Author: 7all<cis7all_at_msn.cn>
Source: 邪恶八进制信息安全团队 (EvilOctal Security Team, www.eviloctal.com)
Note: this article was first published at www.cciss.cn and was later submitted by the original author to the EvilOctal Security Team.
Links 2.0: Vulnerable libpng Leads to Buffer Overflow
|=---------------=[ Links 2.0 found a Vulnerability ]---------------=|
|=-----------------------------------------------------------------=|
|=---------------=[ 7all<cis7all_at_msn.cn> ]=---------------------=|
|=-----------------------------------------------------------------=|
|=---------------=[ Copyright: www.cciss.cn ]=----------------------=|
--] Introduction
Links 2.0 is built against a version of the libpng library with a known buffer overflow, so rendering a malformed PNG image overflows a buffer inside the browser process.
--] Links官方主页
http://links.twibright.com/
http://tech.groups.yahoo.com/group/links-browser/
--] Links Download
http://links.twibright.com/download/lin … e23.tar.gz
--] Description
Links is a web browser for Unix/Linux. It supports text-mode browsing through the ncurses library. Its feature set is adequate; it is a good choice when working from a BSD shell, and it can download a given file in the same way wget does.
--] Vulnerability Description
Yesterday I found this vulnerability while analysing PNG images. libpng had a series of vulnerabilities published back in 2004, which I did not pay attention to at the time. The vulnerability exists in libpng <= 1.2.10, and versions <= 1.2.10 also contain some other vulnerabilities.
I debugged this vulnerability with Links 2.0 on FreeBSD 4.7. I have had no time to test the latest Links release, so anyone who is interested is welcome to take it and debug that themselves.
Because a vulnerability like this is so simple, I originally had no intention of publishing it. Today it occurred to me that it might help people who want to learn about overflows and vulnerability hunting, so I have packaged the .core file for download and testing; I hope it is of some help.
I was genuinely excited when I found it yesterday, because a great deal of software uses libpng. After a few dozen minutes of debugging to confirm the bug, I went to Google to see whether it had already been published. Sadly, these libpng vulnerabilities had already been published in 2004, which shows how important it is to read the vulnerability announcements every day :)
--] Debugging
Note: load the links ELF binary together with links.core in gdb.
Alternatively, set a breakpoint in gdb and then browse the PNG file to trigger the vulnerability, so that you can trace it dynamically.
links.core can be downloaded from the download area of this page.
# gdb /usr/local/bin/links links.core
... (gdb loads the binary and the core file and prints its startup messages) ...
(gdb) bt
#0 0x8066af9 in png_read_end()
#1 0x3177 in ??()
#2 0x80af95b in png_read_end()
#3 0x80af548 in png_read_end()
#4 0x80add3e in png_read_end()
...
#14 0x804b8e5 in png_read_end()
/*
use x/20x $esp to look at the stack
use i reg or i reg $register to look at the registers
*/
Two things to keep in mind when reading this trace. Every frame is labelled png_read_end() because the binary has been stripped: gdb names each address after the nearest preceding exported symbol, so these function names are not reliable and the real crashing function must be found by address. Frame #1 at 0x3177 is a return address in low, unmapped memory rather than in the program text, which is what a clobbered saved return address on the stack looks like, and is consistent with a stack-based overflow.
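The post does not say which chunk handler overflows, and the trace above comes from a stripped binary, so the following added example (mine, not code from the post, from Links or from libpng) shows the general shape of the bug class in a PNG chunk parser: a 32-bit chunk length taken from the file drives a copy into a fixed-size table, beside a hardened walker that validates the length and CRC first. The handler names, the 1x1 paletted sample image and the buffer sizes are constructed for the illustration; PNG_UINT_31_MAX mirrors the 2^31-1 chunk-length limit of the PNG specification, but the functions are hypothetical and not libpng's.

```c
/* Constructed example: a PNG chunk walker that applies the checks a chunk
 * handler needs before trusting the length field, beside the unchecked copy
 * pattern that overflows.  Illustration only; not libpng or Links source. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_UINT_31_MAX 0x7fffffffUL  /* PNG/libpng limit on a chunk length */
#define PALETTE_MAX     256           /* size of a fixed palette-sized table */

static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* CRC-32 over chunk type + data as the PNG spec requires (bitwise, no table). */
static uint32_t crc32_png(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffUL;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c & 1) ? 0xedb88320UL ^ (c >> 1) : c >> 1;
    }
    return c ^ 0xffffffffUL;
}

/* The bug class in its plainest shape: the length read from the file drives a
 * memcpy into a fixed-size stack array.  Defined for comparison only; the
 * walker below never calls it.  Calling it with length 1000 is the kind of
 * stack smash that leaves a core file like the one described in the post. */
void handle_trns_unchecked(const uint8_t *data, uint32_t length) {
    uint8_t trans[PALETTE_MAX];
    memcpy(trans, data, length);  /* length > 256 writes past trans[] */
    (void)trans;
}

/* Hardened form: refuse the chunk before touching the fixed buffer. */
int handle_trns_checked(const uint8_t *data, uint32_t length, uint8_t out[PALETTE_MAX]) {
    if (length > PALETTE_MAX) return -1;
    memcpy(out, data, length);
    return (int)length;
}

/* Walk the chunks.  Returns the number of chunks accepted up to IEND, or:
 * -1 bad signature, -2 chunk runs past the end (or no IEND), -3 length above
 * 2^31-1, -4 CRC mismatch, -5 tRNS larger than the fixed table. */
int walk_png(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    int accepted = 0;
    for (size_t off = 8; off + 12 <= len; ) {          /* length + type + CRC */
        uint32_t length = be32(buf + off);
        if (length > PNG_UINT_31_MAX) return -3;       /* checked before any arithmetic */
        if (length > len - off - 12) return -2;        /* data would run past the buffer */
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (be32(data + length) != crc32_png(type, length + 4)) return -4;
        if (memcmp(type, "tRNS", 4) == 0) {
            uint8_t table[PALETTE_MAX];
            if (handle_trns_checked(data, length, table) < 0) return -5;
        }
        accepted++;
        if (memcmp(type, "IEND", 4) == 0) return accepted;
        off += 12 + (size_t)length;
    }
    return -2;
}

/* Append one chunk (length, type, data, CRC); returns the new write offset. */
static size_t put_chunk(uint8_t *out, size_t off, const char *type,
                        const uint8_t *data, uint32_t length) {
    uint8_t *p = out + off;
    put_be32(p, length);
    memcpy(p + 4, type, 4);
    if (length) memcpy(p + 8, data, length);
    put_be32(p + 8 + length, crc32_png(p + 4, length + 4));
    return off + 12 + length;
}

/* Constructed 1x1 paletted image (not a file from the post); trns_len (max
 * 1024) sets the tRNS payload size, so values above 256 model an oversized chunk. */
static size_t build_sample(uint8_t *out, uint32_t trns_len) {
    static const uint8_t ihdr[13] = { 0,0,0,1, 0,0,0,1, 8, 3, 0, 0, 0 };
    static const uint8_t plte[3]  = { 0, 0, 0 };
    uint8_t trns[1024];
    memset(trns, 0xff, sizeof trns);
    memcpy(out, png_sig, 8);
    size_t off = put_chunk(out, 8, "IHDR", ihdr, 13);
    off = put_chunk(out, off, "PLTE", plte, 3);
    off = put_chunk(out, off, "tRNS", trns, trns_len);
    return put_chunk(out, off, "IEND", NULL, 0);
}

/* Build a sample and walk it; flip_crc corrupts IEND's CRC, drop_tail
 * truncates the file, huge_len patches the first length field to 0xffffffff. */
int run_sample(uint32_t trns_len, int flip_crc, size_t drop_tail, int huge_len) {
    uint8_t buf[2048];
    size_t n = build_sample(buf, trns_len);
    if (flip_crc) buf[n - 1] ^= 0x01;
    if (huge_len) put_be32(buf + 8, 0xffffffffUL);
    if (drop_tail < n) n -= drop_tail;
    return walk_png(buf, n);
}

int main(void) {
    printf("1-byte tRNS: %d chunks\n", run_sample(1, 0, 0, 0));
    printf("1000-byte tRNS: %d (refused)\n", run_sample(1000, 0, 0, 0));
    printf("bad CRC: %d  truncated: %d  huge length: %d\n",
           run_sample(1, 1, 0, 0), run_sample(1, 0, 5, 0), run_sample(1, 0, 0, 1));
    return 0;
}
```

The order of the checks in walk_png matters: the 31-bit limit is applied before the length takes part in any pointer or size arithmetic, the remaining-bytes check rejects a chunk that would read past the buffer, and only a chunk whose CRC verifies reaches a handler, which still has to enforce its own fixed-table bound because a well-formed chunk can legitimately be larger than the table.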
---------------------English version-----------------------
/*
My English is very poor, but I hope cciss (cis) can become
internationalised.
These days I have been studying English very hard, yet I am old :)))
*/
==www.cciss.cn.==
==bbs.cciss.cn.==
Links 2.0: Vulnerable libpng Leads to Buffer Overflow
|=---------------=[ Links 2.0 found a Vulnerability ]---------------=|
|=-----------------------------------------------------------------=|
|=---------------=[ 7all<cis7all_at_msn.cn> ]=---------------------=|
|=-----------------------------------------------------------------=|
|=---------------=[ Copyright: www.cciss.cn ]=----------------------=|
--] Intro
Links 2.0 libpng buffer overflow.
--] Links HomePage
http://links.twibright.com/
http://tech.groups.yahoo.com/group/links-browser/
--] Links Download
http://links.twibright.com/download/lin … e23.tar.gz
--] Description
Lynx-like text and graphics WWW browser. Links is a text-mode WWW
browser with an ncurses interface, supporting colours, correct table
rendering, background downloading, a menu-driven configuration interface
and slim code.
--] Vulnerable
Yesterday I found this vulnerability while analysing PNG images.
This vulnerability is caused by libpng. libpng <= 1.2.10 has this
vulnerability and some other vulnerabilities.
I found this vulnerability in Links 2.0 (FreeBSD 4.7). I had no time to dig
into the newest Links version; if you are interested in this vulnerability, you
can dig into the newest version.
I did not want to release this vulnerability, because it is very
simple :) but I think it could help someone.
--] Debug
Note: use gdb with the links.core file; you can download the links.core
file from the download area of this web page :-)
# gdb /usr/local/bin/links links.core
... (gdb loads the binary and the core file and prints its startup messages) ...
(gdb) bt
#0 0x8066af9 in png_read_end()
#1 0x3177 in ??()
#2 0x80af95b in png_read_end()
#3 0x80af548 in png_read_end()
#4 0x80add3e in png_read_end()
...
#14 0x804b8e5 in png_read_end()
/*
use x/20x $esp to look at the stack
use i reg or i reg $register to look at the registers
*/
-----
Download:
http://www.cciss.cn/uploadFiles/linksbug.rar