Vulnerabilities > CVE-2005-4439 - Remote Buffer Overflow vulnerability in Elog Elogd 2.6.0Beta4
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE

(CVSS v2 base vector AV:N/AC:L/Au:N/C:N/I:N/A:C, as carried by the Nessus plugin below: exploitable remotely without authentication; the scored impact is availability only, i.e. a crash of elogd, although the advisory text notes that arbitrary code execution may also be possible.)

Summary
Buffer overflow in ELOG elogd 2.6.0-beta4 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a URL with a long (1) cmd or (2) mode parameter.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | ELOG elogd 2.6.0-beta4 | 1 |
Nessus
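NASL family CGI abuses
NASL id ELOG_OVERFLOWS.NASL
description The remote host appears to be using ELOG, a web-based electronic logbook application. The version of ELOG installed on the remote host crashes when it receives HTTP requests with excessive data for the 'mode' and 'cmd' parameters.
last seen 2020-06-01
modified 2020-06-02
plugin id 20321
published 2005-12-19
reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/20321
title ELOG Remote Buffer Overflow Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#
# Remote check for CVE-2005-4439: ELOG elogd 2.6.0-beta4 crashes (and may
# allow code execution) when the 'cmd' or 'mode' URL parameter is too long.
#
# Two modes of operation:
#   * safe checks enabled  -> banner-version match only, and only when the
#     scan runs with report_paranoia > 1 (a default safe scan reports nothing);
#   * safe checks disabled -> an active, DESTRUCTIVE test: an oversized
#     parameter is sent and the flaw is reported if elogd stops answering.
#     Run this only where taking the logbook down is acceptable.
#

include("compat.inc");

if (description)
{
  script_id(20321);
  script_version("1.21");

  script_cve_id("CVE-2005-4439");
  script_bugtraq_id(15932);

  script_name(english:"ELOG Remote Buffer Overflow Vulnerabilities");
  script_summary(english:"Checks for remote buffer overflow vulnerabilities in ELOG");

  script_set_attribute(attribute:"synopsis", value:"The remote web server is affected by remote buffer overflow flaws.");
  script_set_attribute(attribute:"description", value:"The remote host appears to be using ELOG, a web-based electronic logbook application. The version of ELOG installed on the remote host crashes when it receives HTTP requests with excessive data for the 'mode' and 'cmd' parameters. An unauthenticated attacker may be able to exploit these issues to execute arbitrary code on the remote host subject to the privileges under which the application runs.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/949");
  script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-967");
  # The original "Unknown at this time." predates DSA-967, which ships a fix
  # for this CVE; point users at it instead of leaving them with no action.
  script_set_attribute(attribute:"solution", value:"Upgrade to a fixed version of ELOG. Debian fixed this issue in elog 2.5.7+r1558-4+sarge2 (DSA-967); for other platforms consult the advisories in the references.");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/19");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/19");
  script_cvs_date("Date: 2018/11/15 20:50:16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # MIXED_ATTACK: the non-safe branch below deliberately crashes the service.
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8080, embedded: 0);

# Make sure the server looks like ELOG.  elogd is its own HTTP server and
# names itself in the Server header; anything else is left alone so the
# destructive test is never aimed at an unrelated web server.
banner = get_http_banner(port:port);
if (banner && "Server: ELOG HTTP" >< banner)
{
  # If safe checks are enabled, fall back to the banner version.
  if (safe_checks())
  {
    # 0.x, 1.x, 2.0-2.5 and 2.6.0 are treated as affected.  The pattern
    # matches "2.6.0" with any suffix, so it cannot tell 2.6.0-beta4 from a
    # later 2.6.0 build -- which is why this is reported only when paranoid.
    if ((report_paranoia > 1) && (egrep(pattern:"^Server: ELOG HTTP ([01]\.|2\.([0-5]\.|6\.0))", string:banner)))
    {
      report = string(
        "\n",
        "Nessus determined the flaw exists on the remote host based solely\n",
        "on the version number of ELOG found in the banner."
      );
      security_hole(port:port, extra:report);
      exit(0);
    }
  }
  else
  {
    # Loop through directories.
    if (thorough_tests) dirs = list_uniq(make_list("/elog", "/demo", cgi_dirs()));
    else dirs = make_list(cgi_dirs());

    # Don't blame the test for a daemon that was already down.
    if (http_is_dead(port:port)) exit(0);

    foreach dir (dirs)
    {
      # Try to exploit the flaw to crash the service.  Both parameters named
      # in CVE-2005-4439 are exercised, so a build patched for one but not
      # the other is still flagged.
      answered = TRUE;
      foreach param (make_list("cmd", "mode"))
      {
        r = http_send_recv3(
          method:"GET",
          item:string(dir, "/?", param, "=", crap(20000)),
          port:port
        );
        if (isnull(r) || strlen(r[2]) == 0)
        {
          answered = FALSE;
          # No reply at all: if the daemon is gone, the oversized parameter
          # killed it.  If it is still up, move on and try the next request.
          if (http_is_dead(port:port))
          {
            security_hole(port);
            exit(0);
          }
        }
      }
      # elogd answered both oversized requests and is still up: not affected.
      # It is a single daemon, so other paths would hit the same parser.
      if (answered) exit(0);
    }
  }
}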
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-967.NASL
description Several security problems have been found in elog, an electronic logbook to manage notes. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2005-4439
last seen 2020-06-01
modified 2020-06-02
plugin id 22833
published 2006-10-14
reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/22833
title Debian DSA-967-1 : elog - several vulnerabilities
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-967. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (authenticated) check: compares the installed Debian 3.1 "elog"
# package version against the fixed version named in DSA-967.  It makes no
# network request to elogd and therefore cannot crash it, unlike the remote
# check in plugin 20321.
#

include("compat.inc");

if (description)
{
  script_id(22833);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  # All seven CVEs closed by DSA-967; CVE-2005-4439 is the URL-parameter
  # buffer overflow.
  script_cve_id("CVE-2005-4439", "CVE-2006-0347", "CVE-2006-0348", "CVE-2006-0597", "CVE-2006-0598", "CVE-2006-0599", "CVE-2006-0600");
  script_xref(name:"DSA", value:"967");

  script_name(english:"Debian DSA-967-1 : elog - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." );
  script_set_attribute( attribute:"description", value: "Several security problems have been found in elog, an electronic logbook to manage notes. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2005-4439 'GroundZero Security' discovered that elog insufficiently checks the size of a buffer used for processing URL parameters, which might lead to the execution of arbitrary code. - CVE-2006-0347 It was discovered that elog contains a directory traversal vulnerability in the processing of '../' sequences in URLs, which might lead to information disclosure. - CVE-2006-0348 The code to write the log file contained a format string vulnerability, which might lead to the execution of arbitrary code. - CVE-2006-0597 Overly long revision attributes might trigger a crash due to a buffer overflow. - CVE-2006-0598 The code to write the log file does not enforce bounds checks properly, which might lead to the execution of arbitrary code. - CVE-2006-0599 elog emitted different errors messages for invalid passwords and invalid users, which allows an attacker to probe for valid user names. - CVE-2006-0600 An attacker could be driven into infinite redirection with a crafted 'fail' request, which has denial of service potential." );
  script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349528" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-4439" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0347" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0348" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0597" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0598" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0599" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0600" );
  script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-967" );
  script_set_attribute( attribute:"solution", value: "Upgrade the elog package. The old stable distribution (woody) does not contain elog packages. For the stable distribution (sarge) these problems have been fixed in version 2.5.7+r1558-4+sarge2." );

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  # NOTE(review): the remote check for the same CVE (plugin 20321) carries
  # E:POC and exploit_available "true", citing a public full-disclosure post;
  # the E:U / "No known exploits" values here look stale by comparison --
  # confirm before using them for prioritisation.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:elog");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/22");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # Needs the dpkg listing collected over SSH by ssh_get_info.nasl.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Without local credentials, a Debian release or a package list there is
# nothing to compare; audit out explicitly rather than guess.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# Only sarge (3.1) is checked: per the solution text woody never shipped
# elog, and the fixed reference is the sarge2 package from DSA-967.
if (deb_check(release:"3.1", prefix:"elog", reference:"2.5.7+r1558-4+sarge2")) flag++;

if (flag)
{
  # Verbose reports include the installed-vs-fixed version details.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://marc.info/?l=full-disclosure&m=113498708213563&w=2
- http://secunia.com/advisories/18124
- http://secunia.com/advisories/18783
- http://securitytracker.com/id?1015379
- http://www.debian.org/security/2006/dsa-967
- http://www.osvdb.org/21844
- http://www.securityfocus.com/bid/15932
- http://www.vupen.com/english/advisories/2005/3000
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23838
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24703