CVE-2005-4667
CVSS3.7
Published: 2005-12-31 00:00:00
Revised: 2015-01-09 21:59:21

[Original] Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command-line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.


[CNNVD] Info-ZIP UnZip Filename Buffer Overflow Vulnerability (CNNVD-200512-812)

        A buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command-line argument.

- CVSS (base score)

CVSS score: 3.7 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:info-zip:unzip:5.42
cpe:/a:info-zip:unzip:5.40
cpe:/a:info-zip:unzip:5.50
cpe:/a:info-zip:unzip:5.2
cpe:/a:info-zip:unzip:5.31
cpe:/a:info-zip:unzip:5.32
cpe:/a:info-zip:unzip:5.3
cpe:/a:info-zip:unzip:5.41

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11252  Buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command line argument...
*The OVAL definition describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4667
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-812
(official data source) CNNVD

- Other links and resources

http://www.ubuntulinux.org/support/documentation/usn/usn-248-2
(PATCH)  UBUNTU  USN-248-2
http://www.ubuntulinux.org/support/documentation/usn/usn-248-1
(PATCH)  UBUNTU  USN-248-1
http://www.trustix.org/errata/2006/0006
(VENDOR_ADVISORY)  TRUSTIX  2006-0006
http://www.securityfocus.com/archive/1/archive/1/430300/100/0/threaded
(PATCH)  FEDORA  FLSA:180159
http://www.debian.org/security/2006/dsa-1012
(VENDOR_ADVISORY)  DEBIAN  DSA-1012
http://www.securityfocus.com/bid/15968
(UNKNOWN)  BID  15968
http://www.redhat.com/support/errata/RHSA-2007-0203.html
(UNKNOWN)  REDHAT  RHSA-2007:0203
http://www.osvdb.org/22400
(UNKNOWN)  OSVDB  22400
http://www.info-zip.org/FAQ.html
(UNKNOWN)  CONFIRM  http://www.info-zip.org/FAQ.html
http://secunia.com/advisories/25098
(UNKNOWN)  SECUNIA  25098
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0930.html
(UNKNOWN)  FULLDISC  20051219 Unzip *ALL* verisons ;))
http://www.mandriva.com/security/advisories?name=MDKSA-2006:050
(UNKNOWN)  MANDRIVA  MDKSA-2006:050

- Vulnerability information (CNNVD)

Info-ZIP UnZip Filename Buffer Overflow Vulnerability
Low severity  Buffer overflow
2005-12-31 00:00:00  2007-10-03 00:00:00
Attack type: Remote (as classified in this entry; note that the CVSS vector above rates the access vector LOCAL, and the overflow is triggered through a command-line argument)
        A buffer overflow in UnZip 5.50 and earlier allows user-assisted attackers to execute arbitrary code via a long filename command-line argument.

- Advisories and patches

        The vendors have released updated packages that fix this issue; they can be obtained from the links below:
        Info-ZIP UnZip 5.50
        Debian unzip_5.50-1woody6_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_alpha.deb
        Debian unzip_5.50-1woody6_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_arm.deb
        Debian unzip_5.50-1woody6_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_hppa.deb
        Debian unzip_5.50-1woody6_i386.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_i386.deb
        Debian unzip_5.50-1woody6_ia64.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_ia64.deb
        Debian unzip_5.50-1woody6_m68k.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_m68k.deb
        Debian unzip_5.50-1woody6_mips.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_mips.deb
        Debian unzip_5.50-1woody6_mipsel.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_mipsel.deb
        Debian unzip_5.50-1woody6_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_powerpc.deb
        Debian unzip_5.50-1woody6_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_s390.deb
        Debian unzip_5.50-1woody6_sparc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.50-1woody6_sparc.deb
        Mandrake unzip-5.50-9.3.C30mdk.i586.rpm
        Corporate 3.0:
        http://wwwnew.mandriva.com/en/downloads/
        Mandrake unzip-5.50-9.3.C30mdk.x86_64.rpm
        Corporate 3.0:
        http://wwwnew.mandriva.com/en/downloads/
        Mandrake unzip-5.50-9.3.M20mdk.i586.rpm
        Multi Network Firewall 2.0:
        http://wwwnew.mandriva.com/en/downloads/
        RedHat unzip-5.50-31.1.legacy.i386.rpm
        Red Hat Linux 7.3:
        http://download.fedoralegacy.org/redhat/7.3/updates/i386/unzip-5.50-31.1.legacy.i386.rpm
        RedHat unzip-5.50-33.1.legacy.i386.rpm
        Red Hat Linux 9:
        http://download.fedoralegacy.org/redhat/9/updates/i386/unzip-5.50-33.1.legacy.i386.rpm
        RedHat unzip-5.50-35.1.legacy.i386.rpm
        Fedora Core 1:
        http://download.fedoralegacy.org/fedora/1/updates/i386/unzip-5.50-35.1.legacy.i386.rpm
        RedHat unzip-5.50-37.1.legacy.i386.rpm
        Fedora Core 2:
        http://download.fedoralegacy.org/fedora/2/updates/i386/unzip-5.50-37.1.legacy.i386.rpm
        Info-ZIP UnZip 5.51
        Mandrake unzip-5.51-1.3.102mdk.i586.rpm
        Mandriva Linux 10.2:
        http://wwwnew.mandriva.com/en/downloads/
        Mandrake unzip-5.51-1.3.102mdk.x86_64.rpm
        Mandriva Linux 10.2:
        http://wwwnew.mandriva.com/en/downloads/
        RedHat unzip-5.51-4.fc3.1.legacy.i386.rpm
        Fedora Core 3:
        http://download.fedoralegacy.org/fedora/3/updates/i386/unzip-5.51-4.fc3.1.legacy.i386.rpm
        RedHat unzip-5.51-4.fc3.1.legacy.x86_64.rpm
        Fedora Core 3:
        http://download.fedoralegacy.org/fedora/3/updates/x86_64/unzip-5.51-4.fc3.1.legacy.x86_64.rpm
        Info-ZIP UnZip 5.52
        Debian unzip_5.52-1sarge4_alpha.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge4_alpha.deb
        Debian unzip_5.52-1sarge4_amd64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge4_amd64.deb
        Debian unzip_5.52-1sarge4_arm.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge4_arm.deb
        Debian unzip_5.52-1sarge4_hppa.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/u/unzip/unzip_5.52-1sarge4_hppa.deb
        Debian unzip_5.52-1sarge4_i386.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.deb

- Vulnerability information (OSVDB)

OSVDB ID: 22400
UnZip File Name Processing Overflow
Location: Context Dependent  Attack type: Input Manipulation
Impact: Loss of Integrity  Solution: Upgrade
Exploit: Unknown  Disclosure: Vendor Verified

- Vulnerability description

UnZip contains an overflow condition in the handling of filenames. The issue is triggered as user-supplied input is not properly validated when handling filenames. With a specially crafted request containing an overly long filename, a context-dependent attacker can cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.

- Timeline

2006-01-01 Unknown
Unknown 2005-02-28

- Solution

It has been reported that this issue has been fixed. Upgrade to version 5.52, or higher, to address this vulnerability.

- Vulnerability author (credit)

Unknown or Incomplete

- Vulnerability information (BID)

Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 15968
Remote: Yes  Local: No
Published: 2005-12-19 12:00:00  Updated: 2007-09-19 10:30:00
c0ntex <c0ntexb@gmail.com> disclosed this vulnerability.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Info-ZIP UnZip 5.52
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Trustix Secure Linux 3.0
Info-ZIP UnZip 5.51
+ Trustix Secure Linux 2.2
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Info-ZIP UnZip 5.50
+ Conectiva Linux 9.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG 1.1
+ OpenPKG OpenPKG Current
+ Red Hat Linux 6.2
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ Slackware Linux 9.0
+ Slackware Linux -current
+ Sun Linux 5.0.6
Info-ZIP UnZip 5.42
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Red Hat Linux 6.2
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ Sun Linux 5.0
Info-ZIP UnZip 5.41
Info-ZIP UnZip 5.40
Info-ZIP UnZip 5.32
Info-ZIP UnZip 5.31
Info-ZIP UnZip 5.3
Info-ZIP UnZip 5.2
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0
Avaya Messaging Storage Server MSS 3.0
Avaya Message Networking MN 3.1
Avaya Message Networking
Avaya IA770 Voice Mail 0
Avaya Aura Application Enablement Services 4.0.1
Avaya Aura Application Enablement Services 3.1.3
Avaya Aura Application Enablement Services 3.0
Avaya AES 4.0
Avaya AES 3.1

- Vulnerability discussion

Info-ZIP 'unzip' is susceptible to a filename buffer-overflow vulnerability. The application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

This issue allows attackers to execute arbitrary machine code in the context of users running the affected application.
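The missing bounds check described above, placed beside a bounded replacement and the caller-side guard that the CVE note's caveat (unzip invoked from another program with long arguments) calls for, as an added example in C. This is illustrative code written for this page, not Info-ZIP's source: the buffer size NAME_BUF_SIZE, the function names and the constructed names made of 'A' bytes are assumptions for the demonstration, and the real overflow site in UnZip is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed filename buffer; Info-ZIP's real constant
 * and the real overflow site are not given on this page. */
#define NAME_BUF_SIZE 1024

/* Vulnerable pattern (CWE-119): copy an attacker-controlled argv entry
 * into a fixed-size stack buffer without checking its length. An
 * argument of NAME_BUF_SIZE bytes or more overruns the buffer; the
 * page's 50000-byte PoC smashes the stack. It is called only with a
 * short name here so this program itself stays well defined. */
static size_t unchecked_copy(const char *arg)
{
    char name[NAME_BUF_SIZE];
    strcpy(name, arg);              /* no bounds check */
    return strlen(name);
}

/* Length of s, never scanning more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened replacement: refuse names that do not fit, rather than
 * copying blindly or silently truncating (a truncated path may name a
 * different file than the one requested). Returns 0 on success, -1 if
 * the name is rejected (dest is then an empty string). */
static int bounded_copy(char *dest, size_t destsz, const char *arg)
{
    size_t n;
    if (destsz == 0)
        return -1;
    n = bounded_len(arg, destsz);
    if (n >= destsz) {              /* needs destsz+ bytes incl. NUL */
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, arg, n + 1);
    return 0;
}

/* Caller-side guard for the scenario the CVE note singles out: a
 * program that builds an unzip command line from untrusted data should
 * bound the argument before exec'ing unzip at all. Returns 1 if the
 * argument is shorter than limit, 0 otherwise. */
static int arg_ok_for_unzip(const char *arg, size_t limit)
{
    return bounded_len(arg, limit) < limit;
}

/* Constructed input: a name of len 'A' bytes, like the perl one-liner
 * shown in the exploit section of this page. */
static char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Run bounded_copy on a constructed name of len bytes: 0 = accepted,
 * -1 = rejected, -2 = allocation failure. */
static int try_name_of_length(size_t len)
{
    char dest[NAME_BUF_SIZE];
    char *name = make_long_name(len);
    int rc;
    if (name == NULL)
        return -2;
    rc = bounded_copy(dest, sizeof dest, name);
    free(name);
    return rc;
}

int main(void)
{
    printf("short name: %zu bytes copied\n", unchecked_copy("archive.zip"));
    printf("50000-byte name: bounded_copy -> %d\n", try_name_of_length(50000));
    printf("%d-byte name: bounded_copy -> %d\n", NAME_BUF_SIZE - 1,
           try_name_of_length(NAME_BUF_SIZE - 1));
    return 0;
}
```

The 50000-byte name is the length used by the perl PoC in the exploit section. unchecked_copy is deliberately never fed the long name: doing so is exactly the stack smash the advisory describes, and whether it yields a crash or code execution depends on the binary, not on this snippet.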

- Exploit

The following example command will demonstrate this issue:

unzip `perl -e 'print "A" x 50000'`

An exploit by DVDMAN is available:

- Solution

Please see the referenced vendor advisories for details on obtaining and applying fixes.


Info-ZIP UnZip 5.50

Info-ZIP UnZip 5.51

Info-ZIP UnZip 5.52


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.