File is a program used to determine file types by testing each argument in an attempt to classify it.
There are three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test that succeeds causes the file type to be printed. The magic file usually resides in /usr/share/magic.
A buffer overflow vulnerability allows a user to execute arbitrary commands with the privileges of another user (such as root) by tricking that user into running file on a specially crafted target file.
The storage buffer used in the call to read() is 0x20 (32) bytes, but the read length is taken from the examined file itself. Supplying a 'size' of 0x28 (40) overflows the stack buffer, overwriting the saved frame pointer (EBP) and return address (EIP) and thereby giving the attacker control of the CPU and the ability to execute arbitrary code.
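As an added example (not part of the advisory and not file's own source), the bounds check the described read() is missing, written in C against a hypothetical 32-byte header buffer: the length declared by the examined file is compared with the buffer before read() is called, so a declared 0x28 is rejected instead of overflowing the stack.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical 32-byte on-disk header record, standing in for the fixed-size
 * stack buffer described in the advisory. Constructed for this example. */
#define HDR_SIZE 32u

/* Read one header record from fd into a caller-provided 32-byte buffer.
 * `size` is the record length as declared by the file being examined, i.e.
 * untrusted. Returns the number of bytes read, or -1 when the declared size
 * does not fit the buffer (the check that the vulnerable code lacked) or the
 * read comes up short. */
ssize_t read_header_checked(int fd, size_t size, unsigned char buf[HDR_SIZE])
{
    if (size == 0 || size > HDR_SIZE) {
        /* Refuse rather than let read() write past the end of buf. */
        return -1;
    }
    ssize_t n = read(fd, buf, size);
    if (n != (ssize_t)size)
        return -1;
    return n;
}

/* Self-contained driver: push 64 constructed bytes through a pipe and try a
 * checked read with a file-declared size of `declared`. */
ssize_t try_declared_size(size_t declared)
{
    int fds[2];
    unsigned char payload[64];
    unsigned char buf[HDR_SIZE];

    memset(payload, 'A', sizeof payload); /* constructed sample input */
    if (pipe(fds) == -1)
        return -1;
    /* 64 bytes is far below the pipe capacity, so this write does not block. */
    (void)write(fds[1], payload, sizeof payload);
    close(fds[1]);
    ssize_t r = read_header_checked(fds[0], declared, buf);
    close(fds[0]);
    return r;
}

int main(void)
{
    printf("declared 0x20 -> %zd\n", try_declared_size(0x20)); /* 32: accepted */
    printf("declared 0x28 -> %zd\n", try_declared_size(0x28)); /* -1: rejected */
    return 0;
}
```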
Exploit code:
First, create the file intended for the exploit:
Local /usr/bin/file upto v3.39 exploit by anonymous
Using PRESET: 1 [Linux file <= 3.38 ]
Using FILENAME: /tmp/exploit
Using REAL_SHELL: /bin/bash
Using CREATED_SHELL: /tmp/suid
Using OUTPUT: ASCII text
Using RET_ADDR: 0xbfffc3f0
Using NOP_COUNT: 6000
Exploit created -> /tmp/exploit
Time to wait till somebody starts /usr/bin/file /tmp/exploit
Once the tainted file has been generated the attacker must wait for or coerce another user to examine the file with the file(1) command.
# ls -l exploit
-rwxr-xr-x 1 farmer farmer 6406 Jan 11 22:07 exploit
# file exploit
/tmp/exploit: ASCII text
The file(1) command reports that the examined file is "ASCII text", as the attacker specified when creating the exploit file. At this point, if the attack was successful, the original attack file (exploit) has been erased and a set-user-id shell has been created:
# ls -l exploit
ls: exploit: No such file or directory
$ ls -l suid
-rwsr-sr-x 1 root root 541096 Jan 11 22:07 suid
CVE:
CVE has assigned this problem the identification: CAN-2003-0102
Solution:
Download the latest version of file from your vendor, or upgrade to version 3.41.
Vendors will issue upgrades individually.