Published: 2006-09-05 20:04:00
Revised: 2011-03-07 21:37:52

[Original] c2faxrecv in capi4hylafax 01.02.03 allows remote attackers to execute arbitrary commands via null (\0) and shell metacharacters in the TSI string, as demonstrated by a fax from an anonymous number.

[CNNVD] CAPI4Hylafax Remote Arbitrary Command Execution Vulnerability (CNNVD-200609-035)

        c2faxrecv in capi4hylafax 01.02.03 allows remote attackers to execute arbitrary commands via null (\0) and shell metacharacters in the TSI string, as demonstrated by a fax from an anonymous number.

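- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]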

- Official database links
(Official source) MITRE
(Official source) NVD
(Official source) CNNVD

- Other links and resources
(UNKNOWN)  VUPEN  ADV-2006-3430
(UNKNOWN)  BID  19801

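- Vulnerability information

CAPI4Hylafax Remote Arbitrary Command Execution Vulnerability
High risk  Input validation
2006-09-05 00:00:00 2006-09-06 00:00:00
        c2faxrecv in capi4hylafax 01.02.03 allows remote attackers to execute arbitrary commands via null (\0) and shell metacharacters in the TSI string, as demonstrated by a fax from an anonymous number.

- Advisories and patches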

        CAPI4Hylafax CAPIHylafax 1.2.3
        Debian capi4hylafax_01.02.03-10sarge2_alpha.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_amd64.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_arm.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_i386.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_ia64.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_m68k.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge
        Debian capi4hylafax_01.02.03-10sarge2_sparc.deb
        Debian GNU/Linux 3.1 alias sarge
        Hylafax Hylafax 4.2.5
        SuSE capi4hylafax-4.2.5-14.5.i586.rpm
        openSUSE 10.1
        SuSE capi4hylafax-4.2.5-14.5.x86_64.rpm
        openSUSE 10.1
        Hylafax Hylafax 4.3
        SuSE capi4hylafax-4.3.0-25.2.i586.rpm
        openSUSE 10.2
        SuSE capi4hylafax-4.3.0-25.2.x86_64.rpm
        openSUSE 10.2

- Vulnerability information (F49708)

Debian Linux Security Advisory 1165-1 (PacketStormID:F49708)
2006-09-07 00:00:00

Debian Security Advisory 1165-1 - Lionel Elie Mamane discovered a security vulnerability in capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows remote attackers to execute arbitrary commands on the fax receiving system.

--------------------------------------------------------------------------
Debian Security Advisory DSA 1165-1                                       Martin Schulze
September 1st, 2006
--------------------------------------------------------------------------

Package        : capi4hylafax
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3126

Lionel Elie Mamane discovered a security vulnerability in
capi4hylafax, tools for faxing over a CAPI 2.0 device, that allows
remote attackers to execute arbitrary commands on the fax receiving

For the stable distribution (sarge) this problem has been fixed in
version 01.02.03-10sarge2.

For the unstable distribution (sid) this problem has been fixed in

We recommend that you upgrade your capi4hylafax package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>


- Vulnerability information

Capi4Hylafax c2faxrecv TSI String Processing Arbitrary Command Injection
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-08-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

CAPI4Hylafax Remote Arbitrary Command Execution Vulnerability
Input Validation Error 19801
Yes No
2006-09-01 12:00:00 2007-03-22 05:03:00
Lionel Elie Mamane is credited with the discovery of these vulnerabilities.

- Affected software versions

SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10.0
SuSE Linux 9.3
SuSE Linux 9.2
SuSE Linux 9.1
S.u.S.E. Linux 10.1
S.u.S.E. Linux 10.0
Hylafax Hylafax 4.3
Hylafax Hylafax 4.2.5
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
CAPI4Hylafax CAPIHylafax 1.2.3
CAPI4Hylafax CAPIHylafax 1.1

- Discussion

CAPI4Hylafax is prone to an arbitrary command-execution vulnerability.

An attacker can exploit this vulnerability to execute arbitrary commands in the context of the affected application.

- Exploit

Attackers can exploit this issue by sending malicious network data.

- Solution

SUSE Linux-based products containing capi4hylafax have fixes available; please see the referenced advisory for more information.

CAPI4Hylafax CAPIHylafax 1.2.3

Hylafax Hylafax 4.2.5

Hylafax Hylafax 4.3