Compression Plus Stack Overflow Vulnerability

Vulnerability ID: 1193619
Vulnerability type: Buffer overflow
Published: 2006-09-05
Updated: 2006-09-06
CVE ID: CVE-2006-4554
CNNVD-ID: CNNVD-200609-039
Platform: N/A
CVSS score: 5.1
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006090026
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-039
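|Vulnerability details
The CompressionPlus library is used to compress and decompress a variety of popular archive formats. Its code for processing ZOO archives contains a vulnerability; an attacker who successfully exploits it may execute arbitrary instructions with the privileges of the currently executing user.

The nNumberOfBytesToRead parameter passed to ReadFile() in the CompressionPlus library is supplied by the user, but no length check is performed on it. A value of up to 7FFFh can be passed to ReadFile(), but specifying 39Ch bytes is enough to overwrite the function's return pointer on the stack, as follows:

    .text:1040A71B    movsx   eax, word ptr [ebp+ZooHeader+24h]
    .text:1040A71F    push    eax                     ; nNumberOfBytesToRead
    .text:1040A720    lea     eax, [ebp+var_394]
    .text:1040A726    push    eax                     ; lpBuffer
    .text:1040A727    push    [ebp+ZooHeader+88h]
    .text:1040A72A    call    _ReadFileWrapper

Any other program that uses this library is affected by this vulnerability.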
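The length check that the listing above lacks, as an added example that is not code from the advisory or from the Compression Plus library: the 16-bit length word from the header is validated against the destination buffer before any bytes are read. The `stream` type, the function names and the 0x394-byte buffer size (an upper bound taken from `var_394`) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumption: upper bound on the stack buffer, taken from var_394 in the listing. */
#define FIELD_BUF_SIZE 0x394u

/* Hypothetical in-memory stand-in for the archive file handle. */
struct stream { const uint8_t *data; size_t len, pos; };

/* Validate the header length word before it reaches the read.
 * The listing sign-extends the word (movsx), so it is treated as signed:
 * negative values and values larger than the destination are both rejected. */
static int checked_len(int16_t hdr_len, size_t dst_size, size_t *out)
{
    if (hdr_len < 0) return -1;
    if ((size_t)hdr_len > dst_size) return -1;
    *out = (size_t)hdr_len;
    return 0;
}

/* Bounded read: returns the number of bytes copied, or -1 on rejection. */
static long read_field(struct stream *s, int16_t hdr_len,
                       uint8_t *dst, size_t dst_size)
{
    size_t n;
    if (checked_len(hdr_len, dst_size, &n) != 0) return -1; /* oversize or negative */
    if (n > s->len - s->pos) return -1;                     /* truncated archive */
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (long)n;
}

/* Constructed sample: a zero-filled 0x400-byte stream and a caller-chosen length. */
static long demo(int16_t hdr_len)
{
    static uint8_t file_bytes[0x400];
    struct stream s = { file_bytes, sizeof file_bytes, 0 };
    uint8_t buf[FIELD_BUF_SIZE];
    return read_field(&s, hdr_len, buf, sizeof buf);
}

int main(void)
{
    /* 0x100 fits the buffer; 0x39C and 0x7FFF (the values in the text) do not. */
    return (demo(0x100) == 0x100 && demo(0x39C) == -1 && demo(0x7FFF) == -1) ? 0 : 1;
}
```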
|Vulnerability EXP
The Compression Plus library is designed to handle de/compression of
popular archiving formats such as ARC, ARK, PAK, ARJ, CAB, GZ, LBR, TAR,
TAZ, TGZ, Z, ZIP, and ZOO. The code fails to properly validate input
while processing specially crafted ZOO files, which results in a
stack-based buffer overflow. Software products that implement the
Compression Plus library are vulnerable to local or remote code
execution, depending on the nature of the calling process.

Details are available from the following URL:

http://www.mnin.org/advisories/2006_cp5_tweed.pdf
|References

Source: MISC
Link: http://www.mnin.org/advisories/2006_cp5_tweed.pdf
Source: BUGTRAQ
Name: 20060831 Compression Plus and Tumbleweed EMF Stack Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/444881/100/0/threaded
Source: www.becubed.com
Link: http://www.becubed.com/downloads/compfix.txt
Source: XF
Name: compressionplus-zoo-bo(28693)
Link: http://xforce.iss.net/xforce/xfdb/28693
Source: BID
Name: 19796
Link: http://www.securityfocus.com/bid/19796
Source: VUPEN
Name: ADV-2006-3439
Link: http://www.frsirt.com/english/advisories/2006/3439
Source: VUPEN
Name: ADV-2006-3438
Link: http://www.frsirt.com/english/advisories/2006/3438
Source: VUPEN
Name: ADV-2006-3437
Link: http://www.frsirt.com/english/advisories/2006/3437
Source: VUPEN
Name: ADV-2006-3429
Link: http://www.frsirt.com/english/advisories/2006/3429
Source: VUPEN
Name: ADV-2006-3428
Link: http://www.frsirt.com/english/advisories/2006/3428
Source: SREASON
Name: 1498
Link: http://securityreason.com/securityalert/1498
Source: SECUNIA
Name: 21751
Link: http://secunia.com/advisories/21751
Source: SECUNIA
Name: 21750
Link: http://secunia.com/advisories/21750
Source: SEC