CVE-2006-2480
CVSS 5.1
Published: 2006-05-19 17:02:00
Revised: 2011-03-07 00:00:00

[Original] Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.


[CNNVD] Dia Filename Remote Format String Vulnerability (CNNVD-200605-346)

        Dia 0.94 contains a format string vulnerability. A user-assisted attacker can cause a denial of service (crash), and possibly execute arbitrary code, by triggering error or warning messages, for example through format specifiers in a .bmp filename. Note: the original exploit was demonstrated through a command-line argument, but Dia automatically processes other inputs, such as a crafted .dia file, that reach the same code.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: [--]
Authentication: NONE [no authentication is needed to exploit]

- CWE (weakness category)

CWE-134 [Use of Externally-Controlled Format String]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11224 Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary c...
*OVAL definitions describe how to detect this vulnerability in detail; see the linked OVAL definition for the technical details of the check.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2480
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2480
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-346
(official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/20254
(VENDOR_ADVISORY)  SECUNIA  20254
http://www.vupen.com/english/advisories/2006/1908
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1908
http://www.ubuntulinux.org/support/documentation/usn/usn-286-1
(UNKNOWN)  UBUNTU  USN-286-1
http://www.securityfocus.com/bid/18078
(UNKNOWN)  BID  18078
http://www.securityfocus.com/archive/82/433313/30/0/threaded
(UNKNOWN)  VULN-DEV  20060506 DIA file name handling format string
http://www.redhat.com/support/errata/RHSA-2006-0541.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2006:0541
http://www.osvdb.org/25699
(UNKNOWN)  OSVDB  25699
http://www.novell.com/linux/security/advisories/2006-06-02.html
(VENDOR_ADVISORY)  SUSE  SUSE-SR:2006:012
http://www.mandriva.com/security/advisories?name=MDKSA-2006:093
(UNKNOWN)  MANDRIVA  MDKSA-2006:093
http://www.gentoo.org/security/en/glsa/glsa-200606-03.xml
(UNKNOWN)  GENTOO  GLSA-200606-03
http://securitytracker.com/id?1016203
(UNKNOWN)  SECTRACK  1016203
http://secunia.com/advisories/20513
(VENDOR_ADVISORY)  SECUNIA  20513
http://secunia.com/advisories/20457
(VENDOR_ADVISORY)  SECUNIA  20457
http://secunia.com/advisories/20422
(VENDOR_ADVISORY)  SECUNIA  20422
http://secunia.com/advisories/20339
(VENDOR_ADVISORY)  SECUNIA  20339
http://secunia.com/advisories/20199
(VENDOR_ADVISORY)  SECUNIA  20199
http://kandangjamur.net/tutorial/dia.txt
(UNKNOWN)  MISC  http://kandangjamur.net/tutorial/dia.txt
http://bugzilla.gnome.org/show_bug.cgi?id=342111
(UNKNOWN)  CONFIRM  http://bugzilla.gnome.org/show_bug.cgi?id=342111

- Vulnerability information (CNNVD)

Dia Filename Remote Format String Vulnerability
Medium severity; format string
2006-05-19 00:00:00 2006-08-28 00:00:00
Remote
        Dia 0.94 contains a format string vulnerability. A user-assisted attacker can cause a denial of service (crash), and possibly execute arbitrary code, by triggering error or warning messages, for example through format specifiers in a .bmp filename. Note: the original exploit was demonstrated through a command-line argument, but Dia automatically processes other inputs, such as a crafted .dia file, that reach the same code.

- Advisories and patches

        DIA DIA 0.94
        Mandriva Linux 2006.0: dia-0.94-6.4.20060mdk.i586.rpm  http://www.mandriva.com/en/download
        Mandriva Linux 2006.0: dia-0.94-6.4.20060mdk.src.rpm  http://www.mandriva.com/en/download
        Mandriva Linux 2006.0: dia-0.94-6.4.20060mdk.x86_64.rpm  http://www.mandriva.com/en/download
        RedHat Fedora Core 4: dia-0.94-16.fc4.i386.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        RedHat Fedora Core 4: dia-0.94-16.fc4.ppc.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        RedHat Fedora Core 4: dia-0.94-16.fc4.src.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        RedHat Fedora Core 4: dia-0.94-16.fc4.x86_64.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        RedHat Fedora Core 4: dia-debuginfo-0.94-16.fc4.i386.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        RedHat Fedora Core 4: dia-debuginfo-0.94-16.fc4.ppc.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        RedHat Fedora Core 4: dia-debuginfo-0.94-16.fc4.x86_64.rpm  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/
        Ubuntu 5.10: dia-common_0.94.0-11ubuntu1.2_all.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-common_0.94.0-11ubuntu1.2_all.deb
        Ubuntu 5.04: dia-common_0.94.0-5ubuntu1.3_all.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-common_0.94.0-5ubuntu1.3_all.deb
        Ubuntu 5.10: dia-gnome_0.94.0-11ubuntu1.2_amd64.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-11ubuntu1.2_amd64.deb
        Ubuntu 5.10: dia-gnome_0.94.0-11ubuntu1.2_i386.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-11ubuntu1.2_i386.deb
        Ubuntu 5.10: dia-gnome_0.94.0-11ubuntu1.2_powerpc.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-11ubuntu1.2_powerpc.deb
        Ubuntu 5.04: dia-gnome_0.94.0-5ubuntu1.3_amd64.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-5ubuntu1.3_amd64.deb
        Ubuntu 5.04: dia-gnome_0.94.0-5ubuntu1.3_i386.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-5ubuntu1.3_i386.deb
        Ubuntu 5.04: dia-gnome_0.94.0-5ubuntu1.3_powerpc.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-gnome_0.94.0-5ubuntu1.3_powerpc.deb
        Ubuntu 5.10: dia-libs_0.94.0-11ubuntu1.2_amd64.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-11ubuntu1.2_amd64.deb
        Ubuntu 5.10: dia-libs_0.94.0-11ubuntu1.2_i386.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-11ubuntu1.2_i386.deb
        Ubuntu 5.10: dia-libs_0.94.0-11ubuntu1.2_powerpc.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-11ubuntu1.2_powerpc.deb
        Ubuntu 5.04: dia-libs_0.94.0-5ubuntu1.3_amd64.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-5ubuntu1.3_amd64.deb
        Ubuntu 5.04: dia-libs_0.94.0-5ubuntu1.3_i386.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-5ubuntu1.3_i386.deb
        Ubuntu 5.04: dia-libs_0.94.0-5ubuntu1.3_powerpc.deb  http://security.ubuntu.com/ubuntu/pool/main/d/dia/dia-libs_0.94.0-5ubuntu1.3_powerpc.deb
        Ubuntu 5.10: dia_0.94.0-11ubuntu1.2_amd64.deb  http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-11ubuntu1.2_amd64.deb
        Ubuntu 5.10: dia_0.94.0-11ubuntu1.2_i386.deb  http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-11ubuntu1.2_i386.deb
        Ubuntu 5.10: dia_0.94.0-11ubuntu1.2_powerpc.deb  http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-11ubuntu1.2_powerpc.deb
        Ubuntu 5.04: dia_0.94.0-5ubuntu1.3_amd64.deb  http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-5ubuntu1.3_amd64.deb
        Ubuntu 5.04: dia_0.94.0-5ubuntu1.3_i386.deb  http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-5ubuntu1.3_i386.deb
        Ubuntu 5.04: dia_0.94.0-5ubuntu1.3_powerpc.deb  http://security.ubuntu.com/ubuntu/pool/universe/d/dia/dia_0.94.0-5ubuntu1.3_powerpc.deb
        DIA DIA 0.92.2
        Mandriva Corporate 3.0: dia-0.92.2-2.3.C30mdk.i586.rpm  http://www.mandriva.com/en/download
        Mandriva Corporate 3.0: dia-0.92.2-2.3.C30mdk.src.rpm  http://www.mandriva.com/en/download
        Mandriva Corporate 3.0: dia-0.92.2-2.3.C30mdk.x86_64.rpm  http://www.mandriva.com/en/download

- Vulnerability information (OSVDB)

OSVDB 25699
Dia File Name Handling Local Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

Dia contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when the program is used to open a file using the 'Open Diagram' dialog box and if the file name contains format string characters. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- Timeline

Disclosed: 2006-05-05 (other timeline dates unknown)

- Solution

At the time of this OSVDB entry, no upgrades, patches or workarounds were known to correct this issue; the vendor updates published later are listed in the advisory and package sections above.

- Vulnerability information (SecurityFocus BID)

Dia Filename Remote Format String Vulnerability
Class: Input Validation Error    BID 18078
Remote: Yes    Local: No
Published: 2006-05-23 12:00:00    Updated: 2006-11-30 04:45:00
Discovery is credited to KaDaL-X.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Enterprise Linux AS 4
Gentoo Linux
DIA DIA 0.92.2
DIA DIA 0.88.1
DIA DIA 0.95-pre6
DIA DIA 0.95
DIA DIA 0.94
+ Ubuntu Ubuntu Linux 5.04 powerpc
+ Ubuntu Ubuntu Linux 5.04 i386
+ Ubuntu Ubuntu Linux 5.04 amd64
DIA DIA 0.93
DIA DIA 0.91
DIA DIA 0.87

- Vulnerability discussion

Dia is prone to a remote format-string vulnerability.

This issue arises when the application handles specially crafted filenames. An attacker can exploit this vulnerability by crafting a malicious filename that contains format specifiers and then coercing unsuspecting users to open the malicious file with the affected application.

A successful attack may crash the application or lead to arbitrary code execution.

This issue affects Dia versions 0.95 and earlier.

- Exploit

The following filename is sufficient to demonstrate this issue:
%p%p%p%p.bmp

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com
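The filename above works because an error or warning message that already contains the attacker's filename is handed to a printf-style routine as its format string. The C program below is an added illustration, not code from Dia, the advisory or any vendor patch: it models the sink with a hypothetical variadic `message_warning(out, outlen, format, ...)` (the function names, the `report_open_error_*` callers and the buffer size are assumptions) and places the vulnerable caller, which builds the message first and then passes it as the format, beside the fixed caller, which keeps a constant format and passes the filename only as an argument. A small directive counter flags filenames such as `%p%p%p%p.bmp` and singles out `%n`, the directive that turns a leak into a write.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 256   /* message buffer size; an assumption for this example */

/*
 * printf-style message sink, modelled on a variadic message_warning(format, ...)
 * API (hypothetical stand-in, not Dia's code). The function itself is fine; the
 * bug lives in any caller that passes untrusted text as `format`.
 */
static int message_warning(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/*
 * VULNERABLE caller: the filename is baked into the message first, and the
 * finished message is then handed over as the format string. "%p" in the
 * filename now consumes variadic arguments that were never passed (stack
 * disclosure), "%s" dereferences them (crash) and "%n" writes through them.
 */
static void report_open_error_vuln(char *out, size_t outlen, const char *filename)
{
    char msg[MSG_LEN];
    snprintf(msg, sizeof msg, "Could not open '%s'", filename);
    message_warning(out, outlen, msg);   /* BUG: msg is the format */
}

/* FIXED caller: constant format, the filename is only ever an argument. */
static void report_open_error_fixed(char *out, size_t outlen, const char *filename)
{
    message_warning(out, outlen, "Could not open '%s'", filename);
}

/*
 * Counts printf conversion directives in a string (ignoring the literal "%%")
 * and reports whether any of them is the memory-writing "%n". Handy as a
 * triage check on filenames seen in logs or crash reports; it does not replace
 * fixing the sink.
 */
static int count_format_directives(const char *s, int *has_write)
{
    int n = 0;
    *has_write = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a percent sign, no argument used */
            p++;
            continue;
        }
        const char *q = p + 1;      /* skip flags, width, precision, length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == '\0')             /* dangling '%' at end of string */
            break;
        if (*q == 'n')
            *has_write = 1;
        n++;
        p = q;
    }
    return n;
}

int main(void)
{
    const char *filename = "%p%p%p%p.bmp";    /* the advisory's demonstration name */
    char out[MSG_LEN];
    int has_write;

    report_open_error_vuln(out, sizeof out, filename);   /* undefined behaviour: leaks stack words */
    printf("vulnerable: %s\n", out);

    report_open_error_fixed(out, sizeof out, filename);  /* prints the name verbatim */
    printf("fixed:      %s\n", out);

    printf("directives in filename: %d, contains %%n: %s\n",
           count_format_directives(filename, &has_write), has_write ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -o dia-fmt dia-fmt.c`. The vulnerable run prints whatever the four `%p` pull off the argument area, which is the information leak; swapping one of them for `%n` makes the same call write to memory, which is why the advisory allows for code execution. gcc's `-Wformat-security` only checks functions carrying a format attribute, so a wrapper like `message_warning` is invisible to it unless it is declared with `__attribute__((format(printf, 3, 4)))`; adding that attribute is the cheapest way to catch the vulnerable caller at build time.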

- Solution

Please see the references for vendor advisories and fixes.


About the SCAP Chinese Community

The SCAP Chinese Community (SCAP中文社区) is the first open Chinese-language community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.