| CVE-2008-1118 |
|
发布时间 :2008-03-14 16:44:00 | ||
| 修订时间 :2008-09-05 00:00:00 | ||||
| NMCOP |
[原文]Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, does not perform input validation before logging information fields taken from packets from a remote peer, which allows remote attackers to generate crafted log entries, and possibly avoid detection of attacks, via modified (1) computer name, (2) user name, and (3) IP address fields.
[CNNVD]Motorola Timbuktu Pro 对端消息包文伪造漏洞(CNNVD-200803-229)
Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。
Timbuktu直接从用户所发送的报文中获取了一些包含有对等端信息的字段(计算机名、用户名、IP地址等),并在目标机器的屏幕上显示这些信息,攻击者在受害用户的日志行中伪造对等端信息。
以下是反汇编的漏洞代码:
/———–
.text:6063A62E mov edx, [ebp+lp]
.text:6063A631 mov eax, [edx+20h] ; Packet field containing filename
.text:6063A634 push eax ; EAX is also the output buffer
.text:6063A635 call ds:Pascal2C ; Extract filename from packet
.text:6063A63B push '\' ; Char to filter in the filename
.text:6063A63D mov ecx, [ebp+lp]
.text:6063A640 mov edx, [ecx+20h]
.text:6063A643 push edx ; Filename obtained in 0x6063A635
.text:6063A644 call _strrchr ; Search for '\' in the filename
.text:6063A649 add esp, 8 ; At this point, the pointer to the
; position of the '\' is obtained and
; will be stored in a local variable.
.text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer
.text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!!
.text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if
; '\' was found, so we must
; send '\' and then as much
; “../” as we want 🙂
.text:6063A655 push '/' ; This check won't be done
.text:6063A657 mov eax, [ebp+lp] ; because the '\' was found
.text:6063A65A mov ecx, [eax+20h]
.text:6063A65D push ecx
.text:6063A65E call _strrchr
.text:6063A663 add esp, 8
.text:6063A666 mov [ebp+pSlashPosition], eax
.text:6063A669 loc_6063A669:
.text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was
;found so
.text:6063A66D jz short loc_6063A68C ; it
copies past it's ;position
.text:6063A66F push 200h
.text:6063A674 mov edx, [ebp+pSlashPosition]; Get the '\' position
and move
.text:6063A677 add edx, 1 ; forward 1 byte to avoid it
.text:6063A67A push edx
.text:6063A67B mov eax, [ebp+lp]
.text:6063A67E add eax, 4B0h
.text:6063A683 push eax
.text:6063A684 call ds:lstrcpynA ; From know on, the filename
.text:6063A68A jmp short loc_6063A6A ; contains something like
; ../a.exe 🙂
. . . . .
– ———–/
–
CVSS (基础分值)
| CVSS分值: | 7.5 | [严重(HIGH)] |
| 机密性影响: | PARTIAL | [很可能造成信息泄露] |
| 完整性影响: | PARTIAL | [可能会导致系统文件被修改] |
| 可用性影响: | PARTIAL | [可能会导致性能下降或中断资源访问] |
| 攻击复杂度: | LOW | [漏洞利用没有访问限制 ] |
| 攻击向量: | NETWORK | [攻击者不需要获取内网访问权或本地访问权] |
| 身份认证: | NONE | [漏洞利用无需身份认证] |
–
CWE (弱点类目)
| CWE-20 | [输入验证不恰当] |
–
CPE (受影响的平台与产品)
| 产品及版本信息(CPE)暂不可用 |
–
OVAL (用于检测的技术细节)
| 未找到相关OVAL定义 |
–
官方数据库链接
–
其它链接及资源
|
http://xforce.iss.net/xforce/xfdb/41330 (UNKNOWN) XF timbuktu-log-security-bypass(41330) |
|
http://www.securityfocus.com/bid/28081 (UNKNOWN) BID 28081 |
|
http://www.securityfocus.com/archive/1/archive/1/489414/100/0/threaded (UNKNOWN) BUGTRAQ 20080311 CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection |
|
http://www.milw0rm.com/exploits/5238 (UNKNOWN) MILW0RM 5238 |
|
http://www.coresecurity.com/?action=item&id=2166 (UNKNOWN) MISC http://www.coresecurity.com/?action=item&id=2166 |
|
http://securityreason.com/securityalert/3742 (UNKNOWN) SREASON 3742 |
|
http://secunia.com/advisories/29316 (VENDOR_ADVISORY) SECUNIA 29316 |
–
漏洞信息
| Motorola Timbuktu Pro 对端消息包文伪造漏洞 | |
| 高危 | 输入验证 |
| 2008-03-14 00:00:00 | 2008-09-05 00:00:00 |
| 远程 | |
| Motorola的Timbuktu Pro是一款远程控制软件,允许远程访问计算机桌面。 Timbuktu直接从用户所发送的报文中获取了一些包含有对等端信息的字段(计算机名、用户名、IP地址等),并在目标机器的屏幕上显示这些信息,攻击者在受害用户的日志行中伪造对等端信息。 以下是反汇编的漏洞代码: /———– .text:6063A62E mov edx, [ebp+lp] .text:6063A631 mov eax, [edx+20h] ; Packet field containing filename .text:6063A634 push eax ; EAX is also the output buffer .text:6063A635 call ds:Pascal2C ; Extract filename from packet .text:6063A63B push '\' ; Char to filter in the filename .text:6063A63D mov ecx, [ebp+lp] .text:6063A640 mov edx, [ecx+20h] .text:6063A643 push edx ; Filename obtained in 0x6063A635 .text:6063A644 call _strrchr ; Search for '\' in the filename .text:6063A649 add esp, 8 ; At this point, the pointer to the ; position of the '\' is obtained and ; will be stored in a local variable. .text:6063A64C mov [ebp+pSlashPosition], eax ; Store '\' pointer .text:6063A64F cmp [ebp+pSlashPosition], 0 ; This is the BUG !!!! .text:6063A653 jnz short loc_6063A669 ; It avoids checking '/' if ; '\' was found, so we must ; send '\' and then as much ; “../” as we want 🙂 .text:6063A655 push '/' ; This check won't be done .text:6063A657 mov eax, [ebp+lp] ; because the '\' was found .text:6063A65A mov ecx, [eax+20h] .text:6063A65D push ecx .text:6063A65E call _strrchr .text:6063A663 add esp, 8 .text:6063A666 mov [ebp+pSlashPosition], eax .text:6063A669 loc_6063A669: .text:6063A669 cmp [ebp+pSlashPosition], 0 ; Check if a slash was ;found so .text:6063A66D jz short loc_6063A68C ; it copies past it's ;position .text:6063A66F push 200h .text:6063A674 mov edx, [ebp+pSlashPosition]; Get the '\' position and move .text:6063A677 add edx, 1 ; forward 1 byte to avoid it .text:6063A67A push edx .text:6063A67B mov eax, [ebp+lp] .text:6063A67E add eax, 4B0h .text:6063A683 push eax .text:6063A684 call ds:lstrcpynA ; From know on, the filename .text:6063A68A jmp short loc_6063A6A ; contains something like ; ../a.exe 🙂 . . . . . – ———–/ |
|
–
公告与补丁
|
目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.motorola.com/ |
–
漏洞信息 (F64510)
| Core Security Technologies Advisory 2008.0204 (PacketStormID:F64510) |
2008-03-13 00:00:00 |
| Core Security Technologies,Sebastian Muniz coresecurity.com |
exploit,remote,vulnerability |
CVE-2008-1117,CVE-2008-1118 |
[点击下载] |
|
Core Security Technologies Advisory – Timbuktu Pro suffers from remote path traversal and log injection vulnerabilities. |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
Timbuktu Pro Remote Path Traversal and Log Injection
*Advisory Information*
Title: Timbuktu Pro Remote Path Traversal and Log Injection
Advisory ID: CORE-2008-0204
Advisory URL: http://www.coresecurity.com/?action=item&id=2166
Date published: 2008-03-11
Date of last update: 2008-03-11
Vendors contacted: Motorola
Release mode: Forced release
*Vulnerability Information*
Class: Remote Path Traversal
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28081
CVE Name: CVE-2008-1117, CVE-2008-1118
*Vulnerability Description*
Timbuktu Pro [1] is a desktop-to-desktop remote control software for the
Windows and Macintosh operating systems. The following vulnerabilities
have been identified in Timbuktu Pro:
1) File transfer directory traversal (CVE-2008-1117): The '\' and '/'
are not properly sanitized when checking the destination filename. The
problem resides in the Notes feature implemented by tb2ftp.dll loaded by
the tb2pro.exe. This is the main issue.
2) Log input manipulation (CVE-2008-1118): Several fields of the packet
containing peer information (computer name, user name and IP address)
are taken from the packet sent to the target and used to display this
information on the screen of the target.
The vulnerabilities discovered allow a remote attacker to upload a file
to an arbitrary location on the victim's machine and forge peer
information on the log lines of the victim's application. For example,
an attacker could write an executable in a startup directory of the
victim's machine and wait for the user to restart his/her machine.
Another example is to write a fake system DLL in an existing program
directory, inducing Windows to load this module instead of the real DLL
from 'C:\WINDOWS\system32\'
*Vulnerable Packages*
. Timbuktu Pro 8.6.5 for Windows.
. Timbuktu Pro 8.7 for Mac OS X may also be vulnerable.
*Non-vulnerable Packages*
*Vendor Information, Solutions and Workarounds*
Contact the vendor for fix information.
*Credits*
This vulnerability was discovered and researched by Sebastian Mu
–
漏洞信息
43545 |
|
| Motorola Timbuktu Pro Multiple Field Crafted Log Entry Manipulation | |
Remote / Network Access |
Input Manipulation |
| Exploit Public | Third-party Verified |
–
漏洞描述
–
时间线
2008-03-10 |
2008-02-07 |
| 2008-03-10 | Unknow |
![[八卦] 王婷婷—揭秘一个大三女生的性爱录像-微慑信息网-VulSee.com](http://free.86hy.com/crack/pic/1.jpg)
![[随笔]今天国际警察节-微慑信息网-VulSee.com](http://photo.sohu.com/20041017/Img222528326.jpg)
青云网
