CVE-2004-1471 - Multiple vulnerabilities in CVS

CVSS 7.1 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, high complexity, cvs, openpkg, sgi, freebsd, gentoo, openbsd, nessus, exploit available

Summary

Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line. Failed exploit attempts will likely cause a denial of service condition.

Exploit-Db

description: CVS 1.11.x Multiple Vulnerabilities. CVE-2004-1471. Local exploit for linux platform
id: EDB-ID:24182
last seen: 2016-02-02
modified: 2004-06-09
published: 2004-06-09
reporter: Gyan Chawdhary
source: https://www.exploit-db.com/download/24182/
title: CVS 1.11.x - Multiple Vulnerabilities

Nessus

  • NASL family: Misc.
    NASL id: CVS_MALFORMED_ENTRY_LINES_FLAW.NASL
    description: The remote CVS server, according to its version number, might allow an attacker to execute arbitrary commands on the remote system because of a flaw relating to malformed Entry lines which lead to a missing NULL terminator. Among the issues deemed likely to be exploitable were:
      - A double-free relating to the error_prog_name string (CVE-2004-0416)
      - An argument integer overflow (CVE-2004-0417)
      - Out-of-bounds writes in serv_notify (CVE-2004-0418)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12265
    published: 2004-06-09
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12265
    title: CVS < 1.11.17 / 1.12.9 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # Ref:
    #  Date: Wed, 9 Jun 2004 15:00:04 +0200
    #  From: Stefan Esser <[email protected]>
    #  To: [email protected], [email protected],
    #        [email protected], [email protected]
    #  Subject: Advisory 09/2004: More CVS remote vulnerabilities
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(12265);
     script_version("1.28");
    
     script_cve_id("CVE-2004-0414", "CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418", "CVE-2004-1471"); 
     script_bugtraq_id(10499);
     script_xref(name:"RHSA", value:"2004:233-017");
     
     script_name(english:"CVS < 1.11.17 / 1.12.9 Multiple Vulnerabilities");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote CVS server is affected by multiple issues." );
     script_set_attribute(attribute:"description", value:
    "The remote CVS server, according to its version number, might allow an
    attacker to execute arbitrary commands on the remote system because of
    a flaw relating to malformed Entry lines which lead to a missing NULL
    terminator. 
    
    Among the issues deemed likely to be exploitable were:
    
      - A double-free relating to the error_prog_name string. 
        (CVE-2004-0416)
    
      - An argument integer overflow. (CVE-2004-0417)
    
      - Out-of-bounds writes in serv_notify. (CVE-2004-0418)" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Jun/234" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to CVS 1.12.9 or 1.11.17." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_cwe_id(119);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/09");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/06/09");
     script_cvs_date("Date: 2018/11/15 20:50:23");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_summary(english:"Logs into the remote CVS server and asks the version");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
     script_require_ports("Services/cvspserver", 2401);
     script_dependencies("find_service1.nasl", "cvs_pserver_heap_overflow.nasl");
     exit(0);
    }
    
    include('global_settings.inc');
    
    # Locate the pserver port and the version banner gathered by the dependency plugin.
    port = get_kb_item("Services/cvspserver");
    if(!port)port = 2401;
    if(!get_port_state(port))exit(0);
    version =  get_kb_item(string("cvs/", port, "/version"));
    if ( ! version ) exit(0);
    # Flag 1.0.x-1.10.x, 1.11.0-1.11.16 and 1.12.0-1.12.8 (fixed in 1.11.17 / 1.12.9).
    if(ereg(pattern:".* 1\.([0-9]\.|10\.|11\.([0-9][^0-9]|1[0-6])|12\.[0-8][^0-9]).*", string:version))
         security_hole(port);
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_CVS_11117.NASL
    description: The following package needs to be updated: FreeBSD
    last seen: 2016-09-26
    modified: 2011-10-02
    plugin id: 14282
    published: 2004-08-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=14282
    title: FreeBSD : cvs -- numerous vulnerabilities (29)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_CVS_NUMEROUS_VULNS.NASL
    description: The remote host is running a version of FreeBSD which contains a version of the 'cvs' utility containing several issues:
      - An insufficient input validation while processing 'Entry' lines
      - A double-free issue
      - An integer overflow when processing 'Max-dotdot' commands
      - A format string bug when processing cvs wrappers
      - A single-byte buffer overflow when processing configuration files
      - Various other integer overflows
    last seen: 2016-09-26
    modified: 2011-10-02
    plugin id: 14812
    published: 2004-09-24
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=14812
    title: FreeBSD : SA-04:14.cvs
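As an added example (not part of this record or of Tenable's plugin), the version check that plugin 12265 performs with ereg, run in Python over constructed sample banners next to an explicit comparison against the 1.11.17 / 1.12.9 fix versions; the banner strings, the use of re.search as a stand-in for NASL's ereg, and the helper names are assumptions.

```python
import re

# Pattern copied verbatim from plugin 12265; running it with re.search is an
# assumption about how NASL's ereg behaves, not a statement about NASL itself.
PLUGIN_PATTERN = re.compile(
    r".* 1\.([0-9]\.|10\.|11\.([0-9][^0-9]|1[0-6])|12\.[0-8][^0-9]).*"
)

# First fixed release on each affected branch, per the plugin's solution text.
FIXED = {11: (1, 11, 17), 12: (1, 12, 9)}


def parse_version(banner):
    """Return the first dotted x.y.z version in a CVS 'version' reply as a tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(banner):
    """True for CVS 1.0.x-1.10.x, 1.11.0-1.11.16 and 1.12.0-1.12.8."""
    v = parse_version(banner)
    if v is None or v[0] != 1:
        return False
    if v[1] < 11:
        return True          # older branches never received the fix
    fixed = FIXED.get(v[1])
    if fixed is None:
        return False         # 1.13 and later postdate the affected branches
    return v < fixed


def plugin_regex_matches(banner):
    """What the plugin's ereg-style check decides for the same banner."""
    return PLUGIN_PATTERN.search(banner) is not None


# Constructed sample banners, modelled on the pserver 'version' reply format.
SAMPLES = [
    "Concurrent Versions System (CVS) 1.11.16 (client/server)",
    "Concurrent Versions System (CVS) 1.11.17 (client/server)",
    "Concurrent Versions System (CVS) 1.12.8 (client/server)",
    "Concurrent Versions System (CVS) 1.12.9 (client/server)",
    "Concurrent Versions System (CVS) 1.12.8",  # nothing after the version
]

if __name__ == "__main__":
    for b in SAMPLES:
        print(f"{b!r}: regex={plugin_regex_matches(b)} parsed={is_vulnerable(b)}")
```

The last sample shows the one divergence: the regex requires a non-digit after the patch number, so a banner that ends right after "1.12.8" is not flagged by the pattern but is by the parsed comparison.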