CVE-2005-0770
CVSS 7.5
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:14:14

[Original] Format string vulnerability in DataRescue Interactive Disassembler and Debugger (IDA) Pro 4.7.0.830 allows remote attackers or local users to cause a denial of service (CPU consumption or application crash) and possibly execute arbitrary code via format string specifiers in a dynamic link library (DLL) name.


[CNNVD] DataRescue IDA Pro Dynamic Link Library Remote Format String Handling Vulnerability (CNNVD-200505-047)

        IDA Pro Disassembler and Debugger is an interactive, programmable, extensible multi-processor disassembler and debugger for Windows or Linux.
        A remote, client-side format string vulnerability may affect DataRescue IDA Pro. The vulnerability is caused by the application failing to securely implement a formatted printing function. It is triggered when the IDA Debugger attempts to write information about a loaded dynamic link library (that is, when a LOAD_DLL_DEBUG_EVENT/UNLOAD_DLL_DEBUG_EVENT occurs).
        Sample code:
         -- snip --
         call a
         db "KERNEL32.DLL",0
         a:
         call LoadLibraryA
         int 3
         -- snip --
        The code above should return the KERNEL32.DLL library handle in the EAX register. IDA Debugger displays EAX as: "EAX=77E60000 -> kernel32.dll:77E60000" (general registers window). However, if the name of the loaded library contains format specifiers, the vulnerability is triggered. The vulnerable code is as follows:
         (disassembly of ida.wll)
         .text:012563F8 mov esi, [ebp+arg_0]
         .text:012563FB push [ebp+arg_C]
         .text:012563FE push dword_12A27C4
         .text:01256404 push 0
         .text:01256406 push ebx ; format string
         .text:01256407 lea eax, [ebp+arg_0]
         .text:0125640A push eax
         .text:0125640B push offset sub_12562C0
         .text:01256410 call sub_011D1C78 ; parser
        EBX contains the attacker-supplied specifiers.
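        The defect class above (a module name reaching a formatting function as the format rather than as an argument) and its fix can be shown in a few lines of C. This is an added illustration, not IDA's code: the function names, the annotation layout "EAX=<base> -> <name>:<base>", and the sample module names are assumptions constructed for the example. It shows the hardened builder that treats the name strictly as data, a check that flags names carrying conversion directives, and an escaping helper for the case where the only available output API takes a format string.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not IDA's code. The vulnerable pattern described on the
   page is the equivalent of  snprintf(out, n, name);  with `name` taken
   from the loaded module. Everything below keeps the name as data. */

/* Returns 1 if `s` contains a printf conversion directive (a '%' that is
   not the literal escape "%%"), 0 otherwise. A cheap detection check to
   apply to module names before they reach any formatting layer. */
int name_has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Copies `in` to `out`, doubling every '%' so the result is inert even if
   it must be handed to an API whose only parameter is a format string.
   Returns 0 on success, -1 if `out` (size n) would be truncated. */
int escape_percent(const char *in, char *out, size_t n)
{
    size_t j = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (j + need >= n)      /* keep room for the terminator */
            return -1;
        out[j++] = *in;
        if (*in == '%')
            out[j++] = '%';
    }
    out[j] = '\0';
    return 0;
}

/* Hardened builder for an annotation such as
   "EAX=77E60000 -> kernel32.dll:77E60000": the module name is passed as a
   %s argument, never as the format. Returns snprintf's result. */
int describe_module_safe(char *out, size_t n, unsigned long base,
                         const char *name)
{
    return snprintf(out, n, "EAX=%08lX -> %s:%08lX", base, name, base);
}

int main(void)
{
    /* Constructed sample names: one benign, one carrying directives. */
    const char *benign = "kernel32.dll";
    const char *hostile = "%x%x%n.dll";
    char buf[128], esc[128];

    describe_module_safe(buf, sizeof buf, 0x77E60000UL, benign);
    printf("%s\n", buf);
    describe_module_safe(buf, sizeof buf, 0x77E60000UL, hostile);
    printf("%s  (directives are printed literally)\n", buf);

    printf("flagged as containing directives: %d\n",
           name_has_format_directive(hostile));
    if (escape_percent(hostile, esc, sizeof esc) == 0)
        printf("escaped for a format-only API: %s\n", esc);
    return 0;
}
```

        Passing the name through "%s" is the complete fix; the directive check is only useful as a logging or alerting signal, and the escaping helper is for code that cannot avoid a format-only sink. Compiling with -Wformat-security makes the original non-literal-format pattern visible at build time.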

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0770
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0770
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-047
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111100269512216&w=2
(UNKNOWN)  BUGTRAQ  20050316 ADVISORY: DataRescue Interactive Disassembler Pro Debugger Format String Vulnerability
http://pb.specialised.info/all/adv/ida-debugger-adv.txt
(UNKNOWN)  MISC  http://pb.specialised.info/all/adv/ida-debugger-adv.txt
http://www.datarescue.com/cgi-local/ultimatebb.cgi?ubb=get_topic;f=2;t=000155;p=0
(UNKNOWN)  CONFIRM  http://www.datarescue.com/cgi-local/ultimatebb.cgi?ubb=get_topic;f=2;t=000155;p=0

- Vulnerability information

DataRescue IDA Pro Dynamic Link Library Remote Format String Handling Vulnerability
High risk  Format string
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; the patch can be obtained from:
        http://www.datarescue.com/idabase/

- Vulnerability information

14831
IDA Pro Debugger Format String Code Execution
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-16 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.8 or higher, as it has been reported to fix this vulnerability. In addition, DataRescue has released a patch for some older versions.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

DataRescue IDA Pro Dynamically Linked Library Remote Format String Vulnerability
Input Validation Error 12819
Yes No
2005-03-16 12:00:00 2009-07-12 10:56:00
Piotr Bania <bania.piotr@gmail.com> is credited with the discovery of this issue.

- Affected software versions

DataRescue IDA Pro 4.7.0.830

- Vulnerability discussion

A remote, client-side format string vulnerability affects DataRescue IDA Pro. This issue is due to a failure of the application to securely implement a formatted printing function.

An attacker may leverage this issue to execute arbitrary code with the privileges of an unsuspecting user that executed the vulnerable application.

- Exploit

It has been reported that a proof of concept exploit has been created to exploit this issue; however, it has not been made publicly available. This BID will be updated when new information is made available.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related references


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's related websites