CVE-2006-2480 - Use of Externally-Controlled Format String vulnerability in DIA 0.94

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Tags: dia, CWE-134, nessus, exploit available

Summary

Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.

Vulnerable Configurations

Part         Description   Count
Application  Dia           1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field of the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s prints the contents of a memory location, expecting that location to hold a string, and the formatting character %n writes the number of characters output so far into a memory location. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
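The bug class above, in the shape it took here (an untrusted filename reaching a printf-style message function as its format argument), shown as an added C illustration that is not Dia's code. The names message_warning, count_conversions and report_open_failure are assumptions made for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Constructed stand-in for a Dia-style warning sink. It writes into a
 * caller-supplied buffer so the result can be checked, and the format
 * attribute lets gcc/clang (-Wformat -Wformat-security) warn at compile
 * time when a caller passes a non-literal format with no arguments. */
int message_warning(char *out, size_t outsz, const char *fmt, ...) PRINTF_LIKE(3, 4);

int message_warning(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Count printf conversion specifiers in an untrusted string; "%%" is a
 * literal percent sign and is not counted. Useful as a test oracle or a
 * log sanity check, but it is not the fix: the fix is the call shape
 * in report_open_failure below. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent */
        n++;
    }
    return n;
}

/* Hardened report: the format is a string literal and the filename is
 * passed as data, so any '%' in it is copied verbatim. The vulnerable
 * shape is message_warning(out, outsz, filename), where a name such as
 * "x%n%n.bmp" would be interpreted as a format instead of printed. */
int report_open_failure(char *out, size_t outsz, const char *filename)
{
    return message_warning(out, outsz, "Could not open %s", filename);
}
```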

Exploit-Db

description: Dia 0.8x/0.9x Filename Remote Format String Vulnerability. CVE-2006-2480. DoS exploit for the Linux platform
id: EDB-ID:27903
last seen: 2016-02-03
modified: 2006-05-23
published: 2006-05-23
reporter: KaDaL-X
source: https://www.exploit-db.com/download/27903/
title: Dia 0.8x/0.9x Filename Remote Format String Vulnerability

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2006-0541.NASL
    description: Updated Dia packages that fix several buffer overflow bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Dia drawing program is designed to draw various types of diagrams. Several format string flaws were found in the way dia displays certain messages. If an attacker is able to trick a Dia user into opening a carefully crafted file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-2453, CVE-2006-2480) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21998
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21998
    title: CentOS 4 : dia (CESA-2006:0541)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-286-1.NASL
    description: Several format string vulnerabilities have been discovered in dia. By tricking a user into opening a specially crafted dia file, or a file with a specially crafted name, this could be exploited to execute arbitrary code with the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21604
    published: 2006-05-27
    reporter: Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21604
    title: Ubuntu 5.04 / 5.10 : dia vulnerabilities (USN-286-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200606-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200606-03 (Dia: Format string vulnerabilities). KaDaL-X discovered a format string error within the handling of filenames. Hans de Goede also discovered several other format string errors in the processing of dia files. Impact: By enticing a user to open a specially crafted file, a remote attacker could exploit these vulnerabilities to execute arbitrary code with the rights of the user running the application. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21665
    published: 2006-06-08
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21665
    title: GLSA-200606-03 : Dia: Format string vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_EXTRAS_DIA_2006-001.NASL
    description: This update fixes CVE-2006-1550, CVE-2006-2453, CVE-2006-2480. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62280
    published: 2012-09-24
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62280
    title: Fedora Extras 5 : dia-0.95-3
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_DIA-1435.NASL
    description: Format string bugs in dia could potentially be exploited to execute arbitrary code (CVE-2006-2453, CVE-2006-2480).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27198
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27198
    title: openSUSE 10 Security Update : dia (dia-1435)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-093.NASL
    description: A format string vulnerability in Dia allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file. (CVE-2006-2480) Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480. (CVE-2006-2453) Packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21617
    published: 2006-05-31
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21617
    title: Mandrake Linux Security Advisory : dia (MDKSA-2006:093)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2006-580.NASL
    description: CVE-2006-2480/CVE-2006-2453 Dia format string issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24113
    published: 2007-01-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24113
    title: Fedora Core 4 : dia-0.94-16.fc4 (2006-580)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2006-0541.NASL
    description: Updated Dia packages that fix several buffer overflow bugs are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Dia drawing program is designed to draw various types of diagrams. Several format string flaws were found in the way dia displays certain messages. If an attacker is able to trick a Dia user into opening a carefully crafted file, it may be possible to execute arbitrary code as the user running Dia. (CVE-2006-2453, CVE-2006-2480) Users of Dia should update to these erratum packages, which contain backported patches and are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21638
    published: 2006-06-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21638
    title: RHEL 4 : dia (RHSA-2006:0541)

Oval

accepted: 2013-04-29T04:12:29.095-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
family: unix
id: oval:org.mitre.oval:def:11224
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.
version: 25

Redhat

advisories
bugzilla
  id: 192698
  title: CVE-2006-2480 Dia format string issue (CVE-2006-2453)
oval
  OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 4 is installed
      oval: oval:com.redhat.rhba:tst:20070304025
    • comment: dia is earlier than 1:0.94-5.7.1
      oval: oval:com.redhat.rhsa:tst:20060541001
    • comment: dia is signed with Red Hat master key
      oval: oval:com.redhat.rhsa:tst:20060280002
rhsa
  id: RHSA-2006:0541
  released: 2006-06-01
  severity: Moderate
  title: RHSA-2006:0541: dia security update (Moderate)
rpms
  • dia-1:0.94-5.7.1
  • dia-debuginfo-1:0.94-5.7.1