Xine Filename Handling Remote Format String Vulnerability

Vulnerability ID: 1110177    Vulnerability type: Format string
Published: 2006-05-01    Updated: 2006-11-24
CVE ID: CVE-2006-2230    CNNVD-ID: CNNVD-200605-110
Platform: Linux    CVSS score: 5.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/27791
https://www.securityfocus.com/bid/17769
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-110
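|Vulnerability Details
Xine is a program for playing VCD/DVD media on Linux systems. Xine contains a format string vulnerability in its handling of specially crafted filenames: a remote attacker can achieve arbitrary code execution by tricking a user into opening a malicious filename that contains format specifiers.

Vulnerable code, in src/xitk/main.c:

    /* (filename or mrl) */
    case XINE_MSG_FILE_NOT_FOUND:
      snprintf(buffer, sizeof(buffer), "%s",
               _("The specified file or mrl is not \
found. Please check it twice."));
      if (data->explanation)
        sprintf(buffer, "%s (%s)", buffer, (char *) data + data->parameters);
      break;

|Exploit (EXP)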
source: http://www.securityfocus.com/bid/17769/info

The xine package is susceptible to a remote format-string vulnerability. 

This issue arises when the application handles specially crafted filenames. An attacker can exploit this vulnerability by crafting a malicious filename that contains format specifiers and then coercing unsuspecting users to try to execute the affected application with the malicious filename as an argument.

A successful attack may crash the application or lead to arbitrary code execution. 

Version 0.99.4 of xine is vulnerable to this issue; other versions may also be affected.

The following command is sufficient to demonstrate this issue:
xine %p-%p.mp3

This will result in a file-not-found dialog being displayed. The dialog will report that the file that was not found has a name similar to '0x811ac8e-0xbe1fdabc.mp3'
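
A hardened version of the message-building pattern quoted from src/xitk/main.c, as an added example that is not xine's code or its actual fix. It assumes the assembled buffer later reaches a printf-style dialog function as the format argument (the excerpt does not show that call); show_error, build_not_found and report_not_found are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Message text taken from the excerpt on this page. */
#define NOT_FOUND_MSG "The specified file or mrl is not found. Please check it twice."

/* Hypothetical stand-in for a printf-style dialog call: formats into
 * `out` the way an error box taking (fmt, ...) would render its text. */
static int show_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Build "message (explanation)" by appending at the end of the buffer with
 * a bounded snprintf, instead of sprintf(buffer, "%s (%s)", buffer, ...),
 * which is unbounded and passes the destination as its own source. */
static void build_not_found(char *buf, size_t buflen, const char *explanation)
{
    int n = snprintf(buf, buflen, "%s", NOT_FOUND_MSG);
    if (explanation && n >= 0 && (size_t)n < buflen)
        snprintf(buf + n, buflen - (size_t)n, " (%s)", explanation);
}

/* The assembled text is only ever an argument to the constant "%s" format.
 * The unsafe form would be show_error(out, outlen, buffer), where any
 * conversion specifier in the filename is interpreted. */
int report_not_found(char *out, size_t outlen, const char *filename)
{
    char buffer[256];
    build_not_found(buffer, sizeof(buffer), filename);
    return show_error(out, outlen, "%s", buffer);
}

int main(void)
{
    char shown[512];
    report_not_found(shown, sizeof(shown), "%p-%p.mp3"); /* name from the page */
    puts(shown);
    return 0;
}
```

With this structure the dialog shows the literal name %p-%p.mp3 rather than pointer values, and an over-long filename is truncated to the buffer size instead of overflowing it.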
|Affected Products
xine xine-ui 0.99.4
xine xine-ui 0.99.3
xine xine-ui 0.99.2
xine xine-ui 0.99.1
+ xine xine 0.9.13
+ xine xine 0.
|References

Source: BID
Name: 17769
Link: http://www.securityfocus.com/bid/17769
Source: BUGTRAQ
Name: 20060429 XINE format string bugs when handling non existen file
Link: http://www.securityfocus.com/archive/1/archive/1/432598/100/0/threaded
Source: DEBIAN
Name: DSA-1093
Link: http://www.debian.org/security/2006/dsa-1093
Source: XF
Name: xine-mainc-format-string(26216)
Link: http://xforce.iss.net/xforce/xfdb/26216