CVE-2005-0161
CVSS2.1
Published: 2005-02-22 00:00:00
Last revised: 2008-09-05 16:45:29

[Original] Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames.


[CNNVD] Winace UnAce ACE Archive Remote Directory Traversal Vulnerability (CNNVD-200502-084)

        Winace UnAce is an archiving tool for ACE files.
        Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0161
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0161
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-084
(official data source) CNNVD

- Other links and resources

http://www.novell.com/linux/security/advisories/2005_16_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:016
http://secunia.com/advisories/14359
(VENDOR_ADVISORY)  SECUNIA  14359
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031908.html
(VENDOR_ADVISORY)  FULLDISC  20050222 unace-1.2b multiple buffer overflows and directory traversal bugs
http://www.securityfocus.com/bid/12628
(UNKNOWN)  BID  12628

- Vulnerability information

Winace UnAce ACE Archive Remote Directory Traversal Vulnerability
Low severity  Path traversal
2005-02-22 00:00:00 2005-10-20 00:00:00
Remote
        Winace UnAce is an archiving tool for ACE files.
        Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames.

- Advisories and patches

        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
        http://www.ghisler.com/download.htm

- Vulnerability information (F36372)

Gentoo Linux Security Advisory 200502-32 (PacketStormID:F36372)
2005-03-01 00:00:00
Gentoo  security.gentoo.org
advisory,overflow
linux,gentoo
CVE-2005-0160,CVE-2005-0161

Gentoo Linux Security Advisory GLSA 200502-32 - Ulf Harnhammar discovered that UnAce suffers from buffer overflows when testing, unpacking or listing specially crafted ACE archives. He also found out that UnAce is vulnerable to directory traversal attacks, if an archive contains ./.. sequences or absolute filenames.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200502-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: UnAce: Buffer overflow and directory traversal
            vulnerabilities
      Date: February 28, 2005
      Bugs: #81958
        ID: 200502-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

UnAce is vulnerable to several buffer overflow and directory traversal
attacks.

Background
==========

UnAce is a utility to extract, view and test the contents of an ACE
archive.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  app-arch/unace       <= 1.2b                          *>= 1.2b-r1
     app-arch/unace       >= 2.0                           *>= 1.2b-r1

Description
===========

Ulf Harnhammar discovered that UnAce suffers from buffer overflows when
testing, unpacking or listing specially crafted ACE archives
(CAN-2005-0160). He also found out that UnAce is vulnerable to
directory traversal attacks, if an archive contains "./.." sequences or
absolute filenames (CAN-2005-0161).

Impact
======

An attacker could exploit the buffer overflows to execute malicious
code or the directory traversals to overwrite arbitrary files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All UnAce users should upgrade to the latest available 1.2 version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/unace-1.2b-r1"

References
==========

  [ 1 ] CAN-2005-0160
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0160
  [ 2 ] CAN-2005-0161
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0161

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200502-32.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


- Vulnerability information (F36286)

unace.txt (PacketStormID:F36286)
2005-02-26 00:00:00
advisory,overflow
CVE-2005-0160,CVE-2005-0161

unace-1.2b is susceptible to multiple buffer overflows and directory traversal bugs.

I have found multiple security vulnerabilities in unace-1.2b. (It is
the last free version. The later versions are just binaries for the
x86 processor, which is unhelpful if you want to use free software or
if your computer has a non-x86 processor.)

There are two buffer overflows when extracting, testing or listing
specially prepared ACE archives. They are caused by wrong usage of
strncpy() with the third parameter coming from the archive. In both
cases, the attacker controls the EIP register.

There are also two buffer overflows when (a) dealing with long (>15600
characters) command line arguments for archive names, and (b) when
preparing a string for printing Ready for next volume messages.

Furthermore, there are directory traversal bugs when extracting ACE
archives. They are both of the absolute ("/etc/nologin") and the relative
("../../../../../../../etc/nologin") type.

All buffer overflows have the identifier CAN-2005-0160, and the directory
traversal bugs have the identifier CAN-2005-0161.

I have attached a ZIP archive containing some test archives and a patch.
I wrote a small Perl script to create the test archives, after having
read ACE.txt. I didn't have the time to create archives that work on
unace-2.x, so I haven't really tested whether later versions of unace
are vulnerable to any of these bugs.

The vendor and the distributors have been contacted, and the 22nd of
February was agreed upon as the release date.

// Ulf H

- Vulnerability information

14060
unace ACE Archive Extraction Traversal
Local / Remote Input Manipulation
Loss of Integrity
Exploit Public Coordinated Disclosure

- Vulnerability description

unace contains a flaw that allows a local or remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g. ../../) or absolute paths supplied via the filenames in ACE archives. This directory traversal attack would allow the attacker to create files in arbitrary directories on the system.

- Timeline

2005-02-22 Unknown
2005-02-22 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this vulnerability for unace. Upgrade to avast! Home/Professional Edition version 4.6.691 or higher, avast! Server Edition version 4.6.489 or higher, or avast! Managed Client version 4.6.394 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Winace UnAce ACE Archive Remote Directory Traversal Vulnerability
Input Validation Error 12628
Yes No
2005-02-23 12:00:00 2007-05-17 09:58:00
Ulf Harnhammar is credited with the discovery of this issue.

- Affected program versions

Winace UnAce 1.2 b
Winace UnAce 1.1
Winace UnAce 1.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
Pardus Linux 2007.1
Gentoo Linux
Christian Ghisler Total Commander 0
Christian Ghisler Total Commander 6.54a

- Unaffected program versions

Christian Ghisler Total Commander 6.54a

- Vulnerability discussion

A remotely exploitable client-side directory-traversal vulnerability affects Winace unace. The application fails to properly sanitize file and directory names contained within malicious ACE format archives.

An attacker may leverage this issue by distributing malicious ACE archives to unsuspecting users. This issue will allow an attacker to write files to arbitrary locations on the filesystem with the privileges of an unsuspecting user that extracts the malicious ACE archive.
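The root cause described in the OSVDB entry and the discussion above is that entry names read from the archive are used directly to build output paths. Below is an added example, not code from unace or from any of the advisories, of the containment check an extractor should apply to every entry name before writing: it rejects absolute names and names that normalise to a location outside the destination directory, so "./.." and "a/../.." variants are caught, not only a literal "../" prefix. The sample entry names and the destination directory are constructed test inputs; the function names `safe_extract_path` and `check_members` are this example's own.

```python
import os
import posixpath

# Constructed sample entry names of the kinds an extractor reads from archive
# headers. They are test inputs for this example, not taken from any real file.
SAMPLE_MEMBERS = [
    "docs/readme.txt",                     # ordinary relative name: safe
    "./docs/../docs/notes.txt",            # normalises to a path inside the target: safe
    "../../../../../../../etc/nologin",    # relative traversal: reject
    "/etc/nologin",                        # absolute path: reject
    "docs/./../../escape.txt",             # "./.." sequence that escapes the target: reject
    "docs//double/slash.txt",              # redundant separators: safe after normalisation
]


class UnsafeMemberName(ValueError):
    """Raised when an archive entry name would resolve outside the destination."""


def safe_extract_path(dest_dir: str, member_name: str) -> str:
    """Return the absolute path at which member_name may be written under
    dest_dir, or raise UnsafeMemberName if the name is absolute or escapes
    dest_dir after normalisation and symlink resolution."""
    # Archive entry names are POSIX-style; a backslash is treated as a
    # separator here as a conservative assumption, since rejecting more
    # names is the safe direction for an extractor.
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name):
        raise UnsafeMemberName(f"absolute path in archive entry: {member_name!r}")

    # Collapse ".", "..", and repeated separators before looking at the result,
    # so "./../x" and "a/../../x" are handled the same way as "../x".
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise UnsafeMemberName(f"traversal in archive entry: {member_name!r}")

    # Final containment check on the resolved paths: this also catches an
    # escape through a symlinked subdirectory created by an earlier entry.
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *norm.split("/")))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeMemberName(f"entry resolves outside destination: {member_name!r}")
    return target


def check_members(dest_dir: str, names) -> dict:
    """Map each entry name to True (safe to extract) or False (rejected)."""
    result = {}
    for name in names:
        try:
            safe_extract_path(dest_dir, name)
            result[name] = True
        except UnsafeMemberName:
            result[name] = False
    return result


if __name__ == "__main__":
    # Constructed destination; nothing is written, only paths are checked.
    for name, ok in check_members("/tmp/unace-demo", SAMPLE_MEMBERS).items():
        print(f"{'OK    ' if ok else 'REJECT'} {name}")
```

An extractor that calls `safe_extract_path` for every entry before opening the output file, and that creates directories only under the returned path, cannot be steered outside the destination by either form of name the advisories describe.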

- Exploit

No exploit is required to leverage this issue. The following proof-of-concept examples have been made available. The referenced ZIP file contains two ACE format archives designed to test for the vulnerability. Note that Symantec has not verified the included ACE files.

- Solution

Please see the referenced vendor advisories for more information.

Total Commander contains the affected RAR library. A new version has been released to address various issues. The latest version of Total Commander can be downloaded from:
http://www.ghisler.com/download.htm

- References
