GKrellM Newsticker远程命令执行漏洞发布时间:2003-04-23 更新时间:2003-04-23 严重程度:高 威胁程度:本地管理员权限 错误类型:输入验证错误 利用方式:服务器模式 BUGTRAQ ID:7415 CVE(CAN) ID:CAN-2003-0205 受影响系统 GKrellM Newsticker GKrellM Newsticker 0.3详细描述 gkrellm-newsticker是gkrellm系统监视程序的插件。 通过点击TICKER标题,gkrellm-newsticker会启动WEB浏览,但是对于URI包含的恶意字符缺少正确过滤,可能导致任意命令在客户端执行。 测试代码 尚无 解决方案 采用如下补丁:
diff -ur gkrellm-newsticker-0.3.orig/newsticker.c gkrellm-newsticker-0.3/newsticker.c
--- gkrellm-newsticker-0.3.orig/newsticker.c Sun Jan 20 21:02:40 2002
+++ gkrellm-newsticker-0.3/newsticker.c Sat Apr 5 09:37:18 2003
@@ -292,7 +292,12 @@
 pt = strchr(pt, '>');
 pt++;
 pt2 = strstr(buf, "</link>");
- nt->link = g_strndup(pt, (pt2 - pt));
+ /* Can't handle multiple lines properly, but at least make some
+ * effort. */
+ if (pt2)
+ nt->link = g_strndup(pt, (pt2 - pt));
+ else
+ nt->link = g_strdup(pt);
 flag++;
 continue;
 }
@@ -306,10 +311,20 @@
 pt = strchr(pt, '>');
 pt++;
 pt2 = strstr(buf, "</title>");
- if (flag == 2)
- nt->headline = g_strndup(pt, (pt2 - pt));
- else
- nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
+ /* Again, let's not fail completely when the element spans more
+ * than one line. */
+ if (pt2)
+ {
+ if (flag == 2)
+ nt->headline = g_strndup(pt, (pt2 - pt));
+ else
+ nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);
+ } else {
+ if (flag == 2)
+ nt->headline = g_strdup(pt);
+ else
+ nt->headline = g_strconcat(nt->headline, " --- ", g_strdup(pt), NULL);
+ }
 flag++;
 if (flag > (num_headlines+1))
 break;
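Review bot: The strchr result on the hunk's first context line, `pt = strchr(pt, '>');`, is still dereferenced unchecked by the `pt++` that follows it, so a feed line that opens a `<link` element but carries no `>` hands a NULL-derived pointer to the new g_strndup/g_strdup branches; the same two lines recur unchanged in the `</title>` hunk at -306. Guard it the way the commit now guards pt2, `if (!pt) continue;` placed between those two lines — the `continue` on this hunk's trailing context lines shows the code is a loop body. The parsing loop itself starts and ends outside the hunk, so whether skipping the line is the right recovery there should be confirmed against the surrounding code.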
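Review bot: Both new branches carry over the leak of the removed lines: on every headline after the first, `nt->headline = g_strconcat(nt->headline, " --- ", g_strndup(pt, (pt2 - pt)), NULL);` (and its `g_strdup(pt)` twin in the new else-branch) drops the previous nt->headline and the temporary copy without freeing either, and the two four-line branches differ only in how the fragment is cut. Computing the fragment once and freeing both pieces after the concat removes the leak and halves the duplicated code; the two locals below would be declared next to pt/pt2 if the file is kept C89. The enclosing loop starts and ends outside the hunk.
```c
pt2 = strstr(buf, "</title>");
/* The element may continue on the next line; take the rest of this one then. */
gchar *fragment = pt2 ? g_strndup(pt, (pt2 - pt)) : g_strdup(pt);
if (flag == 2)
    nt->headline = fragment;
else
{
    gchar *old_headline = nt->headline;
    nt->headline = g_strconcat(old_headline, " --- ", fragment, NULL);
    g_free(old_headline);
    g_free(fragment);
}
/* … unchanged: flag++ and the num_headlines check … */
```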
@@ -474,10 +489,36 @@
 return FALSE;
 }
+/* Make a URI suitable for use in a shell command. */
+static gchar *escape_uri(gchar *uri)
+{
+ gchar *cur, *result, *resultcur;
+ int count = 1;
+
+ for (cur = uri; *cur; cur++)
+ count += (*cur == '\'') ? 3 : 1;
+
+ result = g_malloc(count);
+ for (cur = uri, resultcur = result; *cur; cur++)
+ {
+ if (*cur == '\'')
+ {
+ *resultcur++ = '%';
+ *resultcur++ = '2';
+ *resultcur++ = '7';
+ }
+ else
+ *resultcur++ = *cur;
+ }
+ *resultcur = '\0';
+
+ return result;
+}
 static gint panel_click_event(GtkWidget *widget, GdkEventButton *ev)
 {
 gchar *command;
+ gchar *link;
 GList *list;
 Newsticker *nt;
@@ -490,7 +531,9 @@
 {
 if ((ev->button == 1) && (strcmp(nt->link, "NULL")))
 {
- command = g_strdup_printf(browser, nt->link);
+ link = escape_uri(nt->link);
+ command = g_strdup_printf(browser, link);
+ g_free(link);
 command = g_strconcat(command, " &", NULL);
 system(command);
 g_free(command);
相关信息 参考:http://www.securityfocus.com/advisories/5315 http://www.securityfocus.com/archive/1/319491 相关主页:https://sourceforge.net/projects/gk-newsticker/ |
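Review bot: The header comment `/* Make a URI suitable for use in a shell command. */` promises more than the body delivers: only `'` is rewritten (to `%27`) and every other byte is copied through, so the result is safe only inside a single-quoted argument, which depends on how the configured `browser` format string quotes its `%s`. State that precondition where the next maintainer will read it: `/* Rewrite ' as %27 so the URI can sit inside a single-quoted shell argument; all other bytes pass through unchanged, so the browser format must wrap %s in single quotes. */`. Two small points on the signature: `uri` is never written through, so it should be `const gchar *uri`, and `count` sizes a g_malloc and would be better as `gsize` than `int`.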
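Review bot: The new `link = escape_uri(nt->link);` is a mitigation rather than a removal of the shell: whatever escape_uri leaves untouched still reaches `system(command)` on the hunk's trailing context lines, and the fix holds only while the `browser` format single-quotes its argument. If the plugin builds against GLib 2, replacing `command = g_strconcat(command, " &", NULL); system(command);` with `g_spawn_command_line_async(command, NULL);` starts the browser without /bin/sh, makes the ` &` unnecessary, and removes the reassignment that leaks the first `command`. Independently, `g_strdup_printf(browser, link)` uses the configured string as a printf format; if `browser` is user-editable it should be checked to contain exactly one `%s` and no other conversions before this call.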