微慑信息网

CVE-2008-1118-漏洞详情

CVE-2008-1118
CVSS 7.5
发布时间 :2008-03-14 16:44:00
修订时间 :2008-09-05 00:00:00
NMCOP    

[原文]Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, does not perform input validation before logging information fields taken from packets from a remote peer, which allows remote attackers to generate crafted log entries, and possibly avoid detection of attacks, via modified (1) computer name, (2) user name, and (3) IP address fields.


[CNNVD]Motorola Timbuktu Pro 对端消息包文伪造漏洞(CNNVD-200803-229)

        Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。


        Timbuktu直接从用户所发送的报文中获取了一些包含有对等端信息的字段(计算机名、用户名、IP地址等),并在目标机器的屏幕上显示这些信息,攻击者在受害用户的日志行中伪造对等端信息。


        以下是反汇编的漏洞代码:


        /———–


        .text:6063A62E mov edx, [ebp+lp]


        .text:6063A631 mov eax, [edx+20h] ; Packet field containing filename


        .text:6063A634 push eax ; EAX is also the output buffer


        .text:6063A635 call ds:Pascal2C ; Extract filename from packet


        .text:6063A63B push '\' ; Char to filter in the filename


        .text:6063A63D mov ecx, [ebp+lp]


        .text:6063A640 mov edx, [ecx+20h]


        .text:6063A643 push edx ; Filename obtained in 0x6063A635


        .text:6063A644 call _strrchr ; Search for '\' in the filename


        .text:6063A649 add esp, 8 ; At this point, the pointer to the


         ; position of the '\' is obtained and


         ; will be stored in a local variable.


        .text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer


        .text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!!


        .text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if


         ; '\' was found, so we must


         ; send '\' and then as much


         ; “../” as we want 🙂


        .text:6063A655 push '/' ; This check won't be done


        .text:6063A657 mov eax, [ebp+lp] ; because the '\' was found


        .text:6063A65A mov ecx, [eax+20h]


        .text:6063A65D push ecx


        .text:6063A65E call _strrchr


        .text:6063A663 add esp, 8


        .text:6063A666 mov [ebp+pSlashPosition], eax


        .text:6063A669 loc_6063A669:


        .text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was


         ;found so


        .text:6063A66D jz short loc_6063A68C ; it


        copies past it's ;position


        .text:6063A66F push 200h


        .text:6063A674 mov edx, [ebp+pSlashPosition]; Get the '\' position


        and move


        .text:6063A677 add edx, 1 ; forward 1 byte to avoid it


        .text:6063A67A push edx


        .text:6063A67B mov eax, [ebp+lp]


        .text:6063A67E add eax, 4B0h


        .text:6063A683 push eax


        .text:6063A684 call ds:lstrcpynA ; From know on, the filename


        .text:6063A68A jmp short loc_6063A6A ; contains something like


         ; ../a.exe 🙂


        . . . . .


        – ———–/


        


CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]


CWE (弱点类目)

CWE-20 [输入验证不恰当]


CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用


OVAL (用于检测的技术细节)

未找到相关OVAL定义


官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1118

(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1118

(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200803-229

(官方数据源) CNNVD


其它链接及资源

http://xforce.iss.net/xforce/xfdb/41330


(UNKNOWN)  XF  timbuktu-log-security-bypass(41330)
http://www.securityfocus.com/bid/28081


(UNKNOWN)  BID  28081
http://www.securityfocus.com/archive/1/archive/1/489414/100/0/threaded


(UNKNOWN)  BUGTRAQ  20080311 CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection
http://www.milw0rm.com/exploits/5238


(UNKNOWN)  MILW0RM  5238
http://www.coresecurity.com/?action=item&id=2166


(UNKNOWN)  MISC  http://www.coresecurity.com/?action=item&id=2166
http://securityreason.com/securityalert/3742


(UNKNOWN)  SREASON  3742
http://secunia.com/advisories/29316


(VENDOR_ADVISORY)  SECUNIA  29316


漏洞信息

Motorola Timbuktu Pro 对端消息包文伪造漏洞
高危 输入验证
2008-03-14 00:00:00 2008-09-05 00:00:00
远程  
        Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。


        Timbuktu直接从用户所发送的报文中获取了一些包含有对等端信息的字段(计算机名、用户名、IP地址等),并在目标机器的屏幕上显示这些信息,攻击者在受害用户的日志行中伪造对等端信息。


        以下是反汇编的漏洞代码:


        /———–


        .text:6063A62E mov edx, [ebp+lp]


        .text:6063A631 mov eax, [edx+20h] ; Packet field containing filename


        .text:6063A634 push eax ; EAX is also the output buffer


        .text:6063A635 call ds:Pascal2C ; Extract filename from packet


        .text:6063A63B push '\' ; Char to filter in the filename


        .text:6063A63D mov ecx, [ebp+lp]


        .text:6063A640 mov edx, [ecx+20h]


        .text:6063A643 push edx ; Filename obtained in 0x6063A635


        .text:6063A644 call _strrchr ; Search for '\' in the filename


        .text:6063A649 add esp, 8 ; At this point, the pointer to the


         ; position of the '\' is obtained and


         ; will be stored in a local variable.


        .text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer


        .text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!!


        .text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if


         ; '\' was found, so we must


         ; send '\' and then as much


         ; “../” as we want 🙂


        .text:6063A655 push '/' ; This check won't be done


        .text:6063A657 mov eax, [ebp+lp] ; because the '\' was found


        .text:6063A65A mov ecx, [eax+20h]


        .text:6063A65D push ecx


        .text:6063A65E call _strrchr


        .text:6063A663 add esp, 8


        .text:6063A666 mov [ebp+pSlashPosition], eax


        .text:6063A669 loc_6063A669:


        .text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was


         ;found so


        .text:6063A66D jz short loc_6063A68C ; it


        copies past it's ;position


        .text:6063A66F push 200h


        .text:6063A674 mov edx, [ebp+pSlashPosition]; Get the '\' position


        and move


        .text:6063A677 add edx, 1 ; forward 1 byte to avoid it


        .text:6063A67A push edx


        .text:6063A67B mov eax, [ebp+lp]


        .text:6063A67E add eax, 4B0h


        .text:6063A683 push eax


        .text:6063A684 call ds:lstrcpynA ; From know on, the filename


        .text:6063A68A jmp short loc_6063A6A ; contains something like


         ; ../a.exe 🙂


        . . . . .


        – ———–/


        


公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:


        http://www.motorola.com/


漏洞信息 (F64510)

Core Security Technologies Advisory 2008.0204 (PacketStormID:F64510)

2008-03-13 00:00:00
Core Security Technologies,Sebastian Muniz  coresecurity.com

exploit,remote,vulnerability

CVE-2008-1117,CVE-2008-1118

[点击下载]

Core Security Technologies Advisory – Timbuktu Pro suffers from remote path traversal and log injection vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs

Timbuktu Pro Remote Path Traversal and Log Injection


*Advisory Information*

Title: Timbuktu Pro Remote Path Traversal and Log Injection
Advisory ID: CORE-2008-0204
Advisory URL: http://www.coresecurity.com/?action=item&id=2166
Date published: 2008-03-11
Date of last update: 2008-03-11
Vendors contacted: Motorola
Release mode: Forced release


*Vulnerability Information*

Class: Remote Path Traversal
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28081 
CVE Name: CVE-2008-1117, CVE-2008-1118 


*Vulnerability Description*

Timbuktu Pro [1] is a desktop-to-desktop remote control software for the
Windows and Macintosh operating systems. The following vulnerabilities
have been identified in Timbuktu Pro:

 1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.

 2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.

 The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'




*Vulnerable Packages*

. Timbuktu Pro 8.6.5 for Windows.
. Timbuktu Pro 8.7 for Mac OS X may also be vulnerable.


*Non-vulnerable Packages*



*Vendor Information, Solutions and Workarounds*

Contact the vendor for fix information.


*Credits*

This vulnerability was discovered and researched by Sebastian Mu    


漏洞信息


43545
Motorola Timbuktu Pro Multiple Field Crafted Log Entry Manipulation

Remote / Network Access

Input Manipulation
Exploit Public Third-party Verified


漏洞描述


时间线


2008-03-10

2008-02-07
2008-03-10 Unknow


解决方案

本文标题:CVE-2008-1118-漏洞详情
本文链接:
(转载请附上本文链接)
http://vulsee.com/archives/vulsee_2019/0713_3332.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » CVE-2008-1118-漏洞详情
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们