CVE-2003-0205
CVSS 7.5
Published: 2003-05-12 00:00:00
Last revised: 2016-10-17 22:30:37

[Original] gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the ticker title of a URI.


[CNNVD] GKrellM Newsticker remote command execution vulnerability (CNNVD-200305-030)

        
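        gkrellm-newsticker is a plugin for the gkrellm system monitor.
        newsticker does not properly filter shell metacharacters when a 'ticker' title is viewed. A remote attacker can exploit this by constructing a malicious title and enticing the user to access it, which may result in arbitrary commands being executed on the system with the privileges of the user's process.
        When a user clicks a 'ticker' title supplied through a URI in newsticker, the software does not sufficiently filter special shell characters, so an attacker who supplies a malicious title can have arbitrary shell commands executed on the client machine when the user clicks it.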
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

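- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found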

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0205
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0205
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-030
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105111327000755&w=2
(UNKNOWN)  BUGTRAQ  20030423 Security problems in gkrellm-newsticker
http://www.debian.org/security/2003/dsa-294
(VENDOR_ADVISORY)  DEBIAN  DSA-294

- Vulnerability information

GKrellM Newsticker remote command execution vulnerability
High risk  Input validation
2003-05-12 00:00:00 2005-10-20 00:00:00
Remote
        
        

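- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * Brian Campbell provides the following third-party patch: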
        diff -ur gkrellm-newsticker-0.3.orig/newsticker.c gkrellm-newsticker-0.3/newsticker.c
        --- gkrellm-newsticker-0.3.orig/newsticker.c Sun Jan 20 21:02:40 2002
        +++ gkrellm-newsticker-0.3/newsticker.c Sat Apr 5 09:37:18 2003
        @@ -292,7 +292,12 @@
        pt = strchr(pt, '>');
        pt++;
        pt2 = strstr(buf, "");
        - nt->link = g_strndup(pt, (pt2 - pt));
        + /* Can't handle multiple lines properly, but at least make some
        + * effort. */
        + if (pt2)
        + nt->link = g_strndup(pt, (pt2 - pt));
        + else
        + nt->link = g_strdup(pt);
        flag++;
        continue;
        }
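Review bot: In the `if (pt2)` branch, `pt2` is found by searching from `buf` while `pt` has already been advanced past the `>` returned by `strchr`, so a match that lies before `pt` makes `pt2 - pt` negative and `g_strndup` receives a huge length; search from `pt`, or require `pt2 >= pt`. The `strchr(pt, '>')` result in the context lines is also incremented without a NULL check, and the `else` branch copies the rest of the line into `nt->link` unmodified, including any trailing line terminator, which later reaches the shell command, so trim it before storing.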
        @@ -306,10 +311,20 @@
        pt = strchr(pt, '>');
        pt++;
        pt2 = strstr(buf, "");
        - if (flag == 2)
        - nt->headline = g_strndup(pt, (pt2 - pt));
        - else
        - nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
        + /* Again, let's not fail completely when the element spans more
        + * than one line. */
        + if (pt2)
        + {
        + if (flag == 2)
        + nt->headline = g_strndup(pt, (pt2 - pt));
        + else
        + nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
        + } else {
        + if (flag == 2)
        + nt->headline = g_strdup(pt);
        + else
        + nt->headline = g_strconcat(nt->headline, " --- ", g_strdup(pt), NULL);
        + }
        flag++;
        if (flag > (num_headlines+1))
        break;
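Review bot: Both `g_strconcat(nt->headline, " --- ", ..., NULL)` calls leak memory: the temporary returned by `g_strndup` or `g_strdup` is never freed, and the previous `nt->headline` is overwritten without `g_free`. Build the segment once into a local (`g_strndup` when `pt2` is set, `g_strdup` otherwise), concatenate, then free the segment and the old headline; that also removes the four near-identical assignments. The `pt2 - pt` length has the same ordering concern as in the link hunk, since `pt2` is searched from `buf`.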
        @@ -474,10 +489,36 @@
        return FALSE;
        }
        +/* Make a URI suitable for use in a shell command. */
        +static gchar *escape_uri(gchar *uri)
        +{
        + gchar *cur, *result, *resultcur;
        + int count = 1;
        +
        + for (cur = uri; *cur; cur++)
        + count += (*cur == '\'') ? 3 : 1;
        +
        + result = g_malloc(count);
        + for (cur = uri, resultcur = result; *cur; cur++)
        + {
        + if (*cur == '\'')
        + {
        + *resultcur++ = '%';
        + *resultcur++ = '2';
        + *resultcur++ = '7';
        + }
        + else
        + *resultcur++ = *cur;
        + }
        + *resultcur = '\0';
        +
        + return result;
        +}
        static gint panel_click_event(GtkWidget *widget, GdkEventButton *ev)
        {
        gchar *command;
        + gchar *link;
        GList *list;
        Newsticker *nt;
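Review bot: `escape_uri` rewrites only `'` to `%27`, so its comment "Make a URI suitable for use in a shell command" holds only when the `browser` format string places `%s` inside single quotes; with an unquoted or double-quoted `%s`, other shell metacharacters in the feed-supplied link pass through unchanged. Either state that requirement in the comment and enforce it where `browser` is set, or percent-encode every character outside a conservative URI allowlist. The parameter can be `const gchar *uri`, and `count` is better typed as `gsize` to match `g_malloc`.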
        @@ -490,7 +531,9 @@
        {
        if ((ev->button == 1) && (strcmp(nt->link, "NULL")))
        {
        - command = g_strdup_printf(browser, nt->link);
        + link = escape_uri(nt->link);
        + command = g_strdup_printf(browser, link);
        + g_free(link);
        command = g_strconcat(command, " &", NULL);
        system(command);
        g_free(command);
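Review bot: The escaped `link` is still formatted into `browser` and run through `system()`, so the fix depends on how `%s` is quoted in that format string, and `browser` itself is used as a printf format with a single argument. Launching the browser with an argument vector (`fork` plus `execvp`, or GLib's spawn functions) and passing the link as one argument would take the shell out of the path. Separately, `command = g_strconcat(command, " &", NULL)` drops the string returned by `g_strdup_printf` without freeing it.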
        Vendor patches:
        Debian
        ------

- Vulnerability information

13488
GKrellM Newsticker Ticker Title Arbitrary Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-04-23 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

GKrellM Newsticker Command Execution Vulnerability
Input Validation Error 7415
Yes No
2003-04-23 12:00:00 2009-07-11 09:07:00
Discovery of this issue is credited to Brian Campbell.

- Affected program versions

GKrellM Newsticker GKrellM Newsticker 0.3
- GKrellM GKrellM 2.1.9

- Vulnerability discussion

GKrellM Newsticker is prone to a remote command execution vulnerability. The newsticker will launch a browser using a URI supplied by a news feed when the ticker title is clicked by the user. Shell metacharacters will not be sanitized from the URI, which could result in remote command execution in the context of the user running the newsticker software.

- Exploit

There is no exploit required.

- Solution

Debian has released an advisory (DSA 294-1) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.


GKrellM Newsticker GKrellM Newsticker 0.3

- Related references

 

 
