Vulnerabilities > CVE-2008-2542 - Buffer Errors vulnerability in Nasa Ames Research Center Bigview 1.8
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Stack-based buffer overflow in the getline function in Ppm/ppm.C in NASA Ames Research Center BigView 1.8 allows user-assisted remote attackers to execute arbitrary code via a crafted PNM file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | NASA Ames Research Center BigView 1.8 PNM File Stack-Based Buffer Overflow Vulnerability. CVE-2008-2542. Dos exploits for multiple platform |
| id | EDB-ID:31872 |
| last seen | 2016-02-03 |
| modified | 2008-06-04 |
| published | 2008-06-04 |
| reporter | Alfredo Ortega |
| source | https://www.exploit-db.com/download/31872/ |
| title | NASA Ames Research Center BigView 1.8 - .PNM Stack-Based Buffer Overflow Vulnerability |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/67015/CORE-2008-0425.txt |
| id | PACKETSTORM:67015 |
| last seen | 2016-12-05 |
| published | 2008-06-05 |
| reporter | Core Security Technologies |
| source | https://packetstormsecurity.com/files/67015/Core-Security-Technologies-Advisory-2008.0425.html |
| title | Core Security Technologies Advisory 2008.0425 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 29517 CVE(CAN) ID: CVE-2008-2542 BigView是NASA开发的图形查看器,可在运行Linux的桌面PC上将图形拉伸和缩放到任意尺寸。 BigView在解析特制的PNM输入文件时存在栈溢出漏洞,攻击者可能利用此漏洞通过诱使用户处理恶意文件控制用户系统。 以下是Ppm/ppm.C文件中的漏洞代码。这里getline()函数从文件将数据读取到缓冲区: /----------- 418 static void getline(int fin, char* lineBuf, int len) 419 { 420 bool done=false; 421 int index=0; 422 lineBuf[index]=' '; 423 while(! done){ 424 lineBuf[index] = getOneChar(fin); 425 if( lineBuf[index]==10 ) { 426 lineBuf[index]=0; 427 done=true; 428 } 429 ++index; 430 } 431 lineBuf[index]=0; 432 } - -----------/ 函数要求了目标缓冲区的长度,但没有内部使用。在PPM::ppmHeader()函数中使用了上述函数来读取PPM文件的头: /----------- 56 PPM::ppmHeader(string filename, PPM::Format* format, 57 int* cpp, int* bpc, 58 int* sizeX, int* sizeY, 59 int* imageOffset) 60 { 61 std::ostringstream err; 62 char magic[3],lineBuf[512],junk; 63 int res,max; . . . 115 while( junk == '#' ){ 116 getline(fin,lineBuf,512); 117 cout << "Comment:"<<lineBuf<<":"<<endl; 118 junk = getOneChar(fin); 119 } - -----------/ 栈上所分配的lineBuf缓冲区大小为512字节,如果PPM头中包含有大于512字节的行的话,就会触发栈溢出,导致拒绝服务或执行任意指令。 NASA BigView 1.8 NASA ---- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://opensource.arc.nasa.gov/project/bigview/ target=_blank>http://opensource.arc.nasa.gov/project/bigview/</a> |
| id | SSV:3387 |
| last seen | 2017-11-19 |
| modified | 2008-06-06 |
| published | 2008-06-06 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-3387 |
| title | NASA BigView PNM文件处理栈溢出漏洞 |
References
- http://secunia.com/advisories/30546
- http://securityreason.com/securityalert/3924
- http://www.coresecurity.com/?action=item&id=2304
- http://www.securityfocus.com/archive/1/493112/100/0/threaded
- http://www.securityfocus.com/bid/29517
- http://www.vupen.com/english/advisories/2008/1745/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42847