Zip/Linux超长路径缓冲区溢出漏洞

受影响系统： Info-ZIP Zip 2.3 描述： -------------------------------------------------------------------------------- zip是一款Linux下的压缩工具。 zip对超长文件处理不正确，攻击者可以利用这个漏洞构建恶意文件，诱使用户处理，可以以进程权限执行任意指令。 当zip执行递归文件夹压缩时，没有检查最后路径的长度，如果路径太长，就可以触发堆栈破坏和段错误，如果在目录或者文件名中夹带SHELLCODE数据，可能以用户进程权限执行任意指令。 <*来源：HexView （vuln@hexview.com） 相关文章： List: full-disclosure Subject: [Full-Disclosure] [HV-MED] Zip/Linux long path buffer overflow From: vuln () hexview ! com Date: 2004-11-03 23:11:29 Message-ID: <20041103231128.GA6266 () hexview ! com> [Download message RAW] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Zip/Linux long path buffer overflow Classification: =============== Level: low-[MED]-high-crit ID: HEXVIEW*2004*11*03*1 URL: http://www.hexview.com/docs/20041103-1.txt Overview: ========= Zip console application by Info-Zip (http://www.info-zip.org) is an open-source software and part of many Linux distributions. A buffer overflow condition can be triggered and exploited during recursive compression operation. Affected products: ================== HexView tested the issue using Zip 2.3 which comes as "zip" package with Debian Linux. Possibly all earlier Info-Zip versions are vulnerable. Info-Zip applications for other operating systems are also vulnerable, but depending on operating system and file system restrictions, the vulnerability may or may not be triggered or exploited. Cause and Effect: ================= When zip performs recursive folder compression, it does not check for the length of resulting path. If the path is too long, a buffer overflow occurs leading to stack corruption and segmentation fault. It is possible to exploit this vulnerability by embedding a shellcode in directory or file name. While the issue is not of primary concern for regular users, it can be critical for environments where zip archives are re-compressed automatically using Info-Zip application. Demonstration: ============== The issue can be reproduced by following these steps: 1. Create an 8-level directory structure, where each directory name is 256 characters long (we used 256 'a' characters). 2. run "zip -r file.zip *". The application will crash with "segmentation fault" 3. run "gdb -core core `which zip`" (assuming core drop is enabled) 4. type "where" and hit Enter. Here is what you'll see: Program terminated with signal 11, Segmentation fault. [garbage truncated] #0 0x0805108e in error () #1 0x61616161 in ?? () #2 0x61616161 in ?? () #3 0x61616161 in ?? () Vendor Status: ============== HexView tried to notify vendor using vendor-provided e-mail address (zip-bugs@lists.wku.edu) on 2004-10-03. The mail was returned back as undeliverable. About HexView: ============== HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. The chances are you read our advisories or disclosures. For more information visit http://www.hexview.com Distribution: ============= This document may be freely distributed through any channels as long as the contents are kept unmodified. Commercial use of the information in the document is not allowed without written permission from HexView signed by our pgp key. HexView Disclosure Policy: ========================== HexView notifies vendors that have publicly available contact e-mail 24 hours before disclosing any information to the public. If we are unable to find vendor's e-mail address or if no reply is received within 24 hours, HexView will publish vulnerability notification including all technical details unless the issue is rated as "critical". If vendor does not reply within 72 hours, HexView may disclose all details for critical vulnerabilities as well. If vendor replies within the above mentioned time period, HexView will announce the vulnerability, but will not disclose the details required to reproduce it. HexView will also specify the date when full disclosure containing all the details will be published. The time period between announcement and full disclosure is 30 days unless there is an agreement with vendor and appropriate justification for extension. If vendor resolves the issue earlier than 30 days after announcement, HexView will publish full disclosure as soon as the fix is available to the public. HexView also reserves the right to publish any detail of any vulnerability at any time. Feedback and comments: ====================== Feedback and questions about this disclosure are welcome at vtalk@hexview.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBiWR3DPV1+KQrDqQRAoGdAJ9ii5vJ+jCyT3le7mko6dHXxJ1H4wCgsfDq SYo6Nb0wIbEm5HAxMRRFtxg= =7Jjm -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html