GKrellM Newsticker Remote Command Execution Vulnerability

Published: 2003-04-23
Updated: 2003-04-30

Affected systems:
GKrellM Newsticker GKrellM Newsticker 0.3
Description:
BUGTRAQ  ID: 7415
CVE(CAN) ID: CVE-2003-0205

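gkrellm-newsticker is a plugin for the gkrellm system monitor.

When a 'ticker' headline is viewed, newsticker does not properly filter shell metacharacters. A remote attacker can exploit this by constructing a malicious headline and enticing a user to open it, which may lead to arbitrary command execution on the system with the privileges of the user's process.

When a user clicks a 'ticker' headline in newsticker, the URI supplied with that headline is not adequately filtered for special shell characters. If an attacker supplies a malicious headline, arbitrary shell commands can be executed on the client machine when the user clicks it.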

<*Source: Brian Campbell
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=105111327000755&w=2
         http://marc.theaimsgroup.com/?l=bugtraq&m=105111643906186&w=2
*>

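Recommendation:
Workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Brian Campbell provides the following third-party patch: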

diff -ur gkrellm-newsticker-0.3.orig/newsticker.c gkrellm-newsticker-0.3/newsticker.c
--- gkrellm-newsticker-0.3.orig/newsticker.c Sun Jan 20 21:02:40 2002
+++ gkrellm-newsticker-0.3/newsticker.c Sat Apr 5 09:37:18 2003
@@ -292,7 +292,12 @@
pt = strchr(pt, '>');
pt++;
pt2 = strstr(buf, "</link>");
- nt->link = g_strndup(pt, (pt2 - pt));
+ /* Can't handle multiple lines properly, but at least make some
+ * effort. */
+ if (pt2)
+ nt->link = g_strndup(pt, (pt2 - pt));
+ else
+ nt->link = g_strdup(pt);
flag++;
continue;
}
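
Review bot: The context lines `pt = strchr(pt, '>'); pt++;` above the new `if (pt2)` guard are still unchecked, so a line with no '>' makes strchr return NULL and the following g_strndup/g_strdup reads from an invalid pointer. pt2 is also searched from buf rather than from pt, so a `</link>` that appears before pt gives a negative `(pt2 - pt)`. Suggest testing the strchr result before incrementing and searching with strstr(pt, "</link>").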
@@ -306,10 +311,20 @@
pt = strchr(pt, '>');
pt++;
pt2 = strstr(buf, "</title>");
- if (flag == 2)
- nt->headline = g_strndup(pt, (pt2 - pt));
- else
- nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
+ /* Again, let's not fail completely when the element spans more
+ * than one line. */
+ if (pt2)
+ {
+ if (flag == 2)
+ nt->headline = g_strndup(pt, (pt2 - pt));
+ else
+ nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
+ } else {
+ if (flag == 2)
+ nt->headline = g_strdup(pt);
+ else
+ nt->headline = g_strconcat(nt->headline, " --- ", g_strdup(pt), NULL);
+ }
flag++;
if (flag > (num_headlines+1))
break;
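
Review bot: Both `g_strconcat(nt->headline, " --- ", ...)` calls leak memory: the temporary returned by g_strndup or g_strdup is never freed, and the previous nt->headline is overwritten without being released. The patch copies that pattern into the new else branch. Suggest computing the title fragment once (g_strndup when pt2 is set, g_strdup otherwise), then doing a single `flag == 2` test and freeing the fragment and the old headline after the concatenation. The unchecked `pt = strchr(pt, '>'); pt++;` in the context lines applies here as well.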
@@ -474,10 +489,36 @@
return FALSE;
}

+/* Make a URI suitable for use in a shell command. */
+static gchar *escape_uri(gchar *uri)
+{
+ gchar *cur, *result, *resultcur;
+ int count = 1;
+
+ for (cur = uri; *cur; cur++)
+ count += (*cur == '\'') ? 3 : 1;
+
+ result = g_malloc(count);
+ for (cur = uri, resultcur = result; *cur; cur++)
+ {
+ if (*cur == '\'')
+ {
+ *resultcur++ = '%';
+ *resultcur++ = '2';
+ *resultcur++ = '7';
+ }
+ else
+ *resultcur++ = *cur;
+ }
+ *resultcur = '\0';
+
+ return result;
+}

static gint panel_click_event(GtkWidget *widget, GdkEventButton *ev)
{
gchar *command;
+ gchar *link;
GList *list;
Newsticker *nt;

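
Review bot: escape_uri rewrites only `'` to `%27`, so the comment "Make a URI suitable for use in a shell command" holds only when the configured browser format places its %s inside single quotes. With an unquoted or double-quoted %s, every other shell metacharacter in the link passes through unchanged. Suggest stating that requirement in the comment, or quoting the argument in code so the result does not depend on the user's browser setting. Minor: the parameter is not modified and could be `const gchar *`.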
@@ -490,7 +531,9 @@
{
if ((ev->button == 1) && (strcmp(nt->link, "NULL")))
{
- command = g_strdup_printf(browser, nt->link);
+ link = escape_uri(nt->link);
+ command = g_strdup_printf(browser, link);
+ g_free(link);
command = g_strconcat(command, " &", NULL);
system(command);
g_free(command);
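
Review bot: The call site still formats the link into `browser` and hands the string to system(), so the fix remains dependent on how the browser setting quotes its argument; launching the browser with an argument vector instead of a shell string would remove that dependency. Separately, `command = g_strconcat(command, " &", NULL);` drops the only pointer to the buffer returned by g_strdup_printf, leaking it on every click; keep the first pointer in a temporary and g_free it after the concatenation.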

Vendor patches:

Debian
------
Source archives:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.dsc
      Size/MD5 checksum:      736 48df0aef0622167773057cd7bf0fd17f
    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.diff.gz
      Size/MD5 checksum:     2468 bc17c9c128b8a2550f7812dae9f4b163
    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3.orig.tar.gz
      Size/MD5 checksum:    25849 41a647c4671f6801ed9b3a3de7d414ca

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_alpha.deb
      Size/MD5 checksum:    43506 47726e8c350b581bbf453f5d5c231dbd

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_arm.deb
      Size/MD5 checksum:    37756 addfe4f87f35f0243a83b0e5e9286646

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_i386.deb
      Size/MD5 checksum:    36030 48cc15c0da005d6b53757dfcee318dd0

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_ia64.deb
      Size/MD5 checksum:    47160 f195d6caee4c186ed2ee6921eb454daa

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_hppa.deb
      Size/MD5 checksum:    43974 5140d9e63e1647ff314c0c4044ddd4d3

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_m68k.deb
      Size/MD5 checksum:    42164 3a2f0b85e3c7d6ee741c121f719c33ad

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mips.deb
      Size/MD5 checksum:    36786 84ba4b61bd0c3c32459829a27ed1b010

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mipsel.deb
      Size/MD5 checksum:    35532 ead6c8290f38890b11188406c990180d

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_powerpc.deb
      Size/MD5 checksum:    41210 cb1ee388ea55ce2d4e5e7d7f2af1cf52

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_s390.deb
      Size/MD5 checksum:    42644 1c1bc26dcf280c12df5785c6ba6afe24

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_sparc.deb
      Size/MD5 checksum:    39512 4a731f1d3ff438ab0d8b2fd3852a45a0

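Patch installation:

1. Install the patch package manually:

  First, download the patch package with the following command:
  # wget url  (url is the download link of the patch)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch package automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade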

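This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.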