000C46D 50              push eax
1000C46E E8 08DB0000     call 10019F7B                  ; _malloc
1000C473 59              pop ecx
1000C474 8986 B4000000   mov dword ptr [esi+B4], eax
1000C47A 8986 B8000000   mov dword ptr [esi+B8], eax

10010E69 8B45 F4         mov eax, dword ptr [ebp-C]
10010E6C 8B8E BC000000   mov ecx, dword ptr [esi+BC]
10010E72 8A57 04         mov dl, byte ptr [edi+4]
10010E75 881408          mov byte ptr [eax+ecx], dl     ; write the decompressed data
10010E78 40              inc eax
10010E79 8945 F4         mov dword ptr [ebp-C], eax
10010E7C 3B86 AC000000   cmp eax, dword ptr [esi+AC]
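As an added illustration (not code from the advisory, ZipLib.dll or Sogou), the C below shows the length computation the disassembly exhibits next to a checked replacement that reads the size from a ZIP local file header. The header layout is the standard ZIP format; the max_len sanity cap and the sample header bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ZIP local file header: signature(4) version(2) flags(2) method(2) time(2)
 * date(2) crc32(4) compressed size(4), then the uncompressed size at 22. */
#define ZIP_LFH_SIGNATURE        0x04034b50u
#define ZIP_LFH_UNCOMP_SIZE_OFF  22
#define ZIP_LFH_LEN              30

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The faulty computation from the disassembly ("inc eax" on the length):
 * len + 1 in 32-bit arithmetic wraps to 0 for len == 0xffffffff, so the
 * allocation is zero bytes while the copy loop still uses the original
 * length as its bound. */
uint32_t vulnerable_alloc_size(uint32_t uncompressed_len) {
    return uncompressed_len + 1;
}

/* Hardened replacement: reject a length whose +1 would wrap and anything
 * above max_len (a per-entry sanity cap; the cap is this example's
 * assumption). Returns 0 and sets *out on success, -1 on rejection. */
int checked_alloc_size(uint32_t uncompressed_len, uint32_t max_len, size_t *out) {
    if (uncompressed_len == UINT32_MAX || uncompressed_len > max_len)
        return -1;
    *out = (size_t)uncompressed_len + 1;
    return 0;
}

/* Validate one local file header and derive a safe buffer size for it.
 * Returns 0 on success, -1 if the header is short, mis-signed or unsafe. */
int zip_entry_alloc_size(const uint8_t *hdr, size_t hdr_len,
                         uint32_t max_len, size_t *out) {
    if (hdr_len < ZIP_LFH_LEN || read_le32(hdr) != ZIP_LFH_SIGNATURE)
        return -1;
    return checked_alloc_size(read_le32(hdr + ZIP_LFH_UNCOMP_SIZE_OFF),
                              max_len, out);
}

/* Constructed sample header (not taken from the page): all fields zero
 * except the signature and an uncompressed size of 0xffffffff. */
const uint8_t kSampleHeader[ZIP_LFH_LEN] = {
    0x50, 0x4b, 0x03, 0x04, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0
};
```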

[Verify POC]

http://www.vdisk.cn/down/index/4801593A1932

POC for the skin ZIP decompression heap overflow vulnerability

[Old Version Verification]

http://www.vdisk.cn/down/index/4801585A2645

This version can be used to verify the security vulnerability.

[New Sogou Pinyin version]

We have verified that the above security issues are fixed in Sogou Pinyin input method versions released after January 1, August 2. The latest Sogou Pinyin input method can be downloaded at:

http://ime.sogou.com/dl/sogou_pinyin_50s.exe

[Thanks]

Thanks to Sohu for taking the vulnerability report seriously and fixing the issues promptly.

[Timeline]

June 15: Hanhaiyuan identified a high-risk dictionary security vulnerability

June 13, June 20: Hanhaiyuan submitted the high-risk dictionary vulnerability to the SOHU Security Center

June 13, June 21: Hanhaiyuan discovered one high-risk skin vulnerability and one moderate-risk skin vulnerability

June 13, June 25: Hanhaiyuan submitted the skin security vulnerabilities to the SOHU Security Center

After December 1, August 2: we verified that the above security problems are fixed in Sogou Pinyin input method versions released after December 1, August 2

June August 21: Hanhaiyuan announcement


About Code Audit Labs:
==================================

Code Audit Labs is the code audit department of Nanjing Hanhaiyuan Information Technology Co., Ltd. The company is a security firm founded in Nanjing, China by senior international security researchers to provide professional security testing products, services, consulting and training. It aims to deliver professional, high-coverage and measurable security testing to software and hardware manufacturers and industry users, helping them improve the security of their own products and systems.
We hope to lay the cornerstone of information security for the information industry as it develops, to assure security quality, and, through the value we bring to enterprises, to become the most professional security testing product and service provider in the world.
