CVE-2010-1938

Published: 28/05/2010 Updated: 29/07/2011
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 965
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and previous versions, as used on FreeBSD 6.4 up to and including 8.1-PRERELEASE and other platforms, allows remote malicious users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.
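The defect class the summary describes, a length check that is off by one when a username is copied into a fixed-size buffer, as an added illustration in C. This is constructed example code, not OPIE's readrec.c (which this page does not show); the buffer size NAME_BUF, the function names and the all-'a' test names are assumptions. It puts the wrong comparison beside a hardened copy that refuses any name that does not fit together with its terminating NUL, and shows that the one-character boundary case is exactly where the two disagree.

```c
#include <stddef.h>
#include <string.h>

/* Buffer size used for this illustration. It is a constructed value; the
 * page does not give the size of OPIE's own record buffer. */
#define NAME_BUF 16

/*
 * The off-by-one pattern: the length check admits a name of exactly NAME_BUF
 * characters, forgetting that the terminating NUL needs a byte of its own,
 * so a copy into char[NAME_BUF] would write NAME_BUF + 1 bytes.
 *
 * Returns how many bytes a plain strcpy() would write into the buffer, or 0
 * when the check rejects the name. It performs no copy, so calling it with
 * an over-long name is safe.
 */
size_t bytes_buggy_check_would_write(const char *name)
{
    size_t len = strlen(name);
    if (len > NAME_BUF)          /* wrong bound: should be len >= NAME_BUF */
        return 0;
    return len + 1;              /* characters plus the NUL */
}

/* Does the buggy check let a write past the end of a NAME_BUF buffer through? */
int buggy_check_overflows(const char *name)
{
    return bytes_buggy_check_would_write(name) > NAME_BUF;
}

/*
 * Hardened copy: refuse any name that does not fit together with its NUL.
 * Refusing (rather than silently truncating) matters for usernames, because
 * truncation can turn one account name into another.
 */
int copy_name_checked(char *dst, size_t dstsz, const char *name)
{
    size_t len = strlen(name);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, name, len + 1);  /* len < dstsz, so the NUL fits */
    return 0;
}

/*
 * Drive the hardened copy with a constructed name of the requested length
 * (all 'a'). Returns 0 if the name was stored, -1 if it was refused.
 */
int store_name_of_length(size_t len)
{
    char name[64];
    char buf[NAME_BUF];
    if (len >= sizeof name)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return copy_name_checked(buf, sizeof buf, name);
}

/* NAME_BUF - 1 fits; NAME_BUF is the off-by-one case; NAME_BUF + 1 is plainly too long. */
int boundary_case_is_caught(void)
{
    return store_name_of_length(NAME_BUF - 1) == 0
        && store_name_of_length(NAME_BUF) == -1
        && store_name_of_length(NAME_BUF + 1) == -1;
}
```

The point to check in review is the name of exactly NAME_BUF characters: the buggy comparison accepts it and the copy would place the NUL one byte past the buffer, while the hardened comparison rejects it. Any check of the form `len > size` before a copy that also stores a terminator is the pattern to look for.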

Vulnerable Products

freebsd freebsd 6.4
freebsd freebsd 7.0
freebsd freebsd 7.0_beta4
freebsd freebsd 7.1
freebsd freebsd 6
freebsd freebsd 7.2
freebsd freebsd 7.0_releng
freebsd freebsd 7.0-release
freebsd freebsd 8.0
freebsd freebsd 8.1-prerelease
nrl opie 2.32
nrl opie 2.11
nrl opie 2.10
nrl opie 2.3
nrl opie 2.22
nrl opie 2.4
nrl opie
nrl opie 2.21
nrl opie 2.2

Vendor Advisories

Maksymilian Arciemowicz and Adam Zabrocki discovered that OPIE incorrectly handled long usernames. A remote attacker could exploit this with a crafted username and make applications linked against libopie crash, leading to a denial of service ...

USN-955-1 fixed vulnerabilities in OPIE. This update provides rebuilt libpam-opie packages against the updated libopie library ...

Sebastian Krahmer discovered that opie, a system that makes it simple to use One-Time passwords in applications, is prone to a privilege escalation (CVE-2011-2490) and an off-by-one error, which can lead to the execution of arbitrary code (CVE-2011-2489). Adam Zabrocki and Maksymilian Arciemowicz also discovered another off-by-one error (CVE-2010-1 ...

Exploits

# FreeBSD 8.0 ftpd off-by-one PoC (FreeBSD-SA-10:05)
# CVE-2010-1938
# FreeBSD-SA-10:05
# Credit: Maksymilian Arciemowicz and Adam Zabrocki
#
# securityreason.com/achievement_securityalert/87
# security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
# blog.pi3.com.pl/?p=111
# PoC:
Connected to localhost
Escape character is ...

FreeBSD version 8.0 ftpd off-by-one proof of concept exploit ...

Nmap Scripts

ftp-libopie

Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow), a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki. See the advisory at https://nmap.org/r/fbsd-sa-opie. Be advised that, if launched against a vulnerable host, this script will crash the FTPd.

nmap -sV --script=ftp-libopie <target>

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-libopie:
|   VULNERABLE:
|   OPIE off-by-one stack overflow
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2010-1938  OSVDB:64949
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|       An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
|       attackers to cause a denial of service or possibly execute arbitrary code
|       via a long username.
|     Disclosure date: 2010-05-27
|     References:
|       http://osvdb.org/64949
|       http://site.pi3.com.pl/adv/libopie-adv.txt
|       http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938

Output from a later version of the script, which cites BID instead of OSVDB:

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-libopie:
|   VULNERABLE:
|   OPIE off-by-one stack overflow
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2010-1938  BID:40403
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|       An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
|       attackers to cause a denial of service or possibly execute arbitrary code
|       via a long username.
|     Disclosure date: 2010-05-27
|     References:
|       http://site.pi3.com.pl/adv/libopie-adv.txt
|       http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
|       https://www.securityfocus.com/bid/40403
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938

Github Repositories

nmap: network mapper. Ports direct traffic; there are 65535 ports, of which the well-known ports are 1 to 1023.

Version check:

$ nmap -v
Starting Nmap 7.91 ( nmap.org ) at 2021-08-02 12:13 IST
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds

SYN scan:

$ sudo ...