MythControlServer sendToMythTV() Function Malformed Command Handling Buffer Overflow Vulnerability

Vulnerability ID: 1192291    Vulnerability type: Buffer overflow
Published: 2006-12-31    Updated: 2007-01-04
CVE ID: CVE-2006-6860    CNNVD-ID: CNNVD-200612-666
Platform: N/A    CVSS score: 10.0
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2007010012
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-666
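|Vulnerability Details
MythControlServer is a program used together with the MythControl remote control software. MythControlServer has a buffer overflow vulnerability when handling malformed, overly long client requests; a remote attacker may exploit it to execute arbitrary commands on the server. The sendToMythTV() function of MythControlServer has a stack overflow when processing overly long client commands; a remote attacker may trigger the overflow and execute malicious instructions by sending more than 256 bytes of data.
|Exploit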
Synopsis:  MythControl (MythTV remote control) arbitrary code execution
Product:   MythControl
Version:   <=1.0

Product:
=======

MythControl makes out of your Windows Mobile 5 Smartphone the 
best remote control ever for MythTV (or similar Media Center Products). 
It uses Bluetooth to communicate with your MythTV box and has a 
flexible, customizable user interface.
 
MythControlServer is a small server application for use with MythControl remote clients.
It uses the Bluez RFCOMM interface to listen for client connections and forwards the received
commands to either MythFrontend or shell.

Issue:
======

A critical security vulnerability has been found in the product. It is
possible to execute arbitrary code.

Details:
========
In sendToMythTV the command that is to be sent might overflow
the sendStr string.

Affected Versions
=================

MythControl <= 1.0

Solution
=========

The sent command must be small enough to fit in the prepared 
buffer to send.

Exploitation
============

Exploitation might be conducted by using an overflowed command
variable value.

Kind regards,

Michal Bucko - sapheal
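
The length check that the Details and Solution sections call for, as an added example in C that is not MythControlServer's own code. The 256-byte buffer size (taken from the description), the newline framing, the helper names and the sink callback are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: 256 is the threshold from the description, not the real sendStr size. */
#define SEND_STR_SIZE 256
enum { CMD_TOO_LONG = -1, CMD_BAD_ARG = -2 };

/* Unsafe pattern, for contrast: char sendStr[256]; sprintf(sendStr, "%s\n", cmd); */

/* Hypothetical helper: frame cmd as "<cmd>\n" (assumed framing) in out.
 * cmd_len is the byte count from the socket read, so cmd need not be
 * NUL-terminated. Oversized input is rejected, never truncated. */
static int build_send_str(char *out, size_t out_size,
                          const char *cmd, size_t cmd_len)
{
    if (out == NULL || cmd == NULL || out_size < 2)
        return CMD_BAD_ARG;
    out[0] = '\0';                        /* leave no stale data on error */
    if (cmd_len > out_size - 2)           /* need room for '\n' and '\0' */
        return CMD_TOO_LONG;
    if (cmd_len == 0 || memchr(cmd, '\0', cmd_len) != NULL)
        return CMD_BAD_ARG;               /* empty, or embedded NUL */
    memcpy(out, cmd, cmd_len);
    out[cmd_len] = '\n';
    out[cmd_len + 1] = '\0';
    return (int)(cmd_len + 1);            /* framed length, without '\0' */
}

/* Constructed sink standing in for the write to MythFrontend. */
static size_t forwarded_bytes;
static int demo_sink(const char *buf, size_t len)
{ (void)buf; forwarded_bytes = len; return 0; }

/* Hardened stand-in for sendToMythTV(): the fixed stack buffer stays, but
 * nothing is forwarded unless the whole command fits. */
static int send_to_mythtv_checked(const char *cmd, size_t cmd_len,
                                  int (*sink)(const char *, size_t))
{
    char sendStr[SEND_STR_SIZE];
    int n = build_send_str(sendStr, sizeof sendStr, cmd, cmd_len);
    return n < 0 ? n : sink(sendStr, (size_t)n);
}

int main(void)
{
    char big[300];                        /* constructed oversized command */
    memset(big, 'A', sizeof big);
    return send_to_mythtv_checked(big, sizeof big, demo_sink) == CMD_TOO_LONG ? 0 : 1;
}
```

The longest command accepted is 254 bytes, which leaves room for the terminator pair inside the 256-byte buffer; anything longer is dropped before it reaches the sink.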
|References

Source: BID
Name: 21839
Link: http://www.securityfocus.com/bid/21839
Source: BUGTRAQ
Name: 20061230 MythControl (MythTV remote control) arbitrary code execution
Link: http://www.securityfocus.com/archive/1/archive/1/455548/100/0/threaded
Source: SECTRACK
Name: 1017460
Link: http://securitytracker.com/id?1017460
Source: VUPEN
Name: ADV-2007-0024
Link: http://www.frsirt.com/english/advisories/2007/0024
Source: SREASON
Name: 2096
Link: http://securityreason.com/securityalert/2096
Source: SECUNIA
Name: 23607
Link: http://secunia.com/advisories/23607
Source: NSFOCUS
Name: 9755
Link: http://www.nsfocus.net/vulndb/9755