Oops! auth() Format String Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1013864
SecurityTracker URL: http://securitytracker.com/id?1013864
CVE Reference: CAN-2005-1121
Date: May 3 2005
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 1.5.23 and prior versions
Description: A format string vulnerability was reported in Oops! A remote user may be able to execute arbitrary code.
The auth() function in the passwd_mysql/passwd_pgsql module calls the my_xlog() function without a format string specifier. A remote user can supply a specially crafted HTTP request to trigger the vulnerability and cause the service to crash or execute arbitrary code.
A demonstration exploit request is provided:
GET http://%s%s%s%s%s%s%s%s/ HTTP/1.0
Host: ghc.ru
Proxy-Authorization: Basic Z2hjOnJzdA==
The flaw resides in 'passwd_sql.c'.
Edisan from RST/GHC reported this vulnerability.
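The flawed call pattern described above and its corrected form, as an added example that is not code from Oops! or from the vendor patch. The logger xlog(), the buffer last_log and both wrapper functions are hypothetical stand-ins, since the advisory does not show the signature of my_xlog().

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* sink for this example; a real logger writes to a file */

/* Hypothetical printf-style logger standing in for my_xlog(), whose real
 * signature is not shown in the advisory. The format attribute lets GCC and
 * Clang type-check callers and, with -Wformat-security, flag a call whose
 * format is not a string literal and has no arguments. */
static void xlog(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void xlog(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);   /* bounded, NUL-terminated */
    va_end(ap);
}

#ifdef SHOW_VULNERABLE
/* Flawed pattern: request data IS the format string, so every conversion in
 * it makes vsnprintf fetch an argument that was never passed. Compiled only
 * with -DSHOW_VULNERABLE, to see the compiler warning. */
static const char *log_auth_unsafe(const char *from_request)
{
    xlog(from_request);
    return last_log;
}
#endif

/* Corrected pattern: constant format, request data only ever an argument. */
static const char *log_auth_safe(const char *from_request)
{
    xlog("auth: request for %s", from_request);
    return last_log;
}

int main(void)
{
    /* Constructed input: the host part of the advisory's demonstration request. */
    puts(log_auth_safe("%s%s%s%s%s%s%s%s"));
    return 0;
}
```

With the constant format, the conversion characters in the request are logged verbatim and never interpreted.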
Impact: A remote user can cause the service to crash or execute arbitrary code.
Solution: A patch is available at:
http://zipper.paco.net/~igor/oops/diff_from_1.5.23.patch.gz
Vendor URL: oops-cache.org/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
None.