CVE-2009-2957
Published: 2009-09-02
Priority: P3 47 · medium · CVSS 2.0 base score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: EPSS 12.68% (95.8th percentile)
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
Affected
81 ranges (25 shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dnsmasq | < dnsmasq 2.50-1 (bookworm) | dnsmasq 2.50-1 (bookworm) |
| thekelleys | dnsmasq | <= 2.49 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
Ubuntu
Dnsmasq vulnerabilities
vendor_ubuntu · 2009-09-01 · CVSS 6.8 (MEDIUM)
Iván Arce, Pablo Hernán Jorge, Alejandro Pablo Rodriguez, Martín Coco,
Alberto Soliño Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. A remote attacker could cause a denial of service or execute
arbitrary code with user privileges. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)
Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests. A remote attacker could
cause a denial of service by sending a crafted TFTP request.
(CVE-2009-2958)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
dnsmasq: multiple vulnerabilities in TFTP server
vendor_redhat · 2009-08-31 · CVSS 6.8 (MEDIUM)
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
Debian
CVE-2009-2957: dnsmasq - Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq bef...
vendor_debian · 2009 · CVSS 6.8 (MEDIUM)
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
Scope: local
bookworm: resolved (fixed in 2.50-1)
bullseye: resolved (fixed in 2.50-1)
forky: resolved (fixed in 2.50-1)
sid: resolved (fixed in 2.50-1)
trixie: resolved (fixed in 2.50-1)
GHSA
GHSA-3wv8-c9pw-2c36: Heap-based buffer overflow in the tftp_request function in tftp
ghsa_unreviewed · 2022-05-02 · MEDIUM · CWE-119
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
OSV
CVE-2009-2957: Heap-based buffer overflow in the tftp_request function in tftp
osv · 2009-09-02 · CVSS 6.8 (MEDIUM)
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
No detection rules found.
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware
arxiv_fulltext·2022-12-29
## Abstract
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement , which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on , we present the first l
Bugzilla
CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP server
bugzilla · 2009-08-24 · CVSS 6.8 (MEDIUM)
Core Security Technologies discovered a heap overflow vulnerability in dnsmasq when the TFTP service is enabled ('--enable-tftp'). If the configured tftp-prefix is sufficiently long, and a remote user sent a request which sends a long file name, dnsmasq could crash or, possibly, execute arbitrary code with root privileges.
The default tftp-prefix is /var/tftpd, which is short enough to make this difficult to exploit; if a longer prefix is used then arbitrary code execution may be possible. As well, Red Hat does not have TFTP support enabled by default.
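As an added illustration (not dnsmasq's code), the two checks a hardened TFTP server applies to the request the report describes: parse the RRQ filename per RFC 1350, then refuse to join tftp-prefix and filename when the result would not fit the fixed path buffer. The packet bytes, buffer size and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TFTP_OP_RRQ 1

/* Constructed sample RRQ (not a real capture): opcode 1, "boot.img", NUL,
 * "octet", NUL (the literal's own terminator). */
static const uint8_t sample_rrq[] = "\x00\x01" "boot.img\0" "octet";

/* Extract the filename from an RRQ packet (RFC 1350: 2-byte opcode, filename,
 * NUL, mode, NUL). Returns the filename length, or -1 when the packet is too
 * short, is not an RRQ, or carries no NUL terminator for the filename. */
static int tftp_parse_filename(const uint8_t *pkt, size_t len, const char **name)
{
    if (len < 2 || (((unsigned)pkt[0] << 8) | pkt[1]) != TFTP_OP_RRQ)
        return -1;
    const uint8_t *nul = memchr(pkt + 2, '\0', len - 2);
    if (nul == NULL)
        return -1;
    *name = (const char *)(pkt + 2);
    return (int)(nul - (pkt + 2));
}

/* Join prefix + "/" + filename into a fixed-size buffer. Returns 0 on success
 * or -1 when the result (including its NUL) would not fit, so the caller can
 * reject the request instead of writing past the end of the buffer. */
static int tftp_build_path(const char *prefix, const char *name, size_t name_len,
                           char *out, size_t out_size)
{
    size_t plen = strlen(prefix);
    if (plen + 1 + name_len + 1 > out_size)
        return -1;
    memcpy(out, prefix, plen);
    out[plen] = '/';
    memcpy(out + plen + 1, name, name_len);
    out[plen + 1 + name_len] = '\0';
    return 0;
}

/* Whole check for one request: 0 = ok, -1 = malformed, -2 = path too long. */
static int tftp_check_request(const uint8_t *pkt, size_t len, const char *prefix,
                              char *out, size_t out_size)
{
    const char *name;
    int nlen = tftp_parse_filename(pkt, len, &name);
    if (nlen < 0)
        return -1;
    return tftp_build_path(prefix, name, (size_t)nlen, out, out_size) == 0 ? 0 : -2;
}
```

Note that the rejection depends on the prefix length as well as the filename length, which is why the report says a longer tftp-prefix widens the exposure.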
Discussion:
CORE has provided two CVE names:
CVE-2009-2957 for the heap overflow issue they found (possibly arbitrary code execution).
CVE-2009-2958 for the
References:
- http://secunia.com/advisories/36563
- http://www.coresecurity.com/content/dnsmasq-vulnerabilities
- http://www.redhat.com/support/errata/RHSA-2009-1238.html
- http://www.securityfocus.com/bid/36121
- http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
- http://www.ubuntu.com/usn/USN-827-1
- https://bugzilla.redhat.com/show_bug.cgi?id=519020
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10538
- https://rhn.redhat.com/errata/RHSA-2010-0095.html