ESB-2003.0145 -- iDEFENSE Security Advisory 03.04.03 -- Locally Exploitable Buffer Overflow in file(1)

Date: 05 March 2003
References: ESB-2003.0169  ESB-2003.0160  ESB-2003.0164  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2003.0145 -- iDEFENSE Security Advisory 03.04.03
              Locally Exploitable Buffer Overflow in file(1)
                               05 March 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                file(1)
Vendor:                 iDEFENSE
Operating System:       Linux
                        UNIX
                        Mac OS X
Impact:                 Execute Arbitrary Code/Commands
                        Increased Privileges

Comment: CVE Id: CAN-2003-0102

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 03.04.03:
http://www.idefense.com/advisory/03.04.03.txt
Locally Exploitable Buffer Overflow in file(1)
March 4, 2003

I. BACKGROUND

file(1) is an application that utilizes a magic file (typically located in
/usr/share/magic) to classify arbitrary files. The latest version of
file(1) is available for download from: ftp://ftp.astron.com/pub/file . 
For example:

    $ file
    Usage: file [-bcnvzL] [-f namefile] [-m magicfiles] file...
    
    $ file unknown_file
    unknown_file: ASCII text


II. DESCRIPTION

The file(1) command contains a buffer overflow vulnerability that can be
leveraged by an attacker to execute arbitrary code under the privileges of
another user.

The crux of the problem lies in the following call to doshn() from
tryelf() on line 587 in readelf.c:

    doshn(class, swap,
        fd,
        getu32(swap, elfhdr.e_shoff),
        getu16(swap, elfhdr.e_shnum),
        getu16(swap, elfhdr.e_shentsize));

The final argument to doshn(), 'elfhdr.e_shentsize', is later used as the
length in a call to read(), as can be seen here on line 133 in readelf.c:

    if (read(fd, sh_addr, size) == -1)

The call to read() will copy 'size' bytes into the variable 'sh_addr'
which is defined on line 92 in readelf.c:

    #define sh_addr (class == ELFCLASS32 \
                     ? (void *) &sh32 \
                     : (void *) &sh64)

The storage buffer used in the call to read() is 0x20 (32) bytes in size;
by supplying a 'size' of 0x28 (40), a stack overflow occurs that overwrites
the stored frame pointer (EBP) and instruction pointer (EIP), thereby giving
the attacker control of the CPU and the ability to execute arbitrary code.
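The root cause above is that a length taken straight from the untrusted ELF header (e_shentsize) is passed to read() with a fixed-size stack struct as the destination. The added C example below is not file(1)'s code and not the file-3.41 patch; it is an illustration of the bounds check a parser needs before such a read: the declared entry size must equal the size of the destination struct for that ELF class, and the section table must lie inside the file. The Shdr32/Shdr64 structs follow the standard Elf32_Shdr/Elf64_Shdr layouts, and the sample bytes are constructed in memory rather than read from a file descriptor.

```c
/* Hardened section-header read: accept e_shentsize only when it exactly
 * matches the destination struct for the ELF class, and only copy when the
 * table lies inside the file. Added illustration, not file(1)'s readelf.c. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ELFCLASS32 1
#define ELFCLASS64 2

/* Standard Elf32_Shdr (40 bytes) and Elf64_Shdr (64 bytes) layouts. */
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset,
             sh_size, sh_link, sh_info, sh_addralign, sh_entsize;
} Shdr32;
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr64;

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Size of the destination buffer for this class; 0 for an unknown class. */
size_t expected_shentsize(int elfclass) {
    if (elfclass == ELFCLASS32) return sizeof(Shdr32);
    if (elfclass == ELFCLASS64) return sizeof(Shdr64);
    return 0;
}

/* 1 if a read of e_shentsize bytes fits the class's buffer exactly, else 0. */
int shentsize_ok(int elfclass, uint16_t e_shentsize) {
    size_t want = expected_shentsize(elfclass);
    return want != 0 && e_shentsize == want;
}

/* Copy the first section header of a little-endian ELF32 image into dst.
 * Returns 0 on success, -1 if e_shentsize is rejected, -2 if the image is
 * truncated or has no sections, -3 if the class is not handled here. */
int copy_first_shdr(const uint8_t *file, size_t len, Shdr32 *dst) {
    if (len < 52) return -2;                 /* ELF32 header is 52 bytes */
    int elfclass = file[4];                  /* EI_CLASS */
    if (elfclass != ELFCLASS32) return -3;
    uint32_t e_shoff     = get32(file + 32);
    uint16_t e_shentsize = get16(file + 46);
    uint16_t e_shnum     = get16(file + 48);
    if (!shentsize_ok(elfclass, e_shentsize)) return -1;   /* the missing check */
    if (e_shnum == 0) return -2;
    if (e_shoff > len || len - e_shoff < e_shentsize) return -2;
    memcpy(dst, file + e_shoff, sizeof *dst);              /* size == sizeof *dst */
    return 0;
}

/* Constructed sample: a minimal little-endian ELF32 header followed by one
 * 40-byte section header. Not a real binary, just the bytes the check reads. */
size_t build_sample(uint8_t *out, size_t cap, uint16_t e_shentsize) {
    const size_t total = 52 + sizeof(Shdr32);
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x7f; out[1] = 'E'; out[2] = 'L'; out[3] = 'F';
    out[4] = ELFCLASS32; out[5] = 1;         /* EI_DATA = little-endian */
    out[32] = 52;                            /* e_shoff: table right after header */
    out[46] = (uint8_t)(e_shentsize & 0xff);
    out[47] = (uint8_t)(e_shentsize >> 8);   /* e_shentsize, attacker-controlled */
    out[48] = 1;                             /* e_shnum */
    out[52 + 4] = 3;                         /* sh_type = 3 so the copy is observable */
    return total;
}

/* Build a sample with the given e_shentsize and return the parser's verdict. */
int verdict_for(uint16_t e_shentsize) {
    uint8_t buf[128]; Shdr32 sh;
    size_t n = build_sample(buf, sizeof buf, e_shentsize);
    return n ? copy_first_shdr(buf, n, &sh) : -2;
}

int main(void) {
    printf("e_shentsize=40:  %d\n", verdict_for(40));   /* accepted  */
    printf("e_shentsize=200: %d\n", verdict_for(200));  /* rejected  */
    return 0;
}
```

The check is deliberately an equality test rather than an upper bound: a short entry would leave part of the struct uninitialised, and a long one is exactly the overflow described above. Either way the parser refuses the file instead of letting the header dictate how many bytes land on the stack.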

III. ANALYSIS

A user who can successfully convince another user to examine a specially
constructed exploit file with the file(1) command can execute arbitrary
code under the privileges of that user.

The following is a sample walkthrough of a successful exploitation. The
attacker must initially generate a file that is specially structured to
trigger a buffer overflow in the file(1) command:

    $ ./mkfile_expl -C /tmp/suid -F /tmp/exploit -O "ASCII text" -R /bin/bash -p 1

    Local /usr/bin/file upto v3.39 exploit by anonymous
    
    Using PRESET: 1 [Linux file <= 3.38 ]
    
    Using FILENAME: /tmp/exploit
    Using REAL_SHELL: /bin/bash
    Using CREATED_SHELL: /tmp/suid
    Using OUTPUT: ASCII text
    
    Using RET_ADDR: 0xbfffc3f0
    Using NOP_COUNT: 6000
    
    Exploit created -> /tmp/exploit
    Time to wait till somebody starts /usr/bin/file /tmp/exploit

Once the tainted file has been generated the attacker must wait for or
coerce another user to examine the file with the file(1) command.

    # ls -l exploit
    -rwxr-xr-x 1 farmer farmer 6406 Jan 11 22:07 exploit
    
    # file exploit
    /tmp/exploit: ASCII text

The file(1) command reports that the examined file is "ASCII text", as the
attacker specified when creating the exploit file. At this point, if the
attack was a success, the original attack file (exploit) has been erased
and a set-user-id shell has been created:

    # ls -l exploit
    ls: exploit: No such file or directory
    
    $ ls -l suid
    -rwsr-sr-x 1 root root 541096 Jan 11 22:07 suid

IV. DETECTION

iDEFENSE has successfully exploited file(1) versions 3.37 and 3.39. It is
suspected that all versions up to and including 3.39 are vulnerable.

V. VENDOR FIX/RESPONSE

The latest version of file(1) fixes this issue and is available from
ftp://ftp.astron.com/pub/file/file-3.41.tar.gz .  Specific vendors will be
shipping updated packages in the near future.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0102 to this issue.

VII. DISCLOSURE TIMELINE

12/16/2002      Issue disclosed to iDEFENSE
02/24/2003      Maintainers notified: mail_contact@darwinsys.com
02/24/2003      Response from Ian Darwin, ian@darwinsys.com
02/25/2003      Response received from christos@zoulas.com
02/25/2003      iDEFENSE clients notified
02/27/2003      OS vendors notified via vendor-sec@lst.de
03/04/2003      Public Disclosure

VIII. CREDIT

An anonymous researcher discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPmT0jPrkky7kqW5PEQL9uwCgy357oodXdMcC++NBfuqTTzqSWw8AnRj+
2X0UHCShrduL6w6UYBUUuR8/
=599A
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPmYlQyh9+71yA2DNAQHU0AP/XGv5Y4WAStlE+rkfNpGLDwjdXgXbt+vY
xa1kf1md+2dcvVcXXm5cNi4nqa67+BsjDaNI6hnETfe9s7l66NFFsjiXIrpcWS2t
LHqcdnZ4I68c6+EZqRvmObtjXHBHceKDIbbPn7PR6jLhlmJrW1nxzRrYp/ZyydOJ
PGr5Y9OqIUY=
=AGsI
-----END PGP SIGNATURE-----