GKrellM Newsticker Remote Command Execution Vulnerability
Published: 2003-04-23
Updated: 2003-04-30
Affected systems:
GKrellM Newsticker GKrellM Newsticker 0.3
Description:
BUGTRAQ ID: 7415
CVE(CAN) ID: CVE-2003-0205
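gkrellm-newsticker is a plugin for the gkrellm system monitor.
When handling 'ticker' headlines, newsticker does not properly filter shell metacharacters. A remote attacker can exploit this by crafting a malicious headline and luring a user into opening it, which may execute arbitrary commands on the system with the privileges of the user's process.
When a user clicks a 'ticker' headline supplied via a URI in newsticker, the software does not sufficiently filter special shell characters; if an attacker supplies a malicious headline, arbitrary shell commands can be executed on the client machine when the user clicks it.
<*Source: Brian Campbell
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=105111327000755&w=2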
http://marc.theaimsgroup.com/?l=bugtraq&m=105111643906186&w=2
*>
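The flaw described above comes from placing a feed-supplied link into a string that is handed to `system()`. As an added example (not code from the advisory, the plugin, or Brian Campbell's patch), the C below shows one way to make such a link inert before it reaches the shell: a scheme allowlist plus POSIX single-quote quoting. The function names, and the assumption that `browser` is a plain command name rather than a format string, are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes for /bin/sh; the only byte needing care is '
 * itself, emitted as '\'' (close, escaped quote, reopen). */
char *shell_quote(const char *s)
{
    size_t n = 3;                        /* two quotes + NUL */
    char *out, *q;
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    if (!(out = malloc(n)))
        return NULL;
    q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else            { *q++ = *p; }
    }
    memcpy(q, "'", 2);                   /* closing quote + NUL */
    return out;
}

/* Allow only http:// or https:// links with no control characters. */
int link_is_acceptable(const char *link)
{
    const unsigned char *p = (const unsigned char *)link;
    if (strncmp(link, "http://", 7) && strncmp(link, "https://", 8))
        return 0;
    for (; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Build "<browser> '<link>' &" (browser is assumed to be a plain command
 * name), or return NULL if the link is rejected. Caller frees the result. */
char *build_browser_command(const char *browser, const char *link)
{
    char *quoted, *cmd;
    size_t n;
    if (!link_is_acceptable(link) || !(quoted = shell_quote(link)))
        return NULL;
    n = strlen(browser) + strlen(quoted) + 4;    /* ' ' + " &" + NUL */
    if ((cmd = malloc(n)))
        snprintf(cmd, n, "%s %s &", browser, quoted);
    free(quoted);
    return cmd;
}
```

Launching the browser with an argument vector instead of a shell command line removes the need for quoting altogether.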
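Recommendations:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:
* Brian Campbell provides the following third-party patch: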
diff -ur gkrellm-newsticker-0.3.orig/newsticker.c gkrellm-newsticker-0.3/newsticker.c
--- gkrellm-newsticker-0.3.orig/newsticker.c Sun Jan 20 21:02:40 2002
+++ gkrellm-newsticker-0.3/newsticker.c Sat Apr 5 09:37:18 2003
@@ -292,7 +292,12 @@
pt = strchr(pt, '>');
pt++;
pt2 = strstr(buf, "</link>");
- nt->link = g_strndup(pt, (pt2 - pt));
+ /* Can't handle multiple lines properly, but at least make some
+ * effort. */
+ if (pt2)
+ nt->link = g_strndup(pt, (pt2 - pt));
+ else
+ nt->link = g_strdup(pt);
flag++;
continue;
}
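Review bot: `pt = strchr(pt, '>'); pt++;` in the context above the new check is still unguarded, and `pt2` is located with `strstr(buf, "</link>")` rather than from `pt`, so a closing tag that appears before `pt` gives a negative `pt2 - pt` that `g_strndup` receives as a very large length. Check the `strchr` result before incrementing and search for the closing tag starting at `pt`; the new `if (pt2)` only covers the case where the tag is missing entirely.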
@@ -306,10 +311,20 @@
pt = strchr(pt, '>');
pt++;
pt2 = strstr(buf, "</title>");
- if (flag == 2)
- nt->headline = g_strndup(pt, (pt2 - pt));
- else
- nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
+ /* Again, let's not fail completely when the element spans more
+ * than one line. */
+ if (pt2)
+ {
+ if (flag == 2)
+ nt->headline = g_strndup(pt, (pt2 - pt));
+ else
+ nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
+ } else {
+ if (flag == 2)
+ nt->headline = g_strdup(pt);
+ else
+ nt->headline = g_strconcat(nt->headline, " --- ", g_strdup(pt), NULL);
+ }
flag++;
if (flag > (num_headlines+1))
break;
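Review bot: both `g_strconcat` calls, including the new one in the `else` branch, leak the temporary returned by `g_strndup`/`g_strdup` as well as the previous `nt->headline`, because `g_strconcat` returns a newly allocated string. Hold the piece in a local, concatenate, then `g_free` the local and the old headline. Computing the piece once (`pt2 ? g_strndup(pt, pt2 - pt) : g_strdup(pt)`) before the `flag == 2` test would also collapse the four near-identical branches.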
@@ -474,10 +489,36 @@
return FALSE;
}
+/* Make a URI suitable for use in a shell command. */
+static gchar *escape_uri(gchar *uri)
+{
+ gchar *cur, *result, *resultcur;
+ int count = 1;
+
+ for (cur = uri; *cur; cur++)
+ count += (*cur == '\'') ? 3 : 1;
+
+ result = g_malloc(count);
+ for (cur = uri, resultcur = result; *cur; cur++)
+ {
+ if (*cur == '\'')
+ {
+ *resultcur++ = '%';
+ *resultcur++ = '2';
+ *resultcur++ = '7';
+ }
+ else
+ *resultcur++ = *cur;
+ }
+ *resultcur = '\0';
+
+ return result;
+}
static gint panel_click_event(GtkWidget *widget, GdkEventButton *ev)
{
gchar *command;
+ gchar *link;
GList *list;
Newsticker *nt;
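Review bot: `escape_uri` rewrites only `'` to `%27`; every other shell metacharacter (backquote, `$`, `;`, `|`, `&`, newline) is copied through unchanged, so it protects the command only if the `browser` format places `%s` inside single quotes, which nothing in this hunk enforces or documents. State that requirement in the function comment and validate it where the setting is read, or avoid the shell altogether. Minor: `uri` is never modified and can be `const gchar *`.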
@@ -490,7 +531,9 @@
{
if ((ev->button == 1) && (strcmp(nt->link, "NULL")))
{
- command = g_strdup_printf(browser, nt->link);
+ link = escape_uri(nt->link);
+ command = g_strdup_printf(browser, link);
+ g_free(link);
command = g_strconcat(command, " &", NULL);
system(command);
g_free(command);
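Review bot: `g_strdup_printf(browser, link)` still uses the user-configured `browser` string as a printf format and passes the result to `system()`, so the fix depends entirely on how that string quotes `%s`. In the context lines, `command = g_strconcat(command, " &", NULL)` also overwrites the only pointer to the first allocation, which leaks it. Consider building an argument vector and launching it with `g_spawn_async` so the link never reaches a shell.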
Vendor patch:
Debian
------
Source archives:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.dsc
Size/MD5 checksum: 736 48df0aef0622167773057cd7bf0fd17f
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.diff.gz
Size/MD5 checksum: 2468 bc17c9c128b8a2550f7812dae9f4b163
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3.orig.tar.gz
Size/MD5 checksum: 25849 41a647c4671f6801ed9b3a3de7d414ca
Alpha architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_alpha.deb
Size/MD5 checksum: 43506 47726e8c350b581bbf453f5d5c231dbd
ARM architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_arm.deb
Size/MD5 checksum: 37756 addfe4f87f35f0243a83b0e5e9286646
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_i386.deb
Size/MD5 checksum: 36030 48cc15c0da005d6b53757dfcee318dd0
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_ia64.deb
Size/MD5 checksum: 47160 f195d6caee4c186ed2ee6921eb454daa
HP Precision architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_hppa.deb
Size/MD5 checksum: 43974 5140d9e63e1647ff314c0c4044ddd4d3
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_m68k.deb
Size/MD5 checksum: 42164 3a2f0b85e3c7d6ee741c121f719c33ad
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mips.deb
Size/MD5 checksum: 36786 84ba4b61bd0c3c32459829a27ed1b010
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mipsel.deb
Size/MD5 checksum: 35532 ead6c8290f38890b11188406c990180d
PowerPC architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_powerpc.deb
Size/MD5 checksum: 41210 cb1ee388ea55ce2d4e5e7d7f2af1cf52
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_s390.deb
Size/MD5 checksum: 42644 1c1bc26dcf280c12df5785c6ba6afe24
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_sparc.deb
Size/MD5 checksum: 39512 4a731f1d3ff438ab0d8b2fd3852a45a0
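Patch installation:
1. Installing the patch package manually:
First, download the patch package with the following command:
# wget url (url is the patch download link)
Then install the patch with the following command:
# dpkg -i file.deb (file is the name of the corresponding patch package)
2. Installing the patch package automatically with apt-get:
First, update the internal database with the following command:
# apt-get update
Then install the updated packages with the following command:
# apt-get upgrade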