QNX RTOS FTP Client QUOTE Command Format String Overflow
2004-09-13T09:32:55
ID: OSVDB:10369
Type: osvdb
Reporter: Julio Cesar Fort (julio@rfdslabs.com.br)
Modified: 2004-09-13T09:32:55
Description
Vulnerability Description
A local overflow exists in the QNX RTOS FTP client. The FTP client's QUOTE command fails to properly check the format of the incoming string, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code with bin group privileges, resulting in a loss of integrity.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Manual Testing Notes
After a user has logged in, the following commands should cause a core dump and cause the client to crash.
ftp> quote site exec "%p.%p.%p.%p"
500 'SITE EXEC 805b730.0.0.805b180': command not understood.
ftp> quote "%s.%s.%s.%s"
Memory fault (core dumped)
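The session above is what results when the QUOTE argument is used as a printf-style format string: %p prints values from the argument area and %s dereferences them. The following C is an added example, not QNX code and not part of the original advisory; format_command, quote_unsafe and quote_safe are hypothetical names, and the fix shown is the standard constant-format pattern.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an FTP client's variadic "send command" helper:
   it formats the line that would be written to the control connection.
   Returns the line length, or -1 if it does not fit in the buffer. */
static int format_command(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Vulnerable pattern: the user's text IS the format string, so any
   conversion specifier in it consumes arguments that were never passed. */
int quote_unsafe(char *out, size_t outlen, const char *user_args)
{
    return format_command(out, outlen, user_args);
}

/* Hardened pattern: the format is a constant and the user's text is
   only ever data, so "%p" and "%s" are sent to the server verbatim. */
int quote_safe(char *out, size_t outlen, const char *user_args)
{
    return format_command(out, outlen, "%s", user_args);
}

int main(void)
{
    /* The two inputs from the testing notes, passed through the safe path. */
    const char *inputs[] = { "site exec %p.%p.%p.%p", "%s.%s.%s.%s" };
    char line[128];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (quote_safe(line, sizeof line, inputs[i]) >= 0)
            printf("would send: %s\n", line);
        else
            printf("rejected: command too long\n");
    }
    return 0;
}
```

Compiling client code with -Wformat -Wformat-security flags direct printf-family calls that pass a non-literal format with no arguments; wrappers like format_command need a format attribute for the compiler to check their callers.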
References:
Vendor URL: http://www.qnx.com
Vendor URL: http://www.qnx.com/products/index.html
Secunia Advisory ID:12533
Other Advisory URL: http://www.rfdslabs.com.br/qnx-advs-04-2004.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0410.html
ISS X-Force ID: 17347
CVE-2004-1682
CVE-2004-1682 (NVD, published 2004-08-15, modified 2017-07-11): Format string vulnerability in QNX 6.1 FTP client allows remote authenticated users to gain group bin privileges via format string specifiers in the QUOTE command. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1682