CVE-2010-1938
Published: 2010-05-28
Priority: P2 · 58 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 21.99% (97.4th percentile)
Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| nrl | opie | <= 2.4.1 | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
| nrl | opie | — | — |
Detection & IOCs (extracted from sources)
- Trigger is a long USER command sent to ftpd over FTP (port 21); a username consisting of a long string of repeated characters (e.g. 39+ 'A's) causes an off-by-one stack overflow in __opiereadrec and results in connection termination or a daemon crash.
- The vulnerable code path is in the __opiereadrec function in readrec.c within libopie; any service linked against libopie that accepts a username is potentially affected, not just ftpd.
- The crash occurs even when OPIE is not explicitly enabled on the system, because ftpd(8) is linked against libopie by default on FreeBSD.
- Monitor FTP USER commands for abnormally long usernames; abrupt connection closure after such a command is a strong indicator of an exploitation attempt.
- Exploitation requires the target service to be linked against libopie; systems without any OPIE-capable services running are not vulnerable.
- The off-by-one writes only a single zero byte beyond the end of an on-stack buffer, limiting reliable exploitation to DoS in most configurations.
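The monitoring check from the list above, as an added example (not part of the original page or of any vendor advisory): it scans FTP session events for long USER arguments and records whether the connection closed directly afterwards. The log format, the names `scan` and `Finding`, and the 39-character default (taken from the "39+" example above) are assumptions to adapt to your own ftpd or sensor logs.

```python
import re
from collections import namedtuple

# Constructed log format (an assumption, not a real ftpd log format):
#   <timestamp> <conn-id> <EVENT> [detail]
# EVENT is CMD (client command), REPLY (server reply) or CLOSE.
LINE_RE = re.compile(r"^(\S+) (\S+) (CMD|REPLY|CLOSE)(?: (.*))?$")
USER_RE = re.compile(r"^USER (.*)$", re.IGNORECASE)

Finding = namedtuple("Finding", "conn timestamp length repeated abrupt_close")

def scan(lines, min_len=39):
    """Flag USER arguments of min_len or more characters.

    abrupt_close is True when the very next event on that connection
    is CLOSE, i.e. the server never replied to the USER command.
    """
    findings = []
    pending = {}  # conn-id -> index of a finding awaiting its next event
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        ts, conn, event, detail = m.groups()
        if conn in pending:
            idx = pending.pop(conn)
            if event == "CLOSE":
                findings[idx] = findings[idx]._replace(abrupt_close=True)
        user = USER_RE.match(detail or "") if event == "CMD" else None
        if user and len(user.group(1)) >= min_len:
            name = user.group(1)
            # repeated: the whole argument is one character, as in the page's example
            findings.append(Finding(conn, ts, len(name), len(set(name)) == 1, False))
            pending[conn] = len(findings) - 1
    return findings

# Constructed sample events, not captured traffic.
SAMPLE = [
    "2010-05-28T10:00:01Z c1 CMD USER alice",
    "2010-05-28T10:00:01Z c1 REPLY 331 Password required",
    "2010-05-28T10:00:07Z c2 CMD USER " + "A" * 45,
    "2010-05-28T10:00:07Z c2 CLOSE",
    "2010-05-28T10:00:09Z c3 CMD USER " + "svc-backup-" * 4,
    "2010-05-28T10:00:09Z c3 REPLY 331 Password required",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

A finding with `abrupt_close=True` matches the crash pattern described above; a long name that still receives a reply (connection `c3` in the sample) is worth reviewing but is the weaker signal.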
Ubuntu
libpam-opie vulnerability
vendor_ubuntu·2010-06-21
CVE-2010-1938 libpam-opie vulnerability
Title: libpam-opie vulnerability
USN-955-1 fixed vulnerabilities in OPIE. This update provides rebuilt
libpam-opie packages against the updated libopie library.
Original advisory details:
Maksymilian Arciemowicz and Adam Zabrocki discovered that OPIE incorrectly
handled long usernames. A remote attacker could exploit this with a crafted
username and make applications linked against libopie crash, leading to a
denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
OPIE vulnerability
vendor_ubuntu·2010-06-21
CVE-2010-1938 OPIE vulnerability
Title: OPIE vulnerability
Maksymilian Arciemowicz and Adam Zabrocki discovered that OPIE incorrectly
handled long usernames. A remote attacker could exploit this with a crafted
username and make applications linked against libopie crash, leading to a
denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
BSD
FreeBSD-SA-10:05.opie: OPIE off-by-one stack overflow
bsd_advisories·2010-05-27·CVSS 9.3
CVE-2010-1938 [CRITICAL] FreeBSD-SA-10:05.opie: OPIE off-by-one stack overflow
FreeBSD-SA-10:05.opie Security Advisory
The FreeBSD Project
Topic: OPIE off-by-one stack overflow
Category: contrib
Module: contrib_opie
Announced: 2010-05-27
Credits: Maksymilian Arciemowicz and Adam Zabrocki
Affects: All supported versions of FreeBSD
Corrected: 2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
           2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
           2010-05-27 03:15:04 UTC (RELENG_7, 7.3-STABLE)
           2010-05-27 03:15:04 UTC (RELENG_7_3, 7.3-RELEASE-p1)
           2010-05-27 03:15:04 UTC (RELENG_7_2, 7.2-RELEASE-p8)
           2010-05-27 03:15:04 UTC (RELENG_7_1, 7.1-RELEASE-p12)
           2010-05-27 03:15:04 UTC (RELENG_6, 6.4-STABLE)
           2010-05-27 03:15:04 UTC (RELENG_6_4, 6.4-RELEASE-p10)
CVE Name: CVE-2010-1938
For general information regarding FreeBSD Security Advisories,
including descriptions of the fiel
GHSA
GHSA-grpr-f38p-j58f: Off-by-one error in the __opiereadrec function in readrec
ghsa_unreviewed·2022-05-17
CVE-2010-1938 [HIGH] GHSA-grpr-f38p-j58f: Off-by-one error in the __opiereadrec function in readrec
Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.
- http://blog.pi3.com.pl/?p=111
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584932
- http://secunia.com/advisories/39963
- http://secunia.com/advisories/39966
- http://secunia.com/advisories/45136
- http://security.FreeBSD.org/advisories/FreeBSD-SA-10:05.opie.asc
- http://securityreason.com/achievement_securityalert/87
- http://securityreason.com/securityalert/7450
- http://securitytracker.com/id?1024040
- http://securitytracker.com/id?1025709
- http://site.pi3.com.pl/adv/libopie-adv.txt
- http://www.debian.org/security/2011/dsa-2281
- http://www.exploit-db.com/exploits/12762
- http://www.securityfocus.com/bid/40403