openMotif-libUil-Multiple_vulnerability
Source: www.xfocus.net  Author: xfocus  Published: 2005-12-05

Title: [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version: openmotif 2.2.3 (we did not have 2.2.4, so it was not
tested against openmotif 2.2.4)
Product: http://www.motifzone.net/
bugtraq id: 15678

xfocus (http://www.xfocus.org) has discovered multiple vulnerabilities in
the openmotif libUil library. Details follow:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
    void diag_issue_diagnostic
        ( int d_message_number, src_source_record_type *az_src_rec,
          int l_start_column, ...)

    {
        va_list ap;                 /* ptr to variable length parameter */
        int severity;               /* severity of message */
        int message_number;         /* message number */
        char msg_buffer[132];       /* buffer to construct message */
        char ptr_buffer[buf_size];  /* buffer to construct pointer */
        char loc_buffer[132];       /* buffer to construct location */
        char src_buffer[buf_size];  /* buffer to hold source line */
        ......
        va_start(ap, l_start_column);

    #ifndef NO_MESSAGE_CATALOG
        /* [1.1] */
        vsprintf( msg_buffer,
                  catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
                          diag_rz_msg_table[ message_number].ac_text),
                  ap );
    #else
        /* [1.2] */
        vsprintf( msg_buffer,
                  diag_rz_msg_table[ message_number ].ac_text,
                  ap );
    #endif
        va_end(ap);

[1.1][1.2] The calls to vsprintf will overflow the buffer if ap carries
user-supplied data, so a local or remote application that uses this
library may allow execution of arbitrary code.

2: libUil.so open_source_file buffer overflow

Clients/uil/UilSrcSrc.c

    status
    open_source_file( XmConst char *c_file_name,
                      uil_fcb_type *az_fcb,
                      src_source_buffer_type *az_source_buffer )
    {

        static unsigned short main_dir_len = 0;
        boolean main_file;
        int i;              /* loop index through include files */
        char buffer[256];


        /* place the file name in the expanded_name buffer */

        /* [2.1] */
        strcpy(buffer, c_file_name);

        /* Determine if this is the main file or an include file. */

        main_file = (main_fcb == NULL);

[2.1] As above: strcpy copies c_file_name into buffer without checking
its length.
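
A bounded form of the copies flagged at [1.1]/[1.2] and [2.1], as an added example that is not part of the advisory or of the openMotif source. The helper names format_diag_bounded and copy_file_name_bounded are hypothetical; the buffer sizes are the ones shown in the excerpts above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_LEN  132   /* size of msg_buffer in diag_issue_diagnostic() */
#define NAME_BUF_LEN 256   /* size of buffer in open_source_file() */

/* Hypothetical helper: bounded replacement for the vsprintf() calls at
 * [1.1]/[1.2]. Returns 0 if the message fit, -1 if it was truncated or
 * formatting failed. dst is always NUL-terminated when dstlen > 0. */
static int format_diag_bounded(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dstlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);   /* never writes past dstlen */
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    return ((size_t)n >= dstlen) ? -1 : 0;
}

/* Hypothetical helper: bounded replacement for the strcpy() at [2.1].
 * Rejects an over-long name instead of silently truncating it, so the
 * caller never opens a different file than the one requested. */
static int copy_file_name_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);

    if (len >= dstlen)
        return -1;              /* caller should report "name too long" */
    memcpy(dst, src, len + 1);  /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    char msg[MSG_BUF_LEN], name[NAME_BUF_LEN], longarg[400];
    memset(longarg, 'A', sizeof longarg - 1);   /* constructed input */
    longarg[sizeof longarg - 1] = '\0';
    printf("diag: %d\n", format_diag_bounded(msg, sizeof msg, "bad name %s", longarg));
    printf("name: %d\n", copy_file_name_bounded(name, sizeof name, longarg));
    return 0;
}
```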

--EOF


 