CVE-2004-2687
Published 2004-12-31
Priority: P2 · 69 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 90.47% (99.6th percentile)
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | xcode | — | — |
| debian | distcc | < distcc 2.18.1-1 (bookworm) | distcc 2.18.1-1 (bookworm) |
| samba | samba | <= 2.18.3 | — |
Detection & IOCs (extracted from sources)
bytes:
444953543030303030303031
bytes:
41524743303030303030303841524756303030303030303273684152475630303030303030322d634152475630303030303030637368202d6320272869642927415247563030303030303031234152475630303030303030322d634152475630303030303030366d61696e2e634152475630303030303030322d6f4152475630303030303030366d61696e2e6f444f5449303030303030303141
- Exploit traffic begins with the magic token 'DIST00000001' followed by 'ARGC' and the argument count in hex. Detect this pattern on TCP port 3632 to identify CVE-2004-2687 exploitation attempts.
- The exploit appends 'ARGV' tokens for each shell argument (e.g., 'sh', '-c', payload) followed by a 'DOTI' token with a 10-byte alphanumeric tag and newline. Monitor for this protocol sequence on port 3632.
- The exploit disguises the payload as a compile job by appending '# -c main.c -o main.o' to the argument list. Look for these literal strings in distccd TCP streams.
- Successful exploitation results in command output containing 'uid=<N>...gid=<N>...' in the response. Use this regex to confirm RCE in network captures or IDS.
- The Nuclei probe sends the full hex-encoded distcc RCE payload (running 'id') over TCP port 3632. The two hex blobs can be used as byte signatures in Snort/Suricata rules.
- The vulnerability only affects distccd instances that are NOT configured to restrict access to the server port; deployments with a proper IP whitelist are not exposed.
- The Metasploit module notes the process runs without elevated privileges by default ('Privileged => false'), so post-exploitation impact depends on the uid distccd runs as.
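Added example (not taken from any source quoted on this page): a Python sketch of the detection logic in the notes above, run over a reassembled client-to-server stream captured on TCP port 3632. Because the 'DIST00000001' and 'ARGC' header also opens ordinary compile jobs, it decides on the ARGV values instead; the function names, the compiler-name allowlist and the benign sample are assumptions.

```python
import re

TOKEN = re.compile(rb"(ARGC|ARGV|DOTI)([0-9a-fA-F]{8})")
# Assumed allowlist of compiler names for argv[0]; adjust to the local toolchain.
COMPILER = re.compile(
    r"^(?:[\w.+-]*-)?(?:gcc|g\+\+|cc|c\+\+|clang|clang\+\+)(?:-[\d.]+)?$")

def parse_request(stream: bytes):
    """Return the ARGV list of a distcc v1 request, or None if it is not one."""
    if not stream.startswith(b"DIST00000001"):
        return None
    pos, argv = 12, []
    while (m := TOKEN.match(stream, pos)):
        name, value = m.group(1), int(m.group(2), 16)
        pos = m.end()
        if name == b"DOTI":      # job body follows the argument list; stop
            break
        if name == b"ARGV":      # value is the byte length of the argument
            argv.append(stream[pos:pos + value].decode("latin-1"))
            pos += value
    return argv

def findings(stream: bytes):
    """List the reasons a client stream looks like command abuse (empty if none)."""
    argv = parse_request(stream)
    if argv is None:
        return []
    reasons = []
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    if not COMPILER.match(prog):
        reasons.append(f"argv[0] is not a compiler: {prog!r}")
    if "#" in argv:
        reasons.append("'#' argument hides the trailing compile flags from a shell")
    return reasons

# Constructed benign compile job.
BENIGN = (b"DIST00000001ARGC00000005ARGV00000003gccARGV00000002-c"
          b"ARGV00000006main.cARGV00000002-oARGV00000006main.o"
          b"DOTI0000000bint x = 1;\n")
# The request obtained by decoding the two hex blobs listed above.
SUSPECT = (b"DIST00000001ARGC00000008ARGV00000002shARGV00000002-c"
           b"ARGV0000000csh -c '(id)'ARGV00000001#ARGV00000002-c"
           b"ARGV00000006main.cARGV00000002-oARGV00000006main.o"
           b"DOTI00000001A")

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, findings(data))
```

Keying on argv[0] avoids alerting on every legitimate job from a permitted build client, which a match on the header tokens alone would do.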
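CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 9.3 | CRITICAL | |
| vendor_debian | | 9.3 | LOW | |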
GHSA
GHSA-88vv-hvrc-733q: distcc 2
ghsa_unreviewed·2022-04-29
CVE-2004-2687 [HIGH] GHSA-88vv-hvrc-733q: distcc 2
OSV
CVE-2004-2687: distcc 2
osv·2004-12-31·CVSS 9.3
CVE-2004-2687 [CRITICAL] CVE-2004-2687: distcc 2
Debian
CVE-2004-2687: distcc - distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict acc...
vendor_debian·2004·CVSS 9.3
CVE-2004-2687 [CRITICAL] CVE-2004-2687: distcc - distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict acc...
Scope: local
bookworm: resolved (fixed in 2.18.1-1)
bullseye: resolved (fixed in 2.18.1-1)
forky: resolved (fixed in 2.18.1-1)
sid: resolved (fixed in 2.18.1-1)
trixie: resolved (fixed in 2.18.1-1)
No detection rules found.
Exploit-DB
DistCC Daemon - Command Execution (Metasploit)
exploitdb·2002-02-01
CVE-2004-2687 DistCC Daemon - Command Execution (Metasploit)
---
##
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'DistCC Daemon Command Execution',
'Description' => %q{
This module uses a documented security weakness to execute
arbitrary commands on any system running distccd.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2004-2687'],
[ 'OSVDB', '13378' ],
[ 'URL', 'http://distcc.samba.org/security.html'],
],
'Platform' => ['u
Nuclei
Distccd v1 - Remote Code Execution
nuclei·CVSS 9.3
CVE-2004-2687 [CRITICAL] Distccd v1 - Remote Code Execution
Template:
id: CVE-2004-2687
info:
  name: Distccd v1 - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
  impact: |
    Unauthenticated attackers can execute arbitrary commands with elevated privileges by sending malicious compilation jobs to distcc servers tha
Metasploit
DistCC Daemon Command Execution
metasploit
This module uses a documented security weakness to execute arbitrary commands on any system running distccd.
Bugzilla
CVE-2004-2687 distcc: TCP mode has too permissive default IP address whitelist [epel-all]
bugzilla·2018-12-18·CVSS 9.3
CVE-2004-2687 [CRITICAL] CVE-2004-2687 distcc: TCP mode has too permissive default IP address whitelist [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supporte
Bugzilla
CVE-2004-2687 distcc: TCP mode has too permissive default IP address whitelist [fedora-all]
bugzilla·2018-12-18·CVSS 9.3
CVE-2004-2687 [CRITICAL] CVE-2004-2687 distcc: TCP mode has too permissive default IP address whitelist [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2004-2687 distcc: TCP mode has too permissive default IP address whitelist
bugzilla·2018-12-18·CVSS 9.3
CVE-2004-2687 [CRITICAL] CVE-2004-2687 distcc: TCP mode has too permissive default IP address whitelist
In TCP mode, distcc checks the client IP address against a whitelist, which (iirc) is required but can be set quite loosely. There is of course no guarantee that every user on a permitted client address is friendly.
Once the connection is established the client can reasonably easily manipulate the server into running arbitrary commands.
Upstream issue:
https://github.com/distcc/distcc/issues/155
Discussion:
Created distcc tracking bugs for this issue:
Affects: epel-all [bug 1660408]
Affects: fedora-all [bug 1660407]
---
IBM will do testing as Red Hat will not have access to the new hardware for testing. Setting to OtherQA.
---
This CVE Bugzilla entry is for community support informational purposes onl
References
- http://archives.neohapsis.com/archives/bugtraq/2005-03/0183.html
- http://distcc.samba.org/security.html
- http://lists.samba.org/archive/distcc/2004q3/002550.html
- http://lists.samba.org/archive/distcc/2004q3/002562.html
- http://www.metasploit.org/projects/Framework/exploits.html#distcc_exec
- http://www.osvdb.org/13378