CVE-2010-1938
published 2010-05-28


Priority: P2 (58) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: yes
EPSS: 21.99% (97.4th percentile)
Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.

Affected

19 ranges

Vendor    Product   Version range   Fixed in
freebsd   freebsd   (10 ranges listed; version bounds not extracted)
nrl       opie      <= 2.4.1        (one of 9 ranges listed; the other bounds not extracted)

Detection & IOCs (extracted from sources)

Path: src/contrib/opie/libopie/readrec.c
URL: http://security.FreeBSD.org/patches/SA-10:05/opie.patch
  • Trigger: a long USER command sent to ftpd over FTP (TCP port 21). A username made of a long run of repeated characters (the reported PoC uses 39 or more 'A's) causes an off-by-one stack overflow in __opiereadrec and the connection is dropped when the daemon crashes.
  • The vulnerable code path is the __opiereadrec function in readrec.c within libopie; any service linked against libopie that passes a username into it is potentially affected, not just ftpd.
  • The crash occurs even when OPIE is not explicitly enabled on the system, because ftpd(8) is linked against libopie by default on FreeBSD.
  • Monitor FTP USER commands for abnormally long usernames; an abrupt connection closure immediately after such a command is a strong indicator of an exploitation attempt.
  • Exploitation requires the target service to be linked against libopie; systems with no OPIE-capable service running are not vulnerable.
  • The off-by-one writes a single zero (NUL) byte just past the end of an on-stack buffer, which in most configurations limits reliable exploitation to denial of service.
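The following C program is an added illustration of the bug class described above (a username truncated to a fixed limit and then copied into a buffer of exactly that size, so the terminating NUL lands one byte past the end) together with the USER-length check suggested in the detection bullet. It is not libopie's code and not FreeBSD's patch: the limit value PRINCIPAL_MAX (32 here), the function names, the canary trick and the sample FTP lines are all assumptions made for the demonstration. It also goes one step beyond the page's "long username" wording: in this model a username of exactly PRINCIPAL_MAX characters already triggers the stray NUL, which is why the hardened copy truncates one character earlier.

```c
/* Added illustration for CVE-2010-1938's bug class: a username is truncated to
 * PRINCIPAL_MAX characters and then copied into a PRINCIPAL_MAX-byte buffer,
 * so the terminating NUL lands one byte past the end.  This is NOT libopie's
 * code; the limit value, names and sample lines are assumptions for the demo. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PRINCIPAL_MAX 32   /* assumed limit; OPIE's real OPIE_PRINCIPAL_MAX may differ */
#define CANARY 0xA5        /* marker stored in the byte just past the logical buffer */

/* Logical PRINCIPAL_MAX-byte buffer plus one slack byte, so the stray NUL is
 * observable in the demo without undefined behaviour. */
struct slot {
    char storage[PRINCIPAL_MAX + 1];
};

static void slot_init(struct slot *s)
{
    memset(s->storage, 0, sizeof s->storage);
    s->storage[PRINCIPAL_MAX] = (char)CANARY;
}

static bool canary_clobbered(const struct slot *s)
{
    return (unsigned char)s->storage[PRINCIPAL_MAX] != CANARY;
}

/* Vulnerable pattern: truncating at index PRINCIPAL_MAX leaves exactly
 * PRINCIPAL_MAX characters, and strcpy then needs PRINCIPAL_MAX + 1 bytes. */
static void copy_principal_vulnerable(struct slot *s, char *name)
{
    if (strlen(name) > PRINCIPAL_MAX)
        name[PRINCIPAL_MAX] = '\0';
    strcpy(s->storage, name);   /* the NUL lands at storage[PRINCIPAL_MAX] */
}

/* Hardened pattern: keep at most PRINCIPAL_MAX - 1 characters so the NUL fits. */
static void copy_principal_fixed(struct slot *s, char *name)
{
    if (strlen(name) >= PRINCIPAL_MAX)
        name[PRINCIPAL_MAX - 1] = '\0';
    strcpy(s->storage, name);
}

/* Runs a constructed username of `len` repeated 'A's through one of the two
 * copies and reports whether the byte past the logical buffer was overwritten. */
bool username_clobbers_canary(size_t len, bool use_fixed)
{
    char name[256];
    struct slot s;

    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';

    slot_init(&s);
    if (use_fixed)
        copy_principal_fixed(&s, name);
    else
        copy_principal_vulnerable(&s, name);
    return canary_clobbered(&s);
}

/* Detection side: length of the argument of an FTP "USER <name>" command line,
 * or -1 if the line is some other command.  Case-insensitive verb, CRLF-tolerant. */
long user_arg_len(const char *line)
{
    const char *verb = "USER";
    const char *p = line;

    for (; *verb; p++, verb++)
        if (toupper((unsigned char)*p) != *verb)
            return -1;
    if (*p != ' ' && *p != '\t')      /* "USERNAME ..." is not a USER command */
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    return (long)strcspn(p, "\r\n");
}

int main(void)
{
    /* Constructed sample FTP command lines, not captured traffic. */
    const char *lines[] = {
        "USER bob\r\n",
        "PASS hunter2\r\n",
        "USER " "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\r\n",   /* 40 A's */
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long n = user_arg_len(lines[i]);
        if (n >= PRINCIPAL_MAX)
            printf("ALERT: USER argument of %ld bytes reaches the off-by-one\n", n);
    }
    printf("32 A's, vulnerable copy: %s\n", username_clobbers_canary(32, false) ? "clobbered" : "ok");
    printf("40 A's, fixed copy:      %s\n", username_clobbers_canary(40, true) ? "clobbered" : "ok");
    return 0;
}
```

The slack byte behind the logical buffer stands in for whatever follows the real on-stack array (saved registers, another local, a frame pointer); it is what turns a one-byte NUL write into a crash in practice. For monitoring, user_arg_len gives the threshold to alert on: any USER argument at or above the principal limit of the libopie build in use, not merely "unusually long".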