CVE-2006-4655
Published 2006-09-09
Priority P4 · 19 · medium · 4.6 CVSS 2.0
AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 0.87% (54.4th percentile)
Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sco | unixware | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
No detection rules found.
Exploit-DB
X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)
exploitdb·2006-09-13·CVSS 4.6
CVE-2006-4655 [MEDIUM] X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)
X11R6
*
* Buffer overflow in the Strcmp function in the XKEYBOARD extension in X
* Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun
* Solaris 8 through 10, allows local users to gain privileges via a long
* _XKB_CHARSET environment variable value (CVE-2006-4655).
*
* "You certainly do some ninja shit man." -- Kevin Finisterre (0dd)
*
* Exploitation on Solaris 8/9 platforms was trivial, while recent Solaris 10
* required additional efforts: for some obscure reason traditional return
* into the stack doesn't work (SIGSEGV due to FLTBOUNDS?!), sprintf() must
* be used instead of strcpy() (some new security measures were apparently
* introduced to prevent exploitation), and the ld.so.1 memory space is a
* bit changed. In order for this exploit to work, the X Window Syst
Exploit-DB
X11R6 < 6.4 XKEYBOARD (solaris x86) - Local Buffer Overflow
exploitdb·2006-09-08
CVE-2006-4655 X11R6 < 6.4 XKEYBOARD (solaris x86) - Local Buffer Overflow
X11R6 ,
/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86
* Copyright 2006 RISE Security ,
* Ramon de Carvalho Valle
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, F
Exploit-DB
X11R6 < 6.4 XKEYBOARD (sco x86) - Local Buffer Overflow
exploitdb·2006-09-08
CVE-2006-4655 X11R6 < 6.4 XKEYBOARD (sco x86) - Local Buffer Overflow
X11R6 ,
* Ramon de Carvalho Valle
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include
#include
#include
#include
#define ADRSIZE 102
Exploit-DB
X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (1)
exploitdb·2006-09-08
CVE-2006-4655 X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (1)
X11R6 ,
* Ramon de Carvalho Valle
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
/*
* Compile with the following command.
* $ (g)cc -Wall
No writeups or analysis indexed.
http://secunia.com/advisories/21815
http://secunia.com/advisories/21845
http://secunia.com/advisories/21856
http://secunia.com/advisories/21993
http://securityreason.com/securityalert/1545
http://securitytracker.com/id?1016806
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1
http://support.avaya.com/elmodocs2/security/ASA-2006-195.htm
http://www.risesecurity.org/advisory/RISE-2006001.txt
http://www.securityfocus.com/archive/1/445579/100/0/threaded
http://www.securityfocus.com/bid/19905
http://www.vupen.com/english/advisories/2006/3525
http://www.vupen.com/english/advisories/2006/3529
https://exchange.xforce.ibmcloud.com/vulnerabilities/28820
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1798
Published: 2006-09-09