CVE-2006-3178
CVSS5.0
发布时间 :2006-06-22 20:02:00
修订时间 :2011-03-07 21:38:00
NMCOPS    

[原文]Directory traversal vulnerability in extract_chmLib example program in CHM Lib (chmlib) before 0.38 allows remote attackers to overwrite arbitrary files via a CHM archive containing files with a .. (dot dot) in their filename.


[CNNVD]CHM Lib Extract_chmlib 目录遍历漏洞(CNNVD-200606-419)

        CHM Lib (chmlib) 中的extract_chmLib示例程序存在目录遍历漏洞。远程攻击者可以借助包含文件名中带CHM (该参数中包含..)的文件的CHM档案,重写任意文件 。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3178
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3178
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-419
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/18511
(PATCH)  BID  18511
http://secunia.com/advisories/20734
(VENDOR_ADVISORY)  SECUNIA  20734
http://morte.jedrea.com/~jedwin/projects/chmlib/
(PATCH)  CONFIRM  http://morte.jedrea.com/~jedwin/projects/chmlib/
http://xforce.iss.net/xforce/xfdb/27278
(UNKNOWN)  XF  chmlib-extract-directory-traversal(27278)
http://www.vupen.com/english/advisories/2006/2430
(UNKNOWN)  VUPEN  ADV-2006-2430
http://www.osvdb.org/26636
(UNKNOWN)  OSVDB  26636
http://securitytracker.com/id?1016343
(UNKNOWN)  SECTRACK  1016343
http://www.debian.org/security/2006/dsa-1144
(UNKNOWN)  DEBIAN  DSA-1144
http://secunia.com/advisories/21406
(UNKNOWN)  SECUNIA  21406

- 漏洞信息

CHM Lib Extract_chmlib 目录遍历漏洞
中危 路径遍历
2006-06-22 00:00:00 2006-07-21 00:00:00
远程  
        CHM Lib (chmlib) 中的extract_chmLib示例程序存在目录遍历漏洞。远程攻击者可以借助包含文件名中带CHM (该参数中包含..)的文件的CHM档案,重写任意文件 。

- 公告与补丁

        目前厂商已经发布了相关补丁,请到厂商的主页下载:
        CHM Lib CHM Lib 0.35
        Debian chmlib-bin_0.35-6sarge3_alpha.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_alpha.deb
        Debian chmlib-bin_0.35-6sarge3_amd64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_amd64.deb
        Debian chmlib-bin_0.35-6sarge3_arm.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_arm.deb
        Debian chmlib-bin_0.35-6sarge3_hppa.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_hppa.deb
        Debian chmlib-bin_0.35-6sarge3_i386.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_i386.deb
        Debian chmlib-bin_0.35-6sarge3_ia64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_ia64.deb
        Debian chmlib-bin_0.35-6sarge3_m68k.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_m68k.deb
        Debian chmlib-bin_0.35-6sarge3_mips.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_mips.deb
        Debian chmlib-bin_0.35-6sarge3_mipsel.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_mipsel.deb
        Debian chmlib-bin_0.35-6sarge3_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_powerpc.deb
        Debian chmlib-bin_0.35-6sarge3_s390.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_s390.deb
        Debian chmlib-bin_0.35-6sarge3_sparc.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35- 6sarge3_sparc.deb
        Debian chmlib-dev_0.35-6sarge3_alpha.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_alpha.deb
        Debian chmlib-dev_0.35-6sarge3_amd64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_amd64.deb
        Debian chmlib-dev_0.35-6sarge3_arm.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_arm.deb
        Debian chmlib-dev_0.35-6sarge3_hppa.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_hppa.deb
        Debian chmlib-dev_0.35-6sarge3_i386.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_i386.deb
        Debian chmlib-dev_0.35-6sarge3_ia64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_ia64.deb
        Debian chmlib-dev_0.35-6sarge3_m68k.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_m68k.deb
        Debian chmlib-dev_0.35-6sarge3_mips.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_mips.deb
        Debian chmlib-dev_0.35-6sarge3_mipsel.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_mipsel.deb
        Debian chmlib-dev_0.35-6sarge3_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_powerpc.deb
        Debian chmlib-dev_0.35-6sarge3_s390.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_s390.deb
        Debian chmlib-dev_0.35-6sarge3_sparc.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35- 6sarge3_sparc.deb
        Debian chmlib_0.35-6sarge3_alpha.deb
        Debian GNU/Linux 3.1 alias sarge
        http://secur

- 漏洞信息 (F49095)

Debian Linux Security Advisory 1144-1 (PacketStormID:F49095)
2006-08-18 00:00:00
Debian  debian.org
advisory
linux,debian
CVE-2006-3178
[点击下载]

Debian Security Advisory 1144-1 - It was discovered that one of the utilities shipped with chmlib, a library for dealing with Microsoft CHM files, performs insufficient sanitizing of filenames, which might lead to directory traversal.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1144-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
August 7th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : chmlib
Vulnerability  : missing input sanitising
Problem-Type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2006-3178

It was discovered that one of the utilities shipped with chmlib, a
library for dealing with Microsoft CHM files, performs insufficient
sanitising of filenames, which might lead to directory traversal.

For the stable distribution (sarge) this problem has been fixed in
version 0.35-6sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 0.38-1.

We recommend that you upgrade your chmlib-bin package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3.dsc
      Size/MD5 checksum:      604 bf863d9f219b275c0b773861e981a917
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3.diff.gz
      Size/MD5 checksum:    16413 b383820343449d33e4297368568b40bf
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35.orig.tar.gz
      Size/MD5 checksum:   368428 8fa0e692b2606a03fb51589f66a82eec

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_alpha.deb
      Size/MD5 checksum:    25796 1892260c61070cfb1c265458150a0ceb
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_alpha.deb
      Size/MD5 checksum:    18782 ec61ba3873d1952af1d1c10b0fe57a4a
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_alpha.deb
      Size/MD5 checksum:    25690 9a5d631b6e977b9c61b731803bbf2d5c

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_amd64.deb
      Size/MD5 checksum:    23868 40d8f17410a02847577fe894c6617e71
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_amd64.deb
      Size/MD5 checksum:    17128 68e0e5e301172ce92648b5cf5efedba2
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_amd64.deb
      Size/MD5 checksum:    22710 931565e32ca29f1a515a3ba48a840d0f

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_arm.deb
      Size/MD5 checksum:    25372 80b7881428f5668208a5ecc06d778f3b
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_arm.deb
      Size/MD5 checksum:    16192 7644e42e9130da35ad344e8504f85e5f
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_arm.deb
      Size/MD5 checksum:    24128 a9ed0802965ea57ffc2683aad90277b8

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_i386.deb
      Size/MD5 checksum:    25026 e567d12fc2dfcaae17973e2a2da40007
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_i386.deb
      Size/MD5 checksum:    16300 d885e6db52cc52a626186869f2e0731b
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_i386.deb
      Size/MD5 checksum:    23030 748d269bb7b3d2ebddc4a459e6136573

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_ia64.deb
      Size/MD5 checksum:    28624 8b8baeec6cc8d30cd6eea8529a4df375
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_ia64.deb
      Size/MD5 checksum:    19558 c8889fc3a5015d928f0bc8bf3e7a4ba0
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_ia64.deb
      Size/MD5 checksum:    27402 24463e0be69ecc330178701bd268364f

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_hppa.deb
      Size/MD5 checksum:    27870 76c09247988d19755408b16e38f86b5b
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_hppa.deb
      Size/MD5 checksum:    18284 bb3013313e96f7f8d4622aad6de21170
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_hppa.deb
      Size/MD5 checksum:    24338 18e0e89cc8379d2d606a92286843c79f

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_m68k.deb
      Size/MD5 checksum:    23242 ab3b883d382341b152d5c2e0eceab044
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_m68k.deb
      Size/MD5 checksum:    16440 54e7c14b32928eb994943d439d9f5c89
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_m68k.deb
      Size/MD5 checksum:    21782 4c03416905d38baadef72f588d1c4aca

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_mips.deb
      Size/MD5 checksum:    26672 36e6ee842cc10c9f76e574a371e51346
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_mips.deb
      Size/MD5 checksum:    23296 60188443d09b77e0efa7b4e980b0c7f0
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_mips.deb
      Size/MD5 checksum:    25234 a14971f943df4051b55594463016e9dc

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_mipsel.deb
      Size/MD5 checksum:    26694 226831a74cf9df7f38a19e1b06e318b7
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_mipsel.deb
      Size/MD5 checksum:    23310 ec018fec09ff44beceb8ac9d7780af5e
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_mipsel.deb
      Size/MD5 checksum:    25218 84e07e66e7f4b816336aa383be318b4f

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_powerpc.deb
      Size/MD5 checksum:    27482 369986825b64b261a961c3ab0588fd71
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_powerpc.deb
      Size/MD5 checksum:    22196 ef565ae91a142079e571a156a96f7f73
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_powerpc.deb
      Size/MD5 checksum:    23712 b1aecf54941743a972afeec9181ab6a2

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_s390.deb
      Size/MD5 checksum:    26718 05081b1ccf0b27ccfb68b840547a9495
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_s390.deb
      Size/MD5 checksum:    17652 23af02d4509dce8542171a498200680b
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_s390.deb
      Size/MD5 checksum:    23592 21f1a9e1ce6eafe1e409bfe0d4b30a5c

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/chmlib/chmlib_0.35-6sarge3_sparc.deb
      Size/MD5 checksum:    24446 b978afe8fa6e453156bd841bb85d9b67
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-bin_0.35-6sarge3_sparc.deb
      Size/MD5 checksum:    16286 364c3168d21b385ca98cb7c626ad7e2f
    http://security.debian.org/pool/updates/main/c/chmlib/chmlib-dev_0.35-6sarge3_sparc.deb
      Size/MD5 checksum:    22474 870c35d6c7d66e2517f95eb7f6413c5e


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE13jFXm3vHE4uyloRAla4AKDaVbxC/+nNU0wdb/cf2YZL11uLyACfXNrs
tv5YO4zmTv7ZL/+honDtdQk=
=0R87
-----END PGP SIGNATURE-----


    

- 漏洞信息

26636
CHM Lib extract_chmLib Traversal Arbitrary File Overwrite
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- 漏洞描述

CHM Lib contains a flaw that allows a remote attacker to extract arbitrary files outside of the web path. The issue is due to the 'extract_chmLib' example program not properly sanitizing user input, specifically directory traversal style attacks (../../).

- 时间线

2006-06-16 Unknow
2006-06-16 Unknow

- 解决方案

Upgrade to version 0.38 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

CHM Lib Extract_chmlib Directory Traversal Vulnerability
Input Validation Error 18511
Yes No
2006-06-12 12:00:00 2006-10-06 08:05:00
Sven Tantau is credited with the discovery of this vulnerability.

- 受影响的程序版本

Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
CHM Lib CHM Lib 0.37
CHM Lib CHM Lib 0.36
CHM Lib CHM Lib 0.35
CHM Lib CHM Lib 0.38

- 不受影响的程序版本

CHM Lib CHM Lib 0.38

- 漏洞讨论

CHM Lib is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to place malicious files and to overwrite files in arbitrary locations on the vulnerable system, in the context of the user running the application. Successful exploits may aid in further attacks.

- 漏洞利用

Attackers may exploit this issue by creating a malicious CHM file that includes files with directory-traversal strings ('../') in the names.

- 解决方案

The vendor has addressed this issue in version 0.38. Please contact the vendor for details on obtaining the appropriate updates.

See the referenced advisories for more information.


CHM Lib CHM Lib 0.35

CHM Lib CHM Lib 0.37

CHM Lib CHM Lib 0.36

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站