CVE-2013-1428
Published 2013-04-26
Priority: P3 · 59 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public (Exploit-DB, Metasploit)
EPSS: 60.68% (99.0th percentile)
Stack-based buffer overflow in the receive_tcppacket function in net_packet.c in tinc before 1.0.21 and 1.1 before 1.1pre7 allows remote authenticated peers to cause a denial of service (crash) or possibly execute arbitrary code via a large TCP packet.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tinc | < tinc 1.0.19-3 (bookworm) | tinc 1.0.19-3 (bookworm) |
| tinc-vpn | tinc | <= 1.0.20 | — |
| tinc-vpn | tinc | <= 1.1 | — |
| tinc | tinc | >= 0 < 1.0.19-3 | 1.0.19-3 |
Detection & IOCs
- Monitor for oversized TCP packets (>1676 bytes payload) sent to tincd on port 655 from authenticated VPN peers; the overflow offset is 1676 bytes for x86 targets.
- Detect exploitation attempts by watching for tincd process crashes (SIGABRT / SIGSEGV) accompanied by '*** buffer overflow detected ***' messages in system logs; these indicate active exploitation attempts even on non-exploitable builds.
- The vulnerable code path is receive_tcppacket() in net_packet.c; instrument or audit this function for buffer length checks when reviewing tinc source builds.
- ARM targets (e.g., Raspberry Pi / Pidora 18) with NX but no ASLR are susceptible to ROP-based exploitation with brute-force ASLR bypass; monitor for repeated rapid reconnections to tincd port 655 from the same peer as an ASLR brute-force indicator.
- Exploitation requires prior authentication as a VPN peer; unauthenticated remote attackers cannot trigger the overflow directly.
- Builds compiled with gcc 4.7.2+ and __memcpy_chk (e.g., Ubuntu 12.10, Fedora 16, openSUSE 11.2 from packages) result in a non-exploitable crash rather than code execution; detection should still alert on the crash.
- The exploit payload space is constrained to 1675 bytes; payloads exceeding this size will not fit within the overflow buffer for x86 targets.
- The ARM (Pidora 18) target requires the tincd daemon to restart between brute-force attempts due to ASLR; a non-restarting daemon configuration significantly reduces exploitability on ARM.
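An added example (not taken from any of the sources aggregated on this page): a log scan that implements the two log-based checks listed above, tincd crash indicators and rapid reconnections from a single peer. The timestamp layout, the `Connection from` message wording, and the threshold and window values are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the timestamp layout and "Connection from" wording
# are assumptions, adjust the patterns to the local tincd/syslog format.
SAMPLE_LOG = """\
2013-05-02T10:00:01 vpn1 tincd[812]: Connection from 198.51.100.7 port 40112
2013-05-02T10:00:02 vpn1 tincd[812]: *** buffer overflow detected ***: tincd terminated
2013-05-02T10:00:09 vpn1 tincd[840]: Connection from 198.51.100.7 port 40113
2013-05-02T10:00:10 vpn1 kernel: tincd[840]: segfault at 0 ip 0 sp 0 error 4
2013-05-02T10:00:17 vpn1 tincd[861]: Connection from 198.51.100.7 port 40114
2013-05-02T10:00:25 vpn1 tincd[880]: Connection from 198.51.100.7 port 40115
2013-05-02T10:07:00 vpn1 tincd[880]: Connection from 203.0.113.20 port 51000
2013-05-02T11:30:00 vpn1 tincd[880]: Connection from 203.0.113.20 port 51001
"""

LINE = re.compile(r"^(\S+) \S+ (.*)$")  # timestamp, host, rest of line
CRASH = re.compile(r"\*\*\* buffer overflow detected \*\*\*|tincd\[\d+\]: segfault|SIGABRT|SIGSEGV")
CONNECT = re.compile(r"tincd\[\d+\]: Connection from (\S+) port \d+")

def parse(log):
    """Yield (timestamp, message) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            try:
                yield datetime.fromisoformat(m.group(1)), m.group(2)
            except ValueError:
                continue  # skip lines with an unparseable timestamp

def find_crashes(log):
    """Timestamps of tincd crash indicators (fortify abort or fatal signal)."""
    return [ts for ts, msg in parse(log) if "tincd" in msg and CRASH.search(msg)]

def find_reconnect_bursts(log, threshold=4, window=timedelta(seconds=60)):
    """Peers with at least `threshold` connections inside a sliding window."""
    recent, flagged = defaultdict(deque), {}
    for ts, msg in parse(log):
        m = CONNECT.search(msg)
        if not m:
            continue
        q = recent[m.group(1)]
        q.append(ts)
        while ts - q[0] > window:  # evict connections older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m.group(1)] = max(flagged.get(m.group(1), 0), len(q))
    return flagged
```

A crash timestamp that falls inside a flagged peer's burst is the strongest signal; either result alone still warrants an alert, since the page notes that hardened builds crash without being exploitable.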
CVSS provenance
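| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | | 6.5 | MEDIUM | |
| vendor_debian | | 6.5 | MEDIUM | |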
GHSA
GHSA-wp6j-qh23-g8mc: Stack-based buffer overflow in the receive_tcppacket function in net_packet
ghsa_unreviewed · 2022-05-17 · CVE-2013-1428 [MEDIUM] · CWE-119
OSV
CVE-2013-1428: Stack-based buffer overflow in the receive_tcppacket function in net_packet
osv · 2013-04-26 · CVSS 6.5 [MEDIUM]
Debian
CVE-2013-1428: tinc - Stack-based buffer overflow in the receive_tcppacket function in net_packet.c in...
vendor_debian · 2013 · CVSS 6.5 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 1.0.19-3)
bullseye: resolved (fixed in 1.0.19-3)
forky: resolved (fixed in 1.0.19-3)
sid: resolved (fixed in 1.0.19-3)
trixie: resolved (fixed in 1.0.19-3)
No detection rules found.
Exploit-DB
Tincd - (Authenticated) Remote TCP Stack Buffer Overflow (Metasploit)
exploitdb · 2014-12-02
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'securerandom'
class Metasploit3 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Tinc's tincd
service. After authentication, a specially crafted tcp packet (default port 655)
leads to a buffer overflow and allows to execute arbitrary code. This module has
been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
(windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of
FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The
```
Metasploit
Tincd Post-Authentication Remote TCP Stack Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Tinc's tincd service. After authentication, a specially crafted TCP packet (default port 655) leads to a buffer overflow and allows execution of arbitrary code. This module has been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7 (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works for all versions <= 1.1pre6. A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module it was
Bugzilla
CVE-2013-2186 Apache commons-fileupload: Arbitrary file upload via deserialization
bugzilla · 2013-06-16 · CVSS 7.5 [HIGH]
A poison null byte flaw was found in the implementation of the DiskFileItem class. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is permitted by the user running the application server process.
Discussion:
This issue has been addressed in following products:
JBEWS 1.0 for RHEL 5
JBEWS 1.0 for RHEL 6
Via RHSA-2013:1428 https://rhn.redhat.com/errata/RHSA-2013-1428.html
---
This issue has been addressed in following products:
Red Hat JBoss BRMS 5.3.1
Red Hat JBoss Portal 4.3 CP07, 5.2.2 and 6.0.0
Via RHSA-2013:1430 https://rhn.redhat.com/errata/RH
Bugzilla
CVE-2013-1428 tinc: Stack-based buffer overflow when processing overly long TCP packets [fedora-all]
bugzilla · 2013-04-23 · CVSS 6.5 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Plea
Bugzilla
CVE-2013-1428 tinc: Stack-based buffer overflow when processing overly long TCP packets
bugzilla · 2013-04-23 · CVSS 6.5 [MEDIUM]
A stack-based buffer overflow flaw was found in the way Tinc, a virtual private network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet, processed certain TCP packets. A remote, authenticated attacker could send a specially-crafted TCP packet that, when processed would lead to tincd daemon termination (denial of service).
References:
[1] http://www.tinc-vpn.org/news/
[2] http://www.tinc-vpn.org/pipermail/tinc/2013-April/003240.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=466904
[4] https://secunia.com/advisories/53108/
Relevant upstream patch:
[5] http://www.tinc-vpn.org/git/browse?p=tinc;a=commitdiff;h=17a33dfd95b1a29e90db76414eb9
References
- http://freecode.com/projects/tinc/releases/354122
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105531.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105559.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106167.html
- http://osvdb.org/92653
- http://secunia.com/advisories/53087
- http://secunia.com/advisories/53108
- http://www.debian.org/security/2013/dsa-2663
- http://www.securityfocus.com/bid/59369
- http://www.tinc-vpn.org/news/
- http://www.tinc-vpn.org/pipermail/tinc/2013-April/003240.html
- https://github.com/gsliepen/tinc/commit/17a33dfd95b1a29e90db76414eb9622df9632320
Published: 2013-04-26