CVE-2006-6652
published 2006-12-20
Priority P3 · 52 · critical · 9 · CVSS 2.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 19.41% (97.0th percentile)
Buffer overflow in the glob implementation (glob.c) in libc in NetBSD-current before 20050914, NetBSD 2.* and 3.* before 20061203, and Apple Mac OS X before 2007-004, as used by the FTP daemon and tnftpd, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion.
Affected
45 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
No detection rules found.
Exploit-DB
NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow
exploitdb·2006-12-01
---
source: https://www.securityfocus.com/bid/21377/info
NetBSD ftpd and tnftpd are prone to a remote buffer-overflow vulnerability. This issue is due to an off-by-one error; it allows attackers to corrupt memory.
Remote attackers may execute arbitrary machine code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions.
```perl
#!perl
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttli
```
Exploit-DB
NetBSD - 'FTPd / Tnftpd' Remote Stack Overflow (PoC)
exploitdb·2006-11-30
---
```perl
#!perl
# $$$ NetBSD ftpd and ports *Remote ROOOOOT $HOLE$* $$$
#
# About
#
# tnftpd is a port of the NetBSD FTP server to other systems.
# It offers many enhancements over the traditional BSD ftpd,
# including per-class configuration directives via ftpd.conf(5),
# RFC 2389 and draft-ietf-ftpext-mlst-11 support, IPv6,
# transfer rate throttling, and more.
# tnftpd was formerly known as lukemftpd,
# and earlier versions are present in Mac OS X 10.2 (as ftpd)
# and FreeBSD 5.0 (as lukemftpd).
#
# Description
#
# The NetBSD ftpd and the tnftpd port suffer from a remote stack overrun,
# which can lead to a root compromise.
#
# The bug is in glob.c file. The globbing mechanism is flawed as back in
# 2001.
#
# To trigger the overflow you
```
CAPEC
mitre_capec
[HIGH] CAPEC-47: Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
Execution Flow:
Step 1 [Explore]: [Identify target application] The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.
Step 2 [Experiment]: [Find injection vector] The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
Technique: In this attack, the normal
References
- http://docs.info.apple.com/article.html?artnum=305391
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-027.txt.asc
- http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051009.html
- http://secunia.com/advisories/23178
- http://secunia.com/advisories/24966
- http://securitytracker.com/id?1017386
- http://www.osvdb.org/31781
- http://www.securityfocus.com/bid/21377
- http://www.us-cert.gov/cas/techalerts/TA07-109A.html
- http://www.vupen.com/english/advisories/2007/1470
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30670