CVE-2008-1118 (CNNVD-200803-229)
中文标题:
Motorola Timbuktu Pro 对端消息包文伪造漏洞
英文标题:
Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, does not perform input validation bef...
漏洞描述
中文描述:
Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。 Timbuktu直接从用户所发送的报文中获取了一些包含有对等端信息的字段(计算机名、用户名、IP地址等),并在目标机器的屏幕上显示这些信息,攻击者在受害用户的日志行中伪造对等端信息。 以下是反汇编的漏洞代码: /----------- .text:6063A62E mov edx, [ebp+lp] .text:6063A631 mov eax, [edx+20h] ; Packet field containing filename .text:6063A634 push eax ; EAX is also the output buffer .text:6063A635 call ds:Pascal2C ; Extract filename from packet .text:6063A63B push '\' ; Char to filter in the filename .text:6063A63D mov ecx, [ebp+lp] .text:6063A640 mov edx, [ecx+20h] .text:6063A643 push edx ; Filename obtained in 0x6063A635 .text:6063A644 call _strrchr ; Search for '\' in the filename .text:6063A649 add esp, 8 ; At this point, the pointer to the ; position of the '\' is obtained and ; will be stored in a local variable. .text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer .text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!! .text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if ; '\' was found, so we must ; send '\' and then as much ; "../" as we want :) .text:6063A655 push '/' ; This check won't be done .text:6063A657 mov eax, [ebp+lp] ; because the '\' was found .text:6063A65A mov ecx, [eax+20h] .text:6063A65D push ecx .text:6063A65E call _strrchr .text:6063A663 add esp, 8 .text:6063A666 mov [ebp+pSlashPosition], eax .text:6063A669 loc_6063A669: .text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was ;found so .text:6063A66D jz short loc_6063A68C ; it copies past it's ;position .text:6063A66F push 200h .text:6063A674 mov edx, [ebp+pSlashPosition]; Get the '\' position and move .text:6063A677 add edx, 1 ; forward 1 byte to avoid it .text:6063A67A push edx .text:6063A67B mov eax, [ebp+lp] .text:6063A67E add eax, 4B0h .text:6063A683 push eax .text:6063A684 call ds:lstrcpynA ; From know on, the filename .text:6063A68A jmp short loc_6063A6A ; contains something like ; ../a.exe :) . . . . . - -----------/
英文描述:
Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, does not perform input validation before logging information fields taken from packets from a remote peer, which allows remote attackers to generate crafted log entries, and possibly avoid detection of attacks, via modified (1) computer name, (2) user name, and (3) IP address fields.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| netopia | timbuktu_pro | 8.6.5 | - | - |
cpe:2.3:a:netopia:timbuktu_pro:8.6.5:*:windows:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
cve.org
exploitdb
cve.org
cve.org
CVSS评分详情
AV:N/AC:L/Au:N/C:P/I:P/A:P
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2008-1118 |
2025-11-11 15:17:59 | 2025-11-11 07:32:50 |
| NVD | nvd_CVE-2008-1118 |
2025-11-11 14:52:33 | 2025-11-11 07:41:37 |
| CNNVD | cnnvd_CNNVD-200803-229 |
2025-11-11 15:09:00 | 2025-11-11 07:49:24 |
| EXPLOITDB | exploitdb_EDB-5238 |
2025-11-11 15:05:57 | 2025-11-11 09:02:41 |
版本与语言
安全公告
变更历史
查看详细变更
- references_count: 7 -> 10
- tags_count: 0 -> 5
- data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']
查看详细变更
- vulnerability_type: 未提取 -> 授权问题
- cnnvd_id: 未提取 -> CNNVD-200803-229
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
- cvss_score: 未提取 -> 7.5
- cvss_vector: NOT_EXTRACTED -> AV:N/AC:L/Au:N/C:P/I:P/A:P
- cvss_version: NOT_EXTRACTED -> 2.0
- affected_products_count: 0 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']