CVE-2006-6495 - Vulnerability Details - OpenCVE

Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sun	Solaris Sunos

Configuration 1 [-]

OR	cpe:2.3:o:sun:solaris:9.0::sparc:::::
	cpe:2.3:o:sun:solaris:10.0::sparc:::::
	cpe:2.3:o:sun:sunos:5.8:::::::*

No data.

References

Link	Providers
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450
http://secunia.com/advisories/23317
http://secunia.com/advisories/23991
http://securitytracker.com/id?1017376
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102724-1
http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm
http://www.securityfocus.com/bid/21564
http://www.vupen.com/english/advisories/2006/4979
https://exchange.xforce.ibmcloud.com/vulnerabilities/30848
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1909

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-12-13T01:00:00

Updated: 2024-08-07T20:26:46.547Z

Reserved: 2006-12-12T00:00:00

Link: CVE-2006-6495

Vulnrichment

No data.

NVD

Status : Modified

Published: 2006-12-13T01:28:00.000

Modified: 2024-11-21T00:22:49.093

Link: CVE-2006-6495

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-12-12T00:00:00", "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-10T00:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "23317", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/23317"}, {"name": "23991", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/23991"}, {"name": "20061212 Sun Microsystems Solaris ld.so 'doprf()' Buffer Overflow Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450"}, {"name": "102724", "tags": ["vendor-advisory", "x_refsource_SUNALERT"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102724-1"}, {"name": "21564", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/21564"}, {"name": "1017376", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1017376"}, {"name": "ADV-2006-4979", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/4979"}, {"name": "oval:org.mitre.oval:def:1909", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1909"}, {"name": "solaris-ld-doprf-bo(30848)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30848"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-6495", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "23317", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23317"}, {"name": "23991", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/23991"}, {"name": "20061212 Sun Microsystems Solaris ld.so 'doprf()' Buffer Overflow Vulnerability", "refsource": "IDEFENSE", "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450"}, {"name": "102724", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102724-1"}, {"name": "21564", "refsource": "BID", "url": "http://www.securityfocus.com/bid/21564"}, {"name": "1017376", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1017376"}, {"name": "ADV-2006-4979", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/4979"}, {"name": "oval:org.mitre.oval:def:1909", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1909"}, {"name": "solaris-ld-doprf-bo(30848)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30848"}, {"name": "http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm", "refsource": "CONFIRM", "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T20:26:46.547Z"}, "title": "CVE Program Container", "references": [{"name": "23317", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/23317"}, {"name": "23991", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/23991"}, {"name": "20061212 Sun Microsystems Solaris ld.so 'doprf()' Buffer Overflow Vulnerability", "tags": ["third-party-advisory", "x_refsource_IDEFENSE", "x_transferred"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450"}, {"name": "102724", "tags": ["vendor-advisory", "x_refsource_SUNALERT", "x_transferred"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102724-1"}, {"name": "21564", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/21564"}, {"name": "1017376", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1017376"}, {"name": "ADV-2006-4979", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/4979"}, {"name": "oval:org.mitre.oval:def:1909", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1909"}, {"name": "solaris-ld-doprf-bo(30848)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30848"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-6495", "datePublished": "2006-12-13T01:00:00", "dateReserved": "2006-12-12T00:00:00", "dateUpdated": "2024-08-07T20:26:46.547Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sun:solaris:9.0:*:sparc:*:*:*:*:*", "matchCriteriaId": "A711CDC2-412C-499D-9FA6-7F25B06267C6", "vulnerable": true}, {"criteria": "cpe:2.3:o:sun:solaris:10.0:*:sparc:*:*:*:*:*", "matchCriteriaId": "7BF232A9-9E0A-481E-918D-65FC82EF36D8", "vulnerable": true}, {"criteria": "cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*", "matchCriteriaId": "A2475113-CFE4-41C8-A86F-F2DA6548D224", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494."}, {"lang": "es", "value": "Desbordamiento de b\u00fafer en el ld.so.1 del Sun Solaris 8, 9 y 10 permite a atacantes locales ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de valores de relleno de gran precisi\u00f3n con un formato de cadena espec\u00edfico, en el par\u00e1metro de formato de la funci\u00f3n doprf .NOTA: Esta vulnerabilidad no suele traspasar los l\u00edmites de los privilegios, a excepci\u00f3n de los casos en los que se introducen ficheros externos con mensajes maliciosos, o si se combina con otras vulnerabilidades como puede ser la CVE-2006-6494."}], "id": "CVE-2006-6495", "lastModified": "2024-11-21T00:22:49.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 2.7, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-12-13T01:28:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/23317"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/23991"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1017376"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102724-1"}, {"source": "cve@mitre.org", "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/21564"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/4979"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30848"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1909"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/23317"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/23991"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1017376"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-102724-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://support.avaya.com/elmodocs2/security/ASA-2007-019.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/21564"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/4979"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30848"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1909"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}