Published: 2006-05-19 17:02:00
Revised: 2017-10-10 21:30:56

[Original] Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.

[CNNVD] Dia Filename Remote Format String Vulnerability (CNNVD-200605-346)

        A format string vulnerability exists in Dia 0.94. A user-assisted attacker can cause a denial of service (crash), and possibly execute arbitrary code, by triggering errors or warnings, for example via format string specifiers in a .bmp filename. Note: the original exploit was demonstrated through a command-line argument, but there are other input mechanisms that Dia processes automatically, such as a crafted .dia file.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-134 [Use of Externally-Controlled Format String]

- CPE (affected platforms and products)


- OVAL (technical details for detection)

oval:org.mitre.oval:def:11224  Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary c...

- Official database links
(official source) MITRE
(official source) NVD
(official source) CNNVD

- Other links and resources
(UNKNOWN)  VULN-DEV  20060506 DIA file name handling format string
(UNKNOWN)  BID  18078

- Vulnerability information

Dia Filename Remote Format String Vulnerability
Medium  Format string
2006-05-19 00:00:00 2006-08-28 00:00:00
        A format string vulnerability exists in Dia 0.94. A user-assisted attacker can cause a denial of service (crash), and possibly execute arbitrary code, by triggering errors or warnings, for example via format string specifiers in a .bmp filename. Note: the original exploit was demonstrated through a command-line argument, but there are other input mechanisms that Dia processes automatically, such as a crafted .dia file.

- Advisories and patches

        DIA DIA 0.94
        Mandriva Linux 2006.0:
            dia-0.94-6.4.20060mdk.i586.rpm
            dia-0.94-6.4.20060mdk.src.rpm
            dia-0.94-6.4.20060mdk.x86_64.rpm
        Fedora Core 4 (RedHat):
            dia-0.94-16.fc4.i386.rpm
            dia-0.94-16.fc4.ppc.rpm
            dia-0.94-16.fc4.src.rpm
            dia-0.94-16.fc4.x86_64.rpm
            dia-debuginfo-0.94-16.fc4.i386.rpm
            dia-debuginfo-0.94-16.fc4.ppc.rpm
            dia-debuginfo-0.94-16.fc4.x86_64.rpm
        Ubuntu 5.10:
            dia-common_0.94.0-11ubuntu1.2_all.deb
            dia-gnome_0.94.0-11ubuntu1.2_amd64.deb
            dia-gnome_0.94.0-11ubuntu1.2_i386.deb
            dia-gnome_0.94.0-11ubuntu1.2_powerpc.deb
            dia-libs_0.94.0-11ubuntu1.2_amd64.deb
            dia-libs_0.94.0-11ubuntu1.2_i386.deb
            dia-libs_0.94.0-11ubuntu1.2_powerpc.deb
            dia_0.94.0-11ubuntu1.2_amd64.deb
            dia_0.94.0-11ubuntu1.2_i386.deb
            dia_0.94.0-11ubuntu1.2_powerpc.deb
        Ubuntu 5.04:
            dia-common_0.94.0-5ubuntu1.3_all.deb
            dia-gnome_0.94.0-5ubuntu1.3_amd64.deb
            dia-gnome_0.94.0-5ubuntu1.3_i386.deb
            dia-gnome_0.94.0-5ubuntu1.3_powerpc.deb
            dia-libs_0.94.0-5ubuntu1.3_amd64.deb
            dia-libs_0.94.0-5ubuntu1.3_i386.deb
            dia-libs_0.94.0-5ubuntu1.3_powerpc.deb
            dia_0.94.0-5ubuntu1.3_amd64.deb
            dia_0.94.0-5ubuntu1.3_i386.deb
            dia_0.94.0-5ubuntu1.3_powerpc.deb
        DIA DIA 0.92.2
        Mandriva Corporate 3.0:
            dia-0.92.2-2.3.C30mdk.i586.rpm
            dia-0.92.2-2.3.C30mdk.src.rpm
            dia-0.92.2-2.3.C30mdk.x86_64.rpm

- Vulnerability information

Dia File Name Handling Local Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

Dia contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the program is used to open a file using the 'Open Diagram' dialog box and if the file name contains format string characters. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-05-05 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Dia Filename Remote Format String Vulnerability
Input Validation Error 18078
Remote: Yes  Local: No
2006-05-23 12:00:00 2006-11-30 04:45:00
Discovery is credited to KaDaL-X.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Enterprise Linux AS 4
Gentoo Linux
DIA DIA 0.92.2
DIA DIA 0.88.1
DIA DIA 0.95-pre6
DIA DIA 0.95
DIA DIA 0.94
+ Ubuntu Ubuntu Linux 5.04 powerpc
+ Ubuntu Ubuntu Linux 5.04 i386
+ Ubuntu Ubuntu Linux 5.04 amd64
DIA DIA 0.93
DIA DIA 0.91
DIA DIA 0.87

- Vulnerability discussion

Dia is prone to a remote format-string vulnerability.

This issue arises when the application handles specially crafted filenames: the filename reaches a printf-style error or warning routine as the format string rather than as an argument. An attacker can exploit this vulnerability by crafting a malicious filename that contains format specifiers and then coercing unsuspecting users to open the malicious file with the affected application.

A successful attack may crash the application or lead to arbitrary code execution.

This issue affects Dia versions 0.95 and earlier.
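The bug class described in the discussion above, as an added example that is not Dia's code and is not taken from any advisory cited on this page: a hypothetical warning helper uses the caller's string as its format, so a filename such as `%x%x%n.bmp` (whether it arrives via argv, the Open Diagram dialog, or a path referenced inside a .dia file) drives printf directives with attacker-chosen content; the fixed variant passes a constant format and the filename only as an argument, and a small scanner flags filenames that carry directives before they reach any such routine. The function names, the message text and the sample filenames are assumptions for illustration. The demonstration deliberately uses the harmless `%%` directive: the vulnerable path collapses it to a single `%`, which proves the filename was parsed as a format without reading or writing the stack.

```c
/* Added example, not Dia's code: the filename-as-format bug class beside
 * its fix, plus an input-side check.  Names and messages are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Hypothetical message helper that mirrors the bug class: whatever the
 * caller passes as fmt is interpreted by vsnprintf.  Any call site that
 * builds fmt from user data hands that user control of %x/%s/%n. */
static void warn_with_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: the filename is interpolated into a message, and the
 * resulting message is then used as a format string a second time. A
 * static buffer is used only so the demo can return a string. */
const char *report_open_failure_vuln(const char *filename)
{
    static char out[MSG_MAX];
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "Could not open %s", filename);
    warn_with_format(out, sizeof out, msg);   /* user data used as format */
    return out;
}

/* FIXED pattern: constant format, filename only ever as an argument. */
const char *report_open_failure_safe(const char *filename)
{
    static char out[MSG_MAX];
    warn_with_format(out, sizeof out, "Could not open %s", filename);
    return out;
}

/* Input-side check usable on filenames from argv, a file dialog, or paths
 * referenced inside a .dia file: counts printf conversion specifications.
 * "%%" is an escaped percent and is not counted; a lone trailing '%' is
 * counted because printf treats it as an (undefined) directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* literal percent sign, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample filenames for the demo. */
    const char *benign = "100%%.bmp";          /* harmless %% directive */
    const char *hostile = "%x%x%n.bmp";        /* classic read/write probes */

    printf("vulnerable: %s\n", report_open_failure_vuln(benign));   /* 100%.bmp  */
    printf("fixed:      %s\n", report_open_failure_safe(benign));   /* 100%%.bmp */
    printf("directives in '%s': %d\n", hostile, count_format_directives(hostile));
    return 0;
}
```

Declaring a helper like `warn_with_format` with `__attribute__((format(printf, 3, 4)))` and building with `-Wformat -Wformat-security` makes GCC flag the non-literal format in `report_open_failure_vuln` at compile time; the same audit applies to any logging or dialog call whose first argument is assembled from a filename.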

- Exploit

The following filename is sufficient to demonstrate this issue:

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- Solution

Please see the references for vendor advisories and fixes.

DIA DIA 0.94

DIA DIA 0.92.2

- References