ID CVE-2004-0826
Summary Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.
References
Vulnerable Configurations
  • Mozilla Network Security Services 3.2
    cpe:2.3:a:mozilla:network_security_services:3.2
  • Mozilla Network Security Services 3.2.1
    cpe:2.3:a:mozilla:network_security_services:3.2.1
  • Mozilla Network Security Services 3.3
    cpe:2.3:a:mozilla:network_security_services:3.3
  • Mozilla Network Security Services 3.3.1
    cpe:2.3:a:mozilla:network_security_services:3.3.1
  • Mozilla Network Security Services 3.3.2
    cpe:2.3:a:mozilla:network_security_services:3.3.2
  • Mozilla Network Security Services 3.4
    cpe:2.3:a:mozilla:network_security_services:3.4
  • Mozilla Network Security Services 3.4.1
    cpe:2.3:a:mozilla:network_security_services:3.4.1
  • Mozilla Network Security Services 3.4.2
    cpe:2.3:a:mozilla:network_security_services:3.4.2
  • Mozilla Network Security Services 3.5
    cpe:2.3:a:mozilla:network_security_services:3.5
  • Mozilla Network Security Services 3.6
    cpe:2.3:a:mozilla:network_security_services:3.6
  • Mozilla Network Security Services 3.6.1
    cpe:2.3:a:mozilla:network_security_services:3.6.1
  • Mozilla Network Security Services 3.7
    cpe:2.3:a:mozilla:network_security_services:3.7
  • Mozilla Network Security Services 3.7.1
    cpe:2.3:a:mozilla:network_security_services:3.7.1
  • Mozilla Network Security Services 3.7.2
    cpe:2.3:a:mozilla:network_security_services:3.7.2
  • Mozilla Network Security Services 3.7.3
    cpe:2.3:a:mozilla:network_security_services:3.7.3
  • Mozilla Network Security Services 3.7.5
    cpe:2.3:a:mozilla:network_security_services:3.7.5
  • Mozilla Network Security Services 3.7.7
    cpe:2.3:a:mozilla:network_security_services:3.7.7
  • Mozilla Network Security Services 3.8
    cpe:2.3:a:mozilla:network_security_services:3.8
  • Mozilla Network Security Services 3.9
    cpe:2.3:a:mozilla:network_security_services:3.9
  • cpe:2.3:a:netscape:certificate_server:1.0:patch1
    cpe:2.3:a:netscape:certificate_server:1.0:patch1
  • Netscape Certificate Server 4.2
    cpe:2.3:a:netscape:certificate_server:4.2
  • cpe:2.3:a:netscape:directory_server:1.3:patch5
    cpe:2.3:a:netscape:directory_server:1.3:patch5
  • cpe:2.3:a:netscape:directory_server:3.1:patch1
    cpe:2.3:a:netscape:directory_server:3.1:patch1
  • Netscape Netscape Directory Server 3.12
    cpe:2.3:a:netscape:directory_server:3.12
  • Netscape Netscape Directory Server 4.1
    cpe:2.3:a:netscape:directory_server:4.1
  • Netscape Netscape Directory Server 4.11
    cpe:2.3:a:netscape:directory_server:4.11
  • Netscape Netscape Directory Server 4.13
    cpe:2.3:a:netscape:directory_server:4.13
  • Netscape Netscape Enterprise Server 2.0
    cpe:2.3:a:netscape:enterprise_server:2.0
  • cpe:2.3:a:netscape:enterprise_server:2.0.1c
    cpe:2.3:a:netscape:enterprise_server:2.0.1c
  • cpe:2.3:a:netscape:enterprise_server:2.0a
    cpe:2.3:a:netscape:enterprise_server:2.0a
  • Netscape Netscape Enterprise Server 3.0
    cpe:2.3:a:netscape:enterprise_server:3.0
  • Netscape Netscape Enterprise Server 3.0.1
    cpe:2.3:a:netscape:enterprise_server:3.0.1
  • cpe:2.3:a:netscape:enterprise_server:3.0.1b
    cpe:2.3:a:netscape:enterprise_server:3.0.1b
  • cpe:2.3:a:netscape:enterprise_server:3.0.7a:-:netware
    cpe:2.3:a:netscape:enterprise_server:3.0.7a:-:netware
  • cpe:2.3:a:netscape:enterprise_server:3.0l
    cpe:2.3:a:netscape:enterprise_server:3.0l
  • Netscape Netscape Enterprise Server 3.1
    cpe:2.3:a:netscape:enterprise_server:3.1
  • Netscape Netscape Enterprise Server 3.2
    cpe:2.3:a:netscape:enterprise_server:3.2
  • Netscape Netscape Enterprise Server 3.3
    cpe:2.3:a:netscape:enterprise_server:3.3
  • Netscape Netscape Enterprise Server 3.4
    cpe:2.3:a:netscape:enterprise_server:3.4
  • Netscape Netscape Enterprise Server 3.5
    cpe:2.3:a:netscape:enterprise_server:3.5
  • Netscape Netscape Enterprise Server 3.5.1
    cpe:2.3:a:netscape:enterprise_server:3.5.1
  • cpe:2.3:a:netscape:enterprise_server:3.5:-:solaris
    cpe:2.3:a:netscape:enterprise_server:3.5:-:solaris
  • Netscape Netscape Enterprise Server 3.6
    cpe:2.3:a:netscape:enterprise_server:3.6
  • cpe:2.3:a:netscape:enterprise_server:3.6:-:solaris
    cpe:2.3:a:netscape:enterprise_server:3.6:-:solaris
  • cpe:2.3:a:netscape:enterprise_server:3.6:sp1
    cpe:2.3:a:netscape:enterprise_server:3.6:sp1
  • cpe:2.3:a:netscape:enterprise_server:3.6:sp2
    cpe:2.3:a:netscape:enterprise_server:3.6:sp2
  • cpe:2.3:a:netscape:enterprise_server:3.6:sp3
    cpe:2.3:a:netscape:enterprise_server:3.6:sp3
  • Netscape Netscape Enterprise Server 4.0
    cpe:2.3:a:netscape:enterprise_server:4.0
  • cpe:2.3:a:netscape:enterprise_server:4.1.1:-:netware
    cpe:2.3:a:netscape:enterprise_server:4.1.1:-:netware
  • cpe:2.3:a:netscape:enterprise_server:4.1:sp3
    cpe:2.3:a:netscape:enterprise_server:4.1:sp3
  • cpe:2.3:a:netscape:enterprise_server:4.1:sp4
    cpe:2.3:a:netscape:enterprise_server:4.1:sp4
  • cpe:2.3:a:netscape:enterprise_server:4.1:sp5
    cpe:2.3:a:netscape:enterprise_server:4.1:sp5
  • cpe:2.3:a:netscape:enterprise_server:4.1:sp6
    cpe:2.3:a:netscape:enterprise_server:4.1:sp6
  • cpe:2.3:a:netscape:enterprise_server:4.1:sp7
    cpe:2.3:a:netscape:enterprise_server:4.1:sp7
  • cpe:2.3:a:netscape:enterprise_server:4.1:sp8
    cpe:2.3:a:netscape:enterprise_server:4.1:sp8
  • cpe:2.3:a:netscape:enterprise_server:5.0:-:netware
    cpe:2.3:a:netscape:enterprise_server:5.0:-:netware
  • Netscape Personalization Engine
    cpe:2.3:a:netscape:personalization_engine
  • cpe:2.3:a:sun:java_enterprise_system:2003q4
    cpe:2.3:a:sun:java_enterprise_system:2003q4
  • cpe:2.3:a:sun:java_enterprise_system:2004q2
    cpe:2.3:a:sun:java_enterprise_system:2004q2
  • cpe:2.3:a:sun:java_system_application_server:7.0:-:enterprise
    cpe:2.3:a:sun:java_system_application_server:7.0:-:enterprise
  • cpe:2.3:a:sun:java_system_application_server:7.0:-:platform
    cpe:2.3:a:sun:java_system_application_server:7.0:-:platform
  • cpe:2.3:a:sun:java_system_application_server:7.0:-:standard
    cpe:2.3:a:sun:java_system_application_server:7.0:-:standard
  • cpe:2.3:a:sun:java_system_application_server:7.0:ur4
    cpe:2.3:a:sun:java_system_application_server:7.0:ur4
  • Sun Java System Application Server 7.1
    cpe:2.3:a:sun:java_system_application_server:7.1
  • Sun ONE Application Server 6.0
    cpe:2.3:a:sun:one_application_server:6.0
  • cpe:2.3:a:sun:one_application_server:6.0:sp1
    cpe:2.3:a:sun:one_application_server:6.0:sp1
  • cpe:2.3:a:sun:one_application_server:6.0:sp2
    cpe:2.3:a:sun:one_application_server:6.0:sp2
  • Sun ONE Web Server 4.1
    cpe:2.3:a:sun:one_web_server:4.1
  • Sun ONE Web Server 4.1 SP1
    cpe:2.3:a:sun:one_web_server:4.1:sp1
  • Sun ONE Web Server 4.1 SP10
    cpe:2.3:a:sun:one_web_server:4.1:sp10
  • Sun ONE Web Server 4.1 SP11
    cpe:2.3:a:sun:one_web_server:4.1:sp11
  • Sun ONE Web Server 4.1 SP12
    cpe:2.3:a:sun:one_web_server:4.1:sp12
  • Sun ONE Web Server 4.1 SP8
    cpe:2.3:a:sun:one_web_server:4.1:sp13
  • Sun ONE Web Server 4.1 SP9
    cpe:2.3:a:sun:one_web_server:4.1:sp14
  • Sun ONE Web Server 4.1 SP2
    cpe:2.3:a:sun:one_web_server:4.1:sp2
  • Sun ONE Web Server 4.1 SP3
    cpe:2.3:a:sun:one_web_server:4.1:sp3
  • Sun ONE Web Server 4.1 SP4
    cpe:2.3:a:sun:one_web_server:4.1:sp4
  • Sun ONE Web Server 4.1 SP5
    cpe:2.3:a:sun:one_web_server:4.1:sp5
  • Sun ONE Web Server 4.1 SP6
    cpe:2.3:a:sun:one_web_server:4.1:sp6
  • Sun ONE Web Server 4.1 SP7
    cpe:2.3:a:sun:one_web_server:4.1:sp7
  • Sun ONE Web Server 4.1 SP8
    cpe:2.3:a:sun:one_web_server:4.1:sp8
  • Sun ONE Web Server 4.1 SP9
    cpe:2.3:a:sun:one_web_server:4.1:sp9
  • cpe:2.3:a:sun:one_web_server:6.0:sp3
    cpe:2.3:a:sun:one_web_server:6.0:sp3
  • cpe:2.3:a:sun:one_web_server:6.0:sp4
    cpe:2.3:a:sun:one_web_server:6.0:sp4
  • cpe:2.3:a:sun:one_web_server:6.0:sp5
    cpe:2.3:a:sun:one_web_server:6.0:sp5
  • cpe:2.3:a:sun:one_web_server:6.0:sp7
    cpe:2.3:a:sun:one_web_server:6.0:sp7
  • cpe:2.3:a:sun:one_web_server:6.0:sp8
    cpe:2.3:a:sun:one_web_server:6.0:sp8
  • Sun ONE Web Server 6.1
    cpe:2.3:a:sun:one_web_server:6.1
  • Sun ONE Web Server 6.1 SP1
    cpe:2.3:a:sun:one_web_server:6.1:sp1
  • Sun ONE Web Server 6.1 SP2
    cpe:2.3:a:sun:one_web_server:6.1:sp2
  • HP-UX 11.00
    cpe:2.3:o:hp:hp-ux:11.00
  • HP-UX 11.11
    cpe:2.3:o:hp:hp-ux:11.11
  • cpe:2.3:o:hp:hp-ux:11.23:-:ia64_64-bit
    cpe:2.3:o:hp:hp-ux:11.23:-:ia64_64-bit
CVSS
Base: 7.5 (as of 15-06-2005 - 15:15)
Impact:
Exploitability:
Access
    Vector NETWORK
    Complexity LOW
    Authentication NONE
Impact
    Confidentiality PARTIAL
    Integrity PARTIAL
    Availability PARTIAL
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_NSS_392.NASL
    description The following package needs to be updated: nss
    last seen 2018-09-02
    modified 2018-08-22
    plugin id 14440
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14440
    title FreeBSD : nss -- exploitable buffer overflow in SSLv2 protocol handler (129)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_207F8FF3F69711D881B0000347A4FA7D.NASL
    description ISS X-Force reports that a remotely exploitable buffer overflow exists in the Netscape Security Services (NSS) library's implementation of SSLv2. From their advisory: The NSS library contains a flaw in SSLv2 record parsing that may lead to remote compromise. When parsing the first record in an SSLv2 negotiation, the client hello message, the server fails to validate the length of a record field. As a result, it is possible for an attacker to trigger a heap-based overflow of arbitrary length. Note that the vulnerable NSS library is also present in Mozilla-based browsers. However, it is not believed that browsers are affected, as the vulnerability is present only in code used by SSLv2 *servers*.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 37032
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37032
    title FreeBSD : nss -- exploitable buffer overflow in SSLv2 protocol handler (207f8ff3-f697-11d8-81b0-000347a4fa7d)
  • NASL family Gain a shell remotely
    NASL id SSLV2_HELLO_OVERFLOW.NASL
    description The remote host seems to be using the Mozilla Network Security Services (NSS) Library, a set of libraries designed to support the development of security-enabled client/server applications. There seems to be a flaw in the remote version of this library, in the SSLv2 handling code, that may allow an attacker to cause a heap overflow and therefore execute arbitrary commands on the remote host. To exploit this flaw, an attacker needs to send a malformed SSLv2 'hello' message to the remote service.
    last seen 2019-02-21
    modified 2013-10-18
    plugin id 14361
    published 2004-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14361
    title Netscape NSS Library SSLv2 Challenge Overflow
refmap via4
bid 11015
hp SSRT4779
iss 20040823 Netscape NSS Library Remote Compromise
xf sslv2-client-hello-overflow(16314)
Last major update 17-10-2016 - 22:49
Published 31-12-2004 - 00:00
Last modified 10-07-2017 - 21:30