CVE-2006-2480 - Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service

CVE-2006-2480

Summary

Format string vulnerability in Dia 0.94 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other mechanisms for input that are automatically processed by Dia, such as a crafted .dia file.

References

Vulnerable Configurations

cpe:2.3:a:dia:dia:0.94:*:*:*:*:*:*:*
cpe:2.3:a:dia:dia:0.94:*:*:*:*:*:*:*

CVSS

Base:	5.1 (as of 03-10-2018 - 21:41)
Impact:
Exploitability:

CWE

CWE-134

CAPEC

String Format Overflow in syslog()
This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:H/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:12:29.095-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990

description

family

unix

oval:org.mitre.oval:def:11224

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	1618109
title	CVE-2006-2480 security flaw

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025
comment dia is earlier than 1:0.94-5.7.1
oval oval:com.redhat.rhsa:tst:20060541001
comment dia is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060280002

rhsa

id	RHSA-2006:0541
released	2006-06-01
severity	Moderate
title	RHSA-2006:0541: dia security update (Moderate)

rpms

dia-1:0.94-5.7.1
dia-debuginfo-1:0.94-5.7.1

refmap via4

bid	18078
confirm	http://bugzilla.gnome.org/show_bug.cgi?id=342111
gentoo	GLSA-200606-03
mandriva	MDKSA-2006:093
misc	http://kandangjamur.net/tutorial/dia.txt
osvdb	25699
sectrack	1016203
secunia	20199 20254 20339 20422 20457 20513
suse	SUSE-SR:2006:012
ubuntu	USN-286-1
vuln-dev	20060506 DIA file name handling format string
vupen	ADV-2006-1908

Last major update

03-10-2018 - 21:41

Published

19-05-2006 - 21:02

Last modified

03-10-2018 - 21:41