CVE-2013-4096
Published 2013-06-28
Priority: P2 · 62 · critical (CVSS 2.0 score 9)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 9.35% (94.8th percentile)
ServerAdmin/TestTelnetConnection.jsp in DS3 Authentication Server allows remote authenticated users to execute arbitrary commands via shell metacharacters in the HOST_NAME field.
Detection & IOCs
- Detect POST requests to /ServerAdmin/TestTelnetConnection.jsp containing shell metacharacters (e.g., semicolons, pipes, backticks) in the HOST_NAME parameter, indicating command injection attempts.
- Alert on HTTP responses from servers identifying themselves with the 'Server: DS3-AuthServer' header, which fingerprints the vulnerable appliance.
- Monitor POST body content to /ServerAdmin/TestTelnetConnection.jsp for the pattern HOST_NAME containing '-;' or other shell metacharacter sequences used to inject OS commands.
- Flag unauthenticated GET requests to /ServerAdmin/ErrorViewer.jsp with a user-controlled 'message' parameter, which can be abused for social engineering.
- The exploit requires prior authentication (post-auth RCE); unauthenticated exploitation of the command injection is not possible, but the error message manipulation (Issue #3) requires no authentication.
- Commands injected via HOST_NAME execute with the privileges of the 'asadmin' user, not necessarily root, which may limit post-exploitation impact depending on system configuration.
- The affected DS3 Authentication Server version is unknown; no patch or vendor fix was available at the time of public disclosure.
GHSA
GHSA-gg82-6rwc-5jqg: ServerAdmin/TestTelnetConnection
GHSA (unreviewed) · 2022-05-17 · CVE-2013-4096 [HIGH] · CWE-20
ServerAdmin/TestTelnetConnection.jsp in DS3 Authentication Server allows remote authenticated users to execute arbitrary commands via shell metacharacters in the HOST_NAME field.
Kernel
HID: LG: validate HID output report details
kernel_security · 2013-09-11 · CVSS 4.7 · CVE-2013-2893 [MEDIUM]
HID: LG: validate HID output report details
A HID device could send a malicious output report that would cause the
lg, lg3, and lg4 HID drivers to write beyond the output report allocation
during an event, causing a heap overflow:
[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
...
[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
Additionally, while lg2 did correctly validate the report details, it was
cleaned up and shortened.
CVE-2013-2893
Signed-off-by: Kees Cook
Cc: [email protected]
Reviewed-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
No detection rules found.
Bugzilla
CVE-2016-3706 glibc: stack (frame) overflow in getaddrinfo() when called with AF_INET, AF_INET6 (incomplete fix for CVE-2013-4458)
bugzilla · 2016-04-27 · CVSS 5.0 · CVE-2016-3706 [MEDIUM]
It was found that the fix for CVE-2013-4458 is incomplete.
A stack (frame) overflow flaw, which could lead to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET or AF_INET6.
This is less substantial than the CVE-2013-4458 issue because there is another, unfixed bug in nss_files which causes it to use gigabytes of stack space with "multi on" (our default) in /etc/host.conf. Only about 4096 addresses fit into a DNS reply, so this is not really exploitable via nss_dns (only in fringe cases with extremely small stacks, as sometimes seen with Java VMs).
Discussion:
Ack
Bugzilla
CVE-2013-4474 poppler: format string flaw in pdfseparate utility
bugzilla · 2013-10-30 · CVSS 5.0 · CVE-2013-4474 [MEDIUM]
Poppler was found to have a user-controlled format string vulnerability because it fails to sanitize user-supplied input. An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
The issue is said to be fixed in Poppler 0.24.3.
References:
http://seclists.org/oss-sec/2013/q4/181
Commit:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
Discussion:
Filename(line): poppler-0.24.2/utils/pdfseparate.cc(70)
Code snippet:
bool extractPages (const char *srcFileName, const char *destFileName) {
char pathName[4096];
GooString *gfileName = new GooString (srcF
References:
http://packetstormsecurity.com/files/121862/DS3-Authentication-Server-Command-Execution.html
http://www.digitalsec.net/stuff/explt+advs/DS3.AuthServer.txt