Vulnerabilities > CVE-2008-0888 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Info-Zip Unzip

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
info-zip
CWE-119
critical
nessus

Summary

The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.

Vulnerable Configurations

Part Description Count
Application
Info-Zip
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1522.NASL
    descriptionTavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library
    last seen2020-06-01
    modified2020-06-02
    plugin id31628
    published2008-03-21
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31628
    titleDebian DSA-1522-1 : unzip - programming error
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1522. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31628);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2008-0888");
      script_xref(name:"DSA", value:"1522");
    
      script_name(english:"Debian DSA-1522-1 : unzip - programming error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Tavis Ormandy discovered that unzip, when processing specially crafted
    ZIP archives, could pass invalid pointers to the C library's free
    routine, potentially leading to arbitrary code execution
    (CVE-2008-0888 )."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1522"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the unzip package.
    
    For the old stable distribution (sarge), this problem has been fixed
    in version 5.52-1sarge5.
    
    For the stable distribution (etch), this problem has been fixed in
    version 5.52-9etch1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:unzip");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"unzip", reference:"5.52-1sarge5")) flag++;
    if (deb_check(release:"4.0", prefix:"unzip", reference:"5.52-9etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-068.NASL
    descriptionTavis Ormandy of Google Security discovered an invalid pointer flaw in unzip that could lead to the execution of arbitrary code with the privileges of the user running unzip. The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id37575
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37575
    titleMandriva Linux Security Advisory : unzip (MDVSA-2008:068)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0196.NASL
    descriptionFrom Red Hat Security Advisory 2008:0196 : Updated unzip packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The unzip utility is used to list, test, or extract files from a zip archive. An invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user
    last seen2020-06-01
    modified2020-06-02
    plugin id67672
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67672
    titleOracle Linux 3 : unzip (ELSA-2008-0196)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-589-1.NASL
    descriptionTavis Ormandy discovered that unzip did not correctly clean up pointers. If a user or automated service was tricked into processing a specially crafted ZIP archive, a remote attacker could execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id31639
    published2008-03-21
    reporterUbuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31639
    titleUbuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : unzip vulnerability (USN-589-1)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2010-002.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-002 applied. This security update contains fixes for the following products : - AppKit - Application Firewall - AFP Server - Apache - ClamAV - CoreTypes - CUPS - curl - Cyrus IMAP - Cyrus SASL - Disk Images - Directory Services - Event Monitor - FreeRADIUS - FTP Server - iChat Server - Image RAW - Libsystem - Mail - Mailman - OS Services - Password Server - perl - PHP - PS Normalizer - Ruby - Server Admin - SMB - Tomcat - unzip - vim - Wiki Server - X11 - xar
    last seen2020-06-01
    modified2020-06-02
    plugin id45373
    published2010-03-29
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/45373
    titleMac OS X Multiple Vulnerabilities (Security Update 2010-002)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0009.NASL
    descriptiona. VMware Tools Local Privilege Escalation on Windows-based guest OS The VMware Tools Package provides support required for shared folders (HGFS) and other features. An input validation error is present in the Windows-based VMware HGFS.sys driver. Exploitation of this flaw might result in arbitrary code execution on the guest system by an unprivileged guest user. It doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id40378
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40378
    titleVMSA-2008-0009 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0196.NASL
    descriptionUpdated unzip packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The unzip utility is used to list, test, or extract files from a zip archive. An invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user
    last seen2020-06-01
    modified2020-06-02
    plugin id31610
    published2008-03-19
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31610
    titleCentOS 3 : unzip (CESA-2008:0196)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200804-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200804-06 (UnZip: User-assisted execution of arbitrary code) Tavis Ormandy of the Google Security Team discovered that the NEEDBITS macro in the inflate_dynamic() function in the file inflate.c can be invoked using invalid buffers, which can lead to a double free. Impact : Remote attackers could entice a user or automated system to open a specially crafted ZIP file that might lead to the execution of arbitrary code or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id31837
    published2008-04-11
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31837
    titleGLSA-200804-06 : UnZip: User-assisted execution of arbitrary code
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20080318_UNZIP_ON_SL3_X.NASL
    descriptionAn invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user
    last seen2020-06-01
    modified2020-06-02
    plugin id60375
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60375
    titleScientific Linux Security Update : unzip on SL3.x i386/x86_64
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0196.NASL
    descriptionUpdated unzip packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The unzip utility is used to list, test, or extract files from a zip archive. An invalid pointer flaw was found in unzip. If a user ran unzip on a specially crafted file, an attacker could execute arbitrary code with that user
    last seen2020-06-01
    modified2020-06-02
    plugin id31619
    published2008-03-19
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31619
    titleRHEL 2.1 / 3 : unzip (RHSA-2008:0196)

Oval

accepted2013-04-29T04:21:42.685-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionThe NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
familyunix
idoval:org.mitre.oval:def:9733
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
version26

Redhat

advisories
rhsa
idRHSA-2008:0196
rpms
  • unzip-0:5.50-31.EL2.1
  • unzip-0:5.50-36.EL3
  • unzip-debuginfo-0:5.50-36.EL3

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 28288 CVE(CAN) ID: CVE-2008-0888 unzip是在Unix下对.zip文件格式进行解压的工具。 unzip的实现上存在漏洞,攻击者可能利用此漏洞通过诱使用户处理恶意文档提升权限。 unzip的inflate.c文件978行的inflate_dynamic()例程在出现错误时使用NEEDBITS()宏将执行流跳转到cleanup例程,而该例程试图free()两个在解压过程中所分配的缓冲区。某些位置在指针没有指向有效缓冲区的情况下便使用了NEEDBITS()宏,包括缓冲区未初始化或指向已经释放的块中。这两种情况都允许攻击者控制指针或指针所指向的缓冲区,导致执行任意指令。 Info-ZIP UnZip 5.52 RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2008:0196-01)以及相应补丁: RHSA-2008:0196-01:Moderate: unzip security update 链接:<a href=https://www.redhat.com/support/errata/RHSA-2008-0196.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0196.html</a>
idSSV:3060
last seen2017-11-19
modified2008-03-20
published2008-03-20
reporterRoot
titleInfo-ZIP UnZip inflate_dynamic()函数堆破坏漏洞

References