
W3M malformed MIME header can cause a buffer overflow


Published: 2001-11-09
Updated: 2001-11-09
Severity:
Threat level: ordinary user access privileges
Error type: input validation error
Exploitation vector: client mode

Affected systems
W3M W3M 0.1.3
W3M W3M 0.1.4
W3M W3M 0.1.6
W3M W3M 0.1.7
W3M W3M 0.1.8
W3M W3M 0.1.9
   - Conectiva Linux 5.0
   - Conectiva Linux 5.1
W3M W3M 0.1.10
   - Conectiva Linux 6.0
W3M W3M 0.2
W3M W3M 0.2.1
   - Conectiva Linux 7.0
Detailed description
W3M is a text-based WWW browser, similar to the lynx text browser.

A buffer overflow exists when the W3M client parses MIME headers. W3M processes the MIME headers contained in the requests/responses of an HTTP session; when W3M receives a base64-encoded MIME header whose encoded length exceeds 34 bytes, the stack can be corrupted.

Test code
MIME header:
    =?AAAAAAAAAAAAAA(50 'A' characters in the header)AAAAAAAA?=

  memory dump:
  0xbffff8a0: 0x41414141 0x41414141 0x41414141 0x41414141
  0xbffff8b0: 0x41414141 0x41414141 0x41414141 0x41414141
  0xbffff8c0: 0x41414141 0x41414141 0x41414141 0x41414141
  0xbffff8d0: 0xbf0a4141 0x080e0000 0x00000001 0x080792c3

  register:
  ESP:          0xbffff8d0
  EIP:          0x41414141

If a web administrator embeds carefully constructed content in a response header, the return address can be overwritten, giving control of EIP and allowing arbitrary code execution.
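The defect described above is a fixed-size stack buffer filled from an attacker-controlled encoded-word without a length check. The following is an added example, not w3m's own code, of how such a copy should be bounded: the 34-byte buffer size (MIME_WORD_MAX) is taken from the limit the advisory reports and is an assumption, as is the function naming; an encoded-word whose payload does not fit is rejected instead of being copied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size, chosen to match the ~34-byte limit the
   advisory reports; w3m's real buffer size is not stated on the page. */
#define MIME_WORD_MAX 34

/* If s starts an RFC 2047 encoded-word "=?...?=", copy the payload between
   "=?" and "?=" into out with bounds checking.
   Returns 1 on success, 0 if s is not an encoded-word, -1 if the payload
   would not fit in out (including the terminating NUL). */
int copy_encoded_word(const char *s, char *out, size_t outsz)
{
    const char *start, *end;
    size_t len;

    if (strncmp(s, "=?", 2) != 0)
        return 0;
    start = s + 2;
    end = strstr(start, "?=");
    if (end == NULL)
        return 0;                 /* unterminated encoded-word */
    len = (size_t)(end - start);
    if (len >= outsz)             /* the unchecked strcpy/memcpy is the bug */
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Mirrors the shape of the vulnerable code path: a MIME_WORD_MAX-byte stack
   buffer receiving a header value. Returns the payload length when the
   header is accepted, -1 when it is rejected. */
int check_mime_header(const char *header)
{
    char buf[MIME_WORD_MAX];
    if (copy_encoded_word(header, buf, sizeof buf) <= 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed inputs: a normal encoded-word and a 50-'A' overlong one. */
    const char *ok = "=?ISO-8859-1?B?SGVsbG8=?=";
    const char *overlong =
        "=?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?=";
    printf("normal: %d, overlong: %d\n",
           check_mime_header(ok), check_mime_header(overlong));
    return 0;
}
```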

Solution
Upgrade the software:

Conectiva Upgrade 5.0 i386 w3m-0.2.1-4U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/w3m-0.2.1-4U50_1cl.i386.rpm

Conectiva Upgrade 5.1 i386 w3m-0.2.1-4U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/w3m-0.2.1-4U51_1cl.i386.rpm

W3M W3M 0.1.10:

Debian Upgrade 2.2 alpha w3m-ssl_0.1.10+0.1.11pre+kokb23-4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_alpha.deb

Debian Upgrade 2.2 arm w3m_0.1.10+0.1.11pre+kokb23-4_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/w3m_0.1.10+0.1.11pre+kokb23-4_arm.deb

Debian Upgrade 2.2 arm w3m-ssl_0.1.10+0.1.11pre+kokb23-4_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_arm.deb

Debian Upgrade 2.2 i386 w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb

Debian Upgrade 2.2 sparc w3m_0.1.10+0.1.11pre+kokb23-4_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/w3m_0.1.10+0.1.11pre+kokb23-4_sparc.deb

Debian Upgrade 2.2 i386 w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb

Debian Upgrade 2.2 sparc w3m-ssl_0.1.10+0.1.11pre+kokb23-4_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_sparc.deb

Debian Upgrade 2.2 alpha w3m_0.1.10+0.1.11pre+kokb23-4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/w3m_0.1.10+0.1.11pre+kokb23-4_alpha.deb

Conectiva Upgrade 6.0 i386 w3m-0.2.1-4U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/w3m-0.2.1-4U60_1cl.i386.rpm

W3M W3M 0.2:
W3M W3M 0.2.1:

Conectiva Upgrade 7.0 i386 w3m-0.2.1-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/w3m-0.2.1-4U70_1cl.i386.rpm

Related information