CVE-2005-0160
CVSS 5.1
Published: 2005-02-22 00:00:00
Revised: 2008-09-05 16:45:28

[Original] Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) 2 overflows in ACE archives, (2) a long command line argument, or (3) certain "Ready for next volume" messages.


[CNNVD] Winace UnAce ACE archive multiple remote buffer overflow vulnerabilities (CNNVD-200502-082)

        Winace UnAce is an archiving tool for ACE files.
        Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) two overflows in ACE archives, (2) a long command-line argument, or (3) certain "Ready for next volume" messages.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources is possible]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0160
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0160
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-082
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/215006
(UNKNOWN)  CERT-VN  VU#215006
http://www.novell.com/linux/security/advisories/2005_16_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:016
http://secunia.com/advisories/14359
(VENDOR_ADVISORY)  SECUNIA  14359
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031908.html
(VENDOR_ADVISORY)  FULLDISC  20050222 unace-1.2b multiple buffer overflows and directory traversal bugs
http://www.securityfocus.com/bid/12630
(UNKNOWN)  BID  12630

- Vulnerability information

Winace UnAce ACE archive multiple remote buffer overflow vulnerabilities
Medium severity  Buffer overflow
2005-02-22 00:00:00 2005-10-20 00:00:00
Remote
        Winace UnAce is an archiving tool for ACE files.
        Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) two overflows in ACE archives, (2) a long command-line argument, or (3) certain "Ready for next volume" messages.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to check the vendor's homepage for the latest version:
        http://www.ghisler.com/download.htm

- Vulnerability information (F36372)

Gentoo Linux Security Advisory 200502-32 (PacketStormID:F36372)
2005-03-01 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,gentoo
CVE-2005-0160,CVE-2005-0161

Gentoo Linux Security Advisory GLSA 200502-32 - Ulf Harnhammar discovered that UnAce suffers from buffer overflows when testing, unpacking or listing specially crafted ACE archives. He also found out that UnAce is vulnerable to directory traversal attacks, if an archive contains ./.. sequences or absolute filenames.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200502-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: UnAce: Buffer overflow and directory traversal
            vulnerabilities
      Date: February 28, 2005
      Bugs: #81958
        ID: 200502-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

UnAce is vulnerable to several buffer overflow and directory traversal
attacks.

Background
==========

UnAce is a utility to extract, view and test the contents of an ACE
archive.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  app-arch/unace       <= 1.2b                          *>= 1.2b-r1
     app-arch/unace       >= 2.0                           *>= 1.2b-r1

Description
===========

Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161).

Impact
======

An attacker could exploit the buffer overflows to execute malicious
code or the directory traversals to overwrite arbitrary files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All UnAce users should upgrade to the latest available 1.2 version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/unace-1.2b-r1"

References
==========

  [ 1 ] CAN-2005-0160
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0160
  [ 2 ] CAN-2005-0161
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0161

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200502-32.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


- Vulnerability information (F36286)

unace.txt (PacketStormID:F36286)
2005-02-26 00:00:00

advisory,overflow
CVE-2005-0160,CVE-2005-0161

unace-1.2b is susceptible to multiple buffer overflows and directory traversal bugs.

I have found multiple security vulnerabilities in unace-1.2b. (It is
the last free version. The later versions are just binaries for the
x86 processor, which is unhelpful if you want to use free software or
if your computer has a non-x86 processor.)

There are two buffer overflows when extracting, testing or listing
specially prepared ACE archives. They are caused by wrong usage of
strncpy() with the third parameter coming from the archive. In both
cases, the attacker controls the EIP register.

There are also two buffer overflows when (a) dealing with long (>15600
characters) command line arguments for archive names, and (b) when
preparing a string for printing Ready for next volume messages.

Furthermore, there are directory traversal bugs when extracting ACE
archives. They are both of the absolute ("/etc/nologin") and the relative
("../../../../../../../etc/nologin") type.

All buffer overflows have the identifier CAN-2005-0160, and the directory
traversal bugs have the identifier CAN-2005-0161.

I have attached a ZIP archive containing some test archives and a patch.
I wrote a small Perl script to create the test archives, after having
read ACE.txt. I didn't have the time to create archives that work on
unace-2.x, so I haven't really tested whether later versions of unace
are vulnerable to any of these bugs.

The vendor and the distributors have been contacted, and the 22nd of
February was agreed upon as the release date.

// Ulf H

- Vulnerability information

14058
unace ACE Archive Extraction Multiple Overflows
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-02-22 Unknown
2005-02-22 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Winace UnAce ACE Archive Multiple Remote Buffer Overflow Vulnerabilities
Boundary Condition Error 12630
Yes No
2005-02-23 12:00:00 2007-05-17 09:58:00
Ulf Harnhammar is credited with the discovery of this issue.

- Affected program versions

Winace UnAce 2.5
Winace UnAce 2.2
Winace UnAce 2.1
Winace UnAce 2.0 4
Winace UnAce 2.0
Winace UnAce 1.2 b
Winace UnAce 1.1
Winace UnAce 1.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
Pardus Linux 2007.1
Gentoo Linux
Christian Ghisler Total Commander 0
Christian Ghisler Total Commander 6.54a

- Unaffected program versions

Christian Ghisler Total Commander 6.54a

- Vulnerability discussion

Multiple remotely exploitable client-side buffer-overflow vulnerabilities reportedly affect WinAce unace. These issues are due to the application's failure to properly validate the length of user-supplied strings before copying them into static process buffers.

An attacker may exploit these issues to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

**Update: Versions 2.x of unace are reportedly affected by one of these issues as well. The vulnerability has been confirmed in 2.04, 2.2, and 2.5.
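The Full-Disclosure post above attributes the archive-triggered overflows to strncpy() being called with a length taken from the archive, and the directory traversal to entry names that are absolute or contain "..". Both reduce to input checks an extractor must make before touching the file system. The following C is an added example and is not unace's code or anything from this page: the entry-header layout ([1-byte name_len][name bytes]), the 256-byte name buffer and the function names are assumptions made for illustration only.

```c
/* Added example (not code from unace or this page): the two checks an
 * archive extractor needs against the defects described above.
 * The entry-header layout ([1-byte name_len][name bytes]) and the
 * 256-byte name buffer are hypothetical, chosen for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* hypothetical fixed-size destination for entry names */

/* Copy an archive-supplied name into a fixed buffer.  The length comes from
 * the archive, so it is attacker-controlled; passing it straight to strncpy()
 * as the bound is the defect the advisory describes.  Here the bound is the
 * destination size, and an over-long name is refused rather than silently
 * truncated, so the caller can reject the whole entry. */
bool copy_entry_name(char *dst, size_t dst_size,
                     const uint8_t *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0) return false;
    if (src_len >= dst_size) {      /* no room for the terminating NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';            /* strncpy() would not guarantee this */
    return true;
}

/* Reject names that would escape the extraction directory: absolute paths
 * ("/etc/nologin"), Windows drive or UNC forms, and any ".." component
 * ("../../etc/nologin", "docs/../../x").  A longer component that merely
 * starts with "..", such as "..config", is an ordinary name and is allowed. */
bool is_safe_extract_path(const char *name)
{
    if (name == NULL || name[0] == '\0') return false;
    if (name[0] == '/' || name[0] == '\\') return false;   /* absolute / UNC */
    if (name[1] == ':') return false;                       /* C:... */
    for (const char *p = name; *p != '\0'; ) {
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\') end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.') return false;
        p = (*end == '\0') ? end : end + 1;
    }
    return true;
}

/* Parse one hypothetical entry header and return the accepted name length,
 * or -1 if the header is truncated, the name is too long for the buffer,
 * or the name would traverse outside the extraction directory. */
int parse_entry(const uint8_t *hdr, size_t hdr_size,
                char *name_out, size_t name_out_size)
{
    if (hdr == NULL || hdr_size < 1) return -1;
    size_t name_len = hdr[0];
    if (name_len > hdr_size - 1) return -1;   /* length field exceeds data present */
    if (!copy_entry_name(name_out, name_out_size, hdr + 1, name_len)) return -1;
    if (!is_safe_extract_path(name_out)) return -1;
    return (int)name_len;
}

/* Constructed sample headers (not taken from any real ACE archive). */
const uint8_t HDR_OK[]        = { 15, 'd','o','c','s','/','r','e','a','d','m','e','.','t','x','t' };
const uint8_t HDR_ABSOLUTE[]  = { 12, '/','e','t','c','/','n','o','l','o','g','i','n' };
const uint8_t HDR_TRAVERSAL[] = { 4, '.','.','/','x' };
const uint8_t HDR_TRUNCATED[] = { 200, 'a', 'b' };   /* claims 200 bytes, carries 2 */

/* Convenience wrapper: parse a header into a scratch name buffer. */
int parse_sample(const uint8_t *hdr, size_t hdr_size)
{
    char name[NAME_BUF];
    return parse_entry(hdr, hdr_size, name, sizeof name);
}

/* Convenience wrapper: try to copy a C string into a buffer of dst_size
 * bytes (capped at 64) and report 1 if accepted, 0 if refused. */
int try_copy(const char *s, size_t dst_size)
{
    char buf[64];
    if (dst_size > sizeof buf) dst_size = sizeof buf;
    return copy_entry_name(buf, dst_size, (const uint8_t *)s, strlen(s)) ? 1 : 0;
}

int main(void)
{
    printf("ok entry       -> %d\n", parse_sample(HDR_OK, sizeof HDR_OK));
    printf("absolute path  -> %d\n", parse_sample(HDR_ABSOLUTE, sizeof HDR_ABSOLUTE));
    printf("traversal      -> %d\n", parse_sample(HDR_TRAVERSAL, sizeof HDR_TRAVERSAL));
    printf("truncated hdr  -> %d\n", parse_sample(HDR_TRUNCATED, sizeof HDR_TRUNCATED));
    return 0;
}
```

The length check is done against the destination size rather than the archive's own field, and an over-long name is rejected instead of truncated, so a malformed header cannot overrun the buffer. The path check walks components rather than searching for the substring "..", so legitimate names such as "..config" pass while "a/../b" and absolute or drive-letter paths are refused before extraction.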

- Exploit

The following proof-of-concept examples have been made available. The referenced ZIP file contains two ACE format archives designed to test for the vulnerability. Note that Symantec has not verified the included ACE files.

- Solution

Please see the referenced vendor advisories for more information.

Total Commander contains the affected RAR library. A new version has been released to address various issues. The latest version of Total Commander can be downloaded from:
http://www.ghisler.com/download.htm

- Related references
