Vulnerabilities > CVE-2010-4051 - Unspecified vulnerability in GNU Glibc

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
gnu
nessus
exploit available

Summary

The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow."

Exploit-Db

description: GNU libc/regcomp(3) Multiple Vulnerabilities. CVE-2010-4051. DoS exploit for Linux platform
file: exploits/linux/dos/15935.c
id: EDB-ID:15935
last seen: 2016-02-01
modified: 2011-01-07
platform: linux
port:
published: 2011-01-07
reporter: Maksymilian Arciemowicz
source: https://www.exploit-db.com/download/15935/
title: GNU libc/regcomp3 Multiple Vulnerabilities
type: dos

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-5098.NASL
    description: The second release candidate for proftpd 1.3.4. This includes fixes for a number of security issues : - Plaintext command injection vulnerability in FTPS implementation - Badly formed SSH messages cause DoS - Limit recursion depth for untrusted regular expressions (#673040) The update also contains a large number of bug fixes over release candidate 1, plus new support for SSL session caching using memcached. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 53460
    published: 2011-04-18
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/53460
    title: Fedora 15 : proftpd-1.3.4-0.8.rc2.fc15 (2011-5098)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2011-5098.
    #
    
    include("compat.inc");
    
    # Metadata-only branch: when `description` is set, the script registers its
    # identifiers, advisory text and scoring, then exits at the end of this block
    # without running any host check.
    if (description)
    {
      script_id(53460);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:35");
    
      # Three CVEs are attached to this single package check. CVE-2010-4051 is the
      # glibc regcomp RE_DUP_MAX denial of service; the advisory text below lists a
      # proftpd-side change ("Limit recursion depth for untrusted regular
      # expressions"), so this plugin tracks the proftpd package, not glibc.
      # NOTE(review): a host that passes this check may still carry an affected
      # glibc used by other regcomp callers - confirm with the glibc package checks.
      script_cve_id("CVE-2010-4051", "CVE-2010-4052", "CVE-2011-1137");
      script_bugtraq_id(45233);
      script_xref(name:"FEDORA", value:"2011-5098");
    
      script_name(english:"Fedora 15 : proftpd-1.3.4-0.8.rc2.fc15 (2011-5098)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # Description text is carried over from the Fedora advisory, as the closing
      # paragraph of the string itself states.
      script_set_attribute(
        attribute:"description", 
        value:
    "The second release candidate for proftpd 1.3.4.
    
    This includes fixes for a number of security issues :
    
      - Plaintext command injection vulnerability in FTPS
        implementation
    
        - Badly formed SSH messages cause DoS
    
        - Limit recursion depth for untrusted regular
          expressions (#673040)
    
    The update also contains a large number of bug fixes over release
    candidate 1, plus new support for SSL session caching using memcached.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # References: two Red Hat Bugzilla entries and a shortened link; the comment
      # above the third entry records the Fedora package-announce URL it stands for.
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=645859"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=681718"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2011-April/058262.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c0126ca2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected proftpd package."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: proof-of-concept exploit code, official fix available,
      # report confidence not defined.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # "local" plugin type: the verdict comes from data collected on the host,
      # which is why the required keys below include the local-checks flag and the
      # rpm list.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:proftpd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # The check depends on ssh_get_info.nasl and on three knowledge-base keys;
      # presumably that dependency is what populates them during a credentialed
      # scan - TODO confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      # Leave before the host-check code that follows this block.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Host check for the Fedora 15 proftpd update. As written, this code only
    # reads knowledge-base items and package data; it does not contact the
    # proftpd service. Each failed precondition is reported through audit().

    # Local (credentialed) checks must be enabled for this scan.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }

    # The release string must identify a Fedora host.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release)
    {
      audit(AUDIT_OS_NOT, "Fedora");
    }

    # Pull the numeric release out of the string and require Fedora 15.
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    }
    os_ver = os_ver[1];
    if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver))
    {
      audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver);
    }

    # Without a package list there is nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    # Only x86_64 and i386-i686 hosts are handled.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    }

    # Compare the installed proftpd against the fixed build; rpm_check presumably
    # returns true when the installed package is older - verify against rpm.inc.
    # NOTE(review): only proftpd is examined here; the glibc package that holds
    # the regcomp flaw (CVE-2010-4051) is not checked by this plugin.
    flag = 0;
    if (rpm_check(release:"FC15", reference:"proftpd-1.3.4-0.8.rc2.fc15"))
    {
      flag++;
    }

    if (!flag)
    {
      # Nothing flagged: distinguish "package tested and fine" from "not installed".
      tested = pkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "proftpd");
      }
    }
    else
    {
      # Flagged: raise the finding, attaching the rpm report when verbosity allows.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:rpm_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL family: Junos Local Security Checks
    NASL id: JUNIPER_JSA10612.NASL
    description: According to its self-reported version number, the remote Juniper Junos device is affected by a denial of service vulnerability in the regcomp implementation of the GNU C Library used in the command-line interpreter (CLI). An attacker can exploit this vulnerability to crash the RE by using a crafted regular expression containing adjacent repetition operators or adjacent bounded repetitions.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72001
    published: 2014-01-16
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72001
    title: Juniper Junos CLI libc recomp() rpd DoS (JSA10612)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Metadata-only branch: when `description` is set, the script registers its
    # identifiers, advisory text and scoring, then exits at the end of this block
    # without running the version check.
    if (description)
    {
      script_id(72001);
      script_version("1.4");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      # Both CVEs are tied to Juniper advisory JSA10612 through the xref below.
      script_cve_id("CVE-2010-4051", "CVE-2010-4052");
      script_bugtraq_id(45233);
      script_xref(name:"JSA", value:"JSA10612");
    
      # NOTE(review): "recomp()" in the name reads as a typo for regcomp(), the
      # function named in the description text; the string is left unchanged
      # because it is the plugin title emitted at runtime.
      script_name(english:"Juniper Junos CLI libc recomp() rpd DoS (JSA10612)");
      script_summary(english:"Checks the Junos version and build date.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      # The description states that the finding rests on the device's
      # self-reported version number, i.e. the flaw itself is not exercised.
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the remote Juniper
    Junos device is affected by a denial of service vulnerability in the
    regcomp implementation of the GNU C Library used in the command-line
    interpreter (CLI). A attacker can exploit this vulnerability to crash
    the RE by using a crafted regular expression containing adjacent
    repetition operators or adjacent bounded repetitions.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant Junos upgrade referenced in Juniper advisory
    JSA10612.");
      # CVSS v2 base vector: local access, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: proof-of-concept exploit code, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # NOTE(review): the vulnerability date (2014/01/08) is later than the patch
      # date (2013/09/18); presumably the former is the advisory publication
      # date - confirm against JSA10612.
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/16");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Junos Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      # The check needs the Junos version and build date from the knowledge base;
      # presumably junos_version.nasl is what records them - TODO confirm.
      script_dependencies("junos_version.nasl");
      script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/JUNOS/BuildDate");
    
      # Leave before the version-check code that follows this block.
      exit(0);
    }
    
    include("audit.inc");
    include("junos.inc");
    include("misc_func.inc");
    
    # Version check for JSA10612. The verdict is derived from the version string
    # and build date stored in the knowledge base; no regular expression is sent
    # to the device.
    ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
    build_date = get_kb_item_or_exit('Host/Juniper/JUNOS/BuildDate');

    # Builds dated 2013-12-12 or later are reported as not vulnerable.
    if (compare_build_dates(build_date, '2013-12-12') >= 0)
    {
      audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver + ' (build date ' + build_date + ')');
    }

    # Two specific releases are reported as not vulnerable regardless of the table.
    if (ver == '11.4R9-S1' || ver == '13.1R3-S1')
    {
      audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);
    }

    # Release branch -> first fixed release, passed to check_junos below.
    fixes = make_array(
      '10.4',    '10.4S15',
      '11.4',    '11.4R10',
      '12.1',    '12.1R8',
      '12.1X44', '12.1X44-D25',
      '12.1X45', '12.1X45-D15',
      '12.1X46', '12.1X46-D10',
      '12.2',    '12.2R6',
      '12.3',    '12.3R4',
      '13.1',    '13.1R3',
      '13.2',    '13.2R2'
    );

    # exit_on_fail:TRUE - presumably check_junos ends the script itself when the
    # version is not affected; verify against junos.inc.
    fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

    # Report the finding, with the installed/fixed version report when verbosity allows.
    if (!(report_verbosity > 0))
    {
      security_note(0);
    }
    else
    {
      report = get_report(ver:ver, fix:fix);
      security_note(port:0, extra:report);
    }
    

Packetstorm

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:78173
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-78173
    title: FreeBSD 9.1 ftpd Remote Denial of Service
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:70536
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-70536
    title: GNU libc/regcomp(3) Multiple Vulnerabilities