CVE-2005-0644
CVSS7.5
Published: 2005-05-02 00:00:00
Revised: 2008-09-05 16:46:54
NMCS    

[Original] Buffer overflow in McAfee Scan Engine 4320 with DAT version before 4436 allows remote attackers to execute arbitrary code via a malformed LHA file with a type 2 header file name field, a variant of CVE-2005-0643.


[CNNVD] LHA buffer overflow / directory traversal vulnerability (CNNVD-200505-001)

LHa contains two buffer overflows and two directory traversal issues. A remote attacker can exploit them to execute arbitrary commands on the system with the privileges of the process, or to damage the system.
The buffer overflows occur during the test (t) or extract (x) operations: when an over-long file name or directory name is parsed, the get_header() function overflows a buffer. A carefully constructed file name or directory name can execute arbitrary commands with the privileges of the process.
In addition, relative paths are not protected at all: an archive containing a path such as "../../../../../etc/cron.d/evil" can simply be created with LHA. Absolute paths are protected, but that protection can be bypassed with a path of the form "//etc/cron.d/evil". An attacker can construct a simple archive that damages system files when LHA processes it.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0644
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0644
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-001
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/361180
(VENDOR_ADVISORY)  CERT-VN  VU#361180
http://xforce.iss.net/xforce/alerts/id/190
(VENDOR_ADVISORY)  ISS  20050317 McAfee AntiVirus Library Stack Overflow
http://www.securityfocus.com/bid/12832
(UNKNOWN)  BID  12832
http://www.securityfocus.com/bid/10243
(UNKNOWN)  BID  10243
http://securitytracker.com/id?1013463
(UNKNOWN)  SECTRACK  1013463
http://secunia.com/advisories/14628
(UNKNOWN)  SECUNIA  14628
http://images.mcafee.com/misc/McAfee_Security_Bulletin_05-march-17.pdf
(VENDOR_ADVISORY)  CONFIRM  http://images.mcafee.com/misc/McAfee_Security_Bulletin_05-march-17.pdf

- Vulnerability information

LHA buffer overflow / directory traversal vulnerability
High risk  Buffer overflow
2005-05-02 00:00:00 2006-08-16 00:00:00
Remote
LHa contains two buffer overflows and two directory traversal issues. A remote attacker can exploit them to execute arbitrary commands on the system with the privileges of the process, or to damage the system.
The buffer overflows occur during the test (t) or extract (x) operations: when an over-long file name or directory name is parsed, the get_header() function overflows a buffer. A carefully constructed file name or directory name can execute arbitrary commands with the privileges of the process.
In addition, relative paths are not protected at all: an archive containing a path such as "../../../../../etc/cron.d/evil" can simply be created with LHA. Absolute paths are protected, but that protection can be bypassed with a path of the form "//etc/cron.d/evil". An attacker can construct a simple archive that damages system files when LHA processes it.

- Advisories and patches

No data available

- Vulnerability information

McAfee Antivirus Library LHA Archive Handler Stack Based Buffer Overflow Vulnerability
Boundary Condition Error 12832
Yes No
2005-03-17 12:00:00 2009-07-12 10:56:00
Discovery of this vulnerability is credited to Alex Wheeler of ISS X-Force.

- Affected program versions

McAfee WebShield SMTP 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee WebShield for Solaris 4.0
McAfee Webshield Appliances
McAfee Webshield 3000 4.3.20
McAfee VirusScan Professional
McAfee VirusScan for NetApp
McAfee VirusScan Enterprise 8.0 i
McAfee VirusScan Enterprise 7.1
McAfee VirusScan Command Line
McAfee VirusScan 9.0
McAfee VirusScan 8.0
McAfee VirusScan 7.1
McAfee VirusScan 7.0
McAfee VirusScan 6.0
McAfee VirusScan 5.0
McAfee VirusScan 4.5.1
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
McAfee VirusScan 4.5
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee VirusScan 4.0.3
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
McAfee VirusScan 4.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
McAfee VirusScan 3.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
McAfee VirusScan 2.0
McAfee VirusScan 1.0
McAfee Virex
McAfee SecurityShield for Microsoft ISA Server
McAfee PortalShield for Microsoft SharePoint
McAfee NetShield for Netware
McAfee Managed VirusScan
McAfee LinuxShield
McAfee Internet Security Suite
McAfee GroupShield for Mail Servers with ePO
McAfee GroupShield for Lotus Domino
McAfee GroupShield for Exchange 6.0
McAfee GroupShield for Exchange 5.5
McAfee ASaP VirusScan 0
McAfee Active VirusScan SMB Edition
McAfee Active VirusScan
+ McAfee Internet Security Suite 2005
+ McAfee Internet Security Suite
McAfee Active Virus Defense SMB Edition
McAfee Active Virus Defense
McAfee Active Threat Protection
McAfee Active Mail Protection

- Vulnerability discussion

McAfee Antivirus Library is reported prone to a buffer overflow vulnerability. The issue is reported to exist in the LHA archive parser. The affected library does not perform sufficient bounds checking on LHA type two header file name fields before copying the data into a finite process buffer.

Although unclear, it is reported that the LHA archive must be especially malformed and conform to an alternate non-archive file format in order to trigger the vulnerability.

A remote attacker may exploit this vulnerability to execute arbitrary code with SYSTEM privileges on a computer that is running the affected software.
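The C fragment below is an added example, not code from LHa, McAfee or this advisory. It shows the check the discussion above says is missing (the declared length of the type 0x01 file-name record is bounded against the fixed destination buffer before the copy) together with the path validation the CNNVD description says LHa lacked (absolute paths, including the "//" form, and ".." components are rejected). The extension-record layout in the comment (a 2-byte little-endian size, then records of [type][payload][next size], size 0 ending the chain) and the caller-supplied buffer are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Reject absolute paths (covers "//") and any ".." component. */
bool lha_path_is_safe(const char *name) {
    const char *p = name;
    if (*p == '\0' || *p == '/') return false;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg == 2 && p[0] == '.' && p[1] == '.') return false;
        if (!end) break;
        p = end + 1;
    }
    return true;
}

/* Walk the level-2 extension chain at ext. Assumed layout: a 2-byte
 * little-endian size, then records of [type][payload][next size], the
 * size counting all three parts; 0 ends the chain; type 0x01 = name.
 * Returns true only if a well-formed, safe name was copied into out. */
bool lha_read_filename(const uint8_t *ext, size_t ext_len,
                       char *out, size_t out_len) {
    bool have_name = false;
    if (ext_len < 2 || out_len == 0) return false;
    size_t size = ext[0] | ((size_t)ext[1] << 8), pos = 2;
    while (size != 0) {
        if (size < 3 || size > ext_len - pos) return false;  /* truncated */
        const uint8_t *payload = ext + pos + 1;
        size_t payload_len = size - 3;
        if (ext[pos] == 0x01) {
            /* The bound the vulnerable copy lacked: declared size vs. buffer. */
            if (payload_len >= out_len) return false;
            if (memchr(payload, '\0', payload_len)) return false;
            memcpy(out, payload, payload_len);
            out[payload_len] = '\0';
            if (!lha_path_is_safe(out)) return false;
            have_name = true;
        }
        pos += size;
        size = ext[pos - 2] | ((size_t)ext[pos - 1] << 8);
    }
    return have_name;
}
```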

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The vendor has released an updated scan engine in a DAT file to affected customers. It is reported that customers running the 4320 engine and DAT version prior to 4436 are prone to this issue; these customers are advised to contact the vendor for further information regarding obtaining and applying appropriate updates.

- Related references
