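Vulnerability Details
Zlib compression library gzprintf() buffer overflow vulnerability
- CNNVD ID: CNNVD-200303-040
- Severity: High
- CVE ID:
CVE-2003-0107
- Vulnerability type:
Boundary condition error
- Published:
2003-02-23
- Threat type:
Remote
- Updated:
2006-09-20
- Vendor:
gnu
- Vulnerability source:
Richard Kettlewell…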
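Vulnerability Summary
zlib is a popular compression library used in many applications, including well-known SSH implementations.
zlib's gzprintf() function does not properly check user-supplied data. A remote attacker can exploit this vulnerability to carry out a buffer overflow attack and may be able to execute arbitrary instructions on the system with the privileges of the application process that uses this function.
zlib includes the gzprintf() function, which is similar to fprintf(). If the arguments passed to this function exceed the number of bytes defined by Z_PRINTF_BUFSIZE (4096 by default), a buffer overflow can be triggered; carefully crafted data may execute arbitrary instructions on the system with the privileges of the application process that uses this function.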
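A bounded formatter of the kind the description calls for, as an added example in C (not zlib's code and not the patch below): it formats into a fixed 4096-byte buffer with vsnprintf() and uses the return value to reject output that does not fit. The names bounded_printf, sink_write, try_payload and PRINTF_BUFSIZE are hypothetical, and a C99-conforming vsnprintf() is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PRINTF_BUFSIZE 4096   /* assumed: mirrors the Z_PRINTF_BUFSIZE default */

size_t bytes_written;         /* hypothetical sink: counts bytes accepted */

static void sink_write(const char *data, size_t len)
{
    (void)data;               /* a real caller would compress and write here */
    bytes_written += len;
}

/* Format into a fixed buffer; return bytes accepted, or 0 if the output
 * is empty, failed to format, or would not fit (nothing is written then). */
int bounded_printf(const char *format, ...)
{
    char buf[PRINTF_BUFSIZE];
    va_list ap;
    int len;

    va_start(ap, format);
    len = vsnprintf(buf, sizeof(buf), format, ap);  /* never writes past buf */
    va_end(ap);

    /* C99 vsnprintf returns the length the full output needs, so a value
     * >= sizeof(buf) means truncation: reject instead of sending a prefix. */
    if (len <= 0 || (size_t)len >= sizeof(buf))
        return 0;
    sink_write(buf, (size_t)len);
    return len;
}

/* Constructed input: n bytes of 'A' passed through "%s". */
int try_payload(size_t n)
{
    static char big[2 * PRINTF_BUFSIZE];
    if (n >= sizeof(big))
        return -1;
    memset(big, 'A', n);
    big[n] = '\0';
    return bounded_printf("%s", big);
}

int main(void)
{
    printf("4095 -> %d, 4096 -> %d\n", try_payload(4095), try_payload(4096));
    return 0;
}
```

An unbounded vsprintf() into the same buffer would write all n bytes regardless of the buffer size, which is the condition the description refers to.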
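Vulnerability Advisory
Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends that you take the following measures to reduce the threat:
* The third-party patch is as follows: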
diff -Naur zlib-1.1.4/ChangeLog zlib-1.1.4-vsnprintf/ChangeLog
— zlib-1.1.4/ChangeLog 2002-03-11 15:02:35.000000000 +0000
+++ zlib-1.1.4-vsnprintf/ChangeLog 2003-02-24 05:31:41.000000000 +0000
@@ -1,6 +1,13 @@
ChangeLog file for zlib
+Changes in 1.1.4-patched (23 February 2003)
+- fix a security vulnerability related to improper use of snprintf/vsnprintf
+ function.
+- ./configure now detects the presence of snprintf/vsnprintf and enables it
+ automatically if present.
+- README.vsnprintf added.
+
Changes in 1.1.4 (11 March 2002)
– ZFREE was repeated on same allocation on some error conditions.
This creates a security problem described in
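Review bot: The new ChangeLog entry describes the fix only as "improper use of snprintf/vsnprintf function" and never names gzprintf(), which the README.vsnprintf added by this same patch identifies as the affected function. Naming gzprintf() and the buffer overflow in this entry would let someone scanning the ChangeLog tell what was fixed without opening the README.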
diff -Naur zlib-1.1.4/README.vsnprintf zlib-1.1.4-vsnprintf/README.vsnprintf
— zlib-1.1.4/README.vsnprintf 1970-01-01 00:00:00.000000000 +0000
+++ zlib-1.1.4-vsnprintf/README.vsnprintf 2003-02-24 05:13:28.000000000 +0000
@@ -0,0 +1,23 @@
+During a recent audit of zlib-1.1.4, a buffer-overflow and string-format
+vulnerability was found in the gzprintf() function. This has been corrected in
+this version of zlib; in addition, some ./configure checks have been added to
+make sure the host system can utilize the corrections fully.
+
+As a result, it is now strongly recommended that your host system or compiler
+provide a fully C99-compliant implementation of the vsnprintf() function.
+Anything less will reduce the functionality and/or security of the gzprintf()
+function. The most critical aspect is that vsnprintf() should be present and
+should provide a return value. If this function is missing, one of the
+fallback functions (vsprintf(), snprintf(), vsnprintf()) will have to be used,
+and if so, they too should return a value. If your system is lacking in any of
+these aspects, the ./configure script should warn you and refer you to this
+file.
+
+In addition, the HAS_vsnprintf and HAS_snprintf macros are automatically
+defined if these functions are available. zlib-1.1.4 and older versions did
+not do this, potentially leading to a broken and vulnerable zlib even when the
+host system supported the requisite functionality to avoid this.
+
+
+ — Kelledin <kelledin@users.sourceforge.net>
+
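Review bot: In the sentence beginning "If this function is missing", the fallback list "(vsprintf(), snprintf(), vsnprintf())" includes vsnprintf() itself, which cannot be the fallback for a missing vsnprintf(). The list should name only the functions that are actually tried, and the text should say plainly that the vsprintf() fallback is unbounded, since the configure warning in this patch already describes that build as open to buffer-overflow vulnerabilities.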
diff -Naur zlib-1.1.4/configure zlib-1.1.4-vsnprintf/configure
— zlib-1.1.4/configure 1998-07-08 18:19:35.000000000 +0000
+++ zlib-1.1.4-vsnprintf/configure 2003-02-24 05:13:28.000000000 +0000
@@ -156,6 +156,209 @@
fi
cat > $test.c <
+#include
+
+#if (defined(__MSDOS__) || defined(_WINDOWS) || defined(_WIN32) || defined(__WIN32__) || defined(WIN32) || defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)) && !defined(STDC)
+# define STDC
+#endif
+
+int main() {
+ int i;
+
+ i=0;
+#ifndef STDC
+ choke me
+#endif
+
+ return 0;
+}
+EOF
+
+if test “`($CC -c $CFLAGS $test.c) 2>&1`” = “”; then
+ echo “Checking whether to use vsnprintf() or snprintf()… using vsnprintf()”
+
+ cat > $test.c <
+#include
+#include
+
+int mytest(char *fmt, …) {
+ char buf[20];
+ va_list ap;
+
+ va_start(ap, fmt);
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ return 0;
+}
+
+int main() {
+ return (mytest(“Hello%d\n”, 1));
+}
+EOF
+
+ if test “`($CC -c $CFLAGS $test.c) 2>&1`” = “”; then
+ CFLAGS=”$CFLAGS -DHAS_vsnprintf”
+ echo “Checking for vsnprintf() in stdio.h… Yes.”
+
+ cat > $test.c <
+#include
+#include
+
+int mytest(char *fmt, …) {
+ int i;
+ char buf[20];
+ va_list ap;
+
+ va_start(ap, fmt);
+ i=vsnprintf(buf, sizeof(buf), fmt, ap);
+ return 0;
+}
+
+int main() {
+ return (mytest(“Hello%d\n”, 1));
+}
+EOF
+
+ if test “`($CC -c $CFLAGS $test.c) 2>&1`” = “”; then
+ CFLAGS=”$CFLAGS -DHAS_vsnprintf_return”
+ echo “Checking for return value of vsnprintf()… Yes.”
+ else
+ echo “Checking for return value of vsnprintf()… No.”
+ echo ” WARNING: apparently vsnprintf() does not return a value. zlib”
+ echo ” can build but will be open to possible string-format security”
+ echo ” vulnerabilities. See README.vsnprintf for more info.”
+ echo
+ fi
+ else
+ echo “Checking for vsnprintf() in stdio.h… No.”
+ echo ” WARNING: vsnprintf() not found, falling back to vsprintf(). zlib”
+ echo ” can build but will be open to possible buffer-overflow security”
+ echo ” vulnerabilities. See README.vsnprintf for more info.”
+ echo
+
+ cat > $test.c <
+#include
+#include
+
+int mytest(char *fmt, …) {
+ int i;
+ char buf[20];
+ va_list ap;
+
+ va_start(ap, fmt);
+ i=vsprintf(buf, fmt, ap);
+ return 0;
+}
+
+int main() {
+ return (mytest(“Hello%d\n”, 1));
+}
+EOF
+
+ if test “`($CC -c $CFLAGS $test.c) 2>&1`” = “”; then
+ CFLAGS=”$CFLAGS -DHAS_vsprintf_return”
+ echo “Checking for return value of vsprintf()… Yes.”
+ else
+ echo “Checking for return value of vsprintf()… No.”
+ echo ” WARNING: apparently vsprintf() does not return a value. zlib”
+ echo ” can build but will be open to possible string-format security”
+ echo ” vulnerabilities. See README.vsnprintf for more info.”
+ echo
+ fi
+ fi
+else
+ echo “Checking whether to use vsnprintf() or snprintf()… using snprintf()”
+
+ cat > $test.c <
+#include
+#include
+
+int mytest() {
+ char buf[20];
+ va_list ap;
+
+ va_start(ap, fmt);
+ snprintf(buf, sizeof(buf), fmt, ap);
+ return 0;
+}
+
+int main() {
+ return (mytest());
+}
+EOF
+
+ if test “`($CC -c $CFLAGS $test.c) 2>&1`” = “”; then
+ CFLAGS=”$CFLAGS -DHAS_snprintf”
+ echo “Checking for snprintf() in stdio.h… Yes.”
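Review bot: The snprintf() probe in the non-STDC branch cannot compile whether or not snprintf() exists: mytest() is declared with no parameters, yet its body uses fmt in "va_start(ap, fmt)" and "snprintf(buf, sizeof(buf), fmt, ap)", so the branch that sets -DHAS_snprintf is never taken (and a va_list is not a valid argument for snprintf() in any case). Have the probe call snprintf() directly with a literal format string and fixed arguments. Separately, every probe here only compiles with "$CC -c", so it verifies a declaration in the header and nothing about linking or runtime behaviour; an implementation that ignores the size argument would still pass.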
References
Source: US-CERT Vulnerability Note: VU#142121
Name: VU#142121
Link: http://www.kb.cert.org/vuls/id/142121
Source: XF
Name: zlib-gzprintf-bo(11381)
Link: http://www.iss.net/security_center/static/11381.php
Source: BUGTRAQ
Name: 20030222 buffer overrun in zlib 1.1.4
Link: http://online.securityfocus.com/archive/1/312869
Source: BUGTRAQ
Name: 20030223 poc zlib sploit just for fun :)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104610337726297&w=2
Source: lists.apple.com
Link: http://lists.apple.com/mhonarc/security-announce/msg00038.html
Source: BID
Name: 6913
Link: http://www.securityfocus.com/bid/6913
Source: REDHAT
Name: RHSA-2003:081
Link: http://www.redhat.com/support/errata/RHSA-2003-081.html
Source: REDHAT
Name: RHSA-2003:079
Link: http://www.redhat.com/support/errata/RHSA-2003-079.html
Source: OSVDB
Name: 6599
Link: http://www.osvdb.org/6599
Source: MANDRAKE
Name: MDKSA-2003:033
Link: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:033
Source: SUNALERT
Name: 57405
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
Source: GENTOO
Name: GLSA-200303-25
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104887247624907&w=2
Source: BUGTRAQ
Name: 20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104620610427210&w=2
Source: BUGTRAQ
Name: 20030224 Re: buffer overrun in zlib 1.1.4
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104610536129508&w=2
Source: CONECTIVA
Name: CLSA-2003:619
Link: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000619
Source: NETBSD
Name: NetBSD-SA2003-004
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-004.txt.asc
Source: CALDERA
Name: CSSA-2003-011.0
Link: ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-011.0.txt