Vulnerability Name:

CVE-2008-1215 (CCN-41034)

Assigned:2008-02-29
Published:2008-02-29
Updated:2017-08-08
Summary:Stack-based buffer overflow in the command_Expand_Interpret function in command.c in ppp (aka user-ppp), as distributed in FreeBSD 6.3 and 7.0, OpenBSD 4.1 and 4.2, and the net/userppp package for NetBSD, allows local users to gain privileges via long commands containing "~" characters.
CVSS v3 Severity:8.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-264
Vulnerability Consequences:Gain Privileges
References:Source: CCN
Type: OpenBSD FTP Web page
009_ppp.patch

Source: MITRE
Type: CNA
CVE-2008-1215

Source: CCN
Type: SA29234
OpenBSD ppp Buffer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
29234

Source: CCN
Type: SA29238
FreeBSD ppp Buffer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
29238

Source: CCN
Type: SA29240
user-ppp "command_Expand_Interpret()" Buffer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
29240

Source: CCN
Type: FreeBSD Web site
The FreeBSD Project

Source: CCN
Type: NetBSD Web site
The NetBSD Project

Source: CCN
Type: OpenBSD Web site
OpenBSD

Source: CCN
Type: OpenBSD CVS repository
OpenBSD

Source: OPENBSD
Type: UNKNOWN
[4.1] 20080307 014: SECURITY FIX: March 7, 2008

Source: OPENBSD
Type: UNKNOWN
[4.2] 20080307 009: SECURITY FIX: March 7, 2008

Source: CCN
Type: OSVDB ID: 42586
Multiple BSD user-ppp command_Expand_Interpret() Function Local Overflow

Source: CCN
Type: BugTraq Mailing List, BugTraq Mailing List, Feb 26 2006 12:53PM
BSD user-ppp local root (when conditions permit)

Source: VULN-DEV
Type: Exploit
20080229 *BSD user-ppp local root (when conditions permit)

Source: VULN-DEV
Type: Exploit
20080301 Re: *BSD user-ppp local root (when conditions permit)

Source: BID
Type: Exploit
28090

Source: CCN
Type: BID-28090
BSD PPP 'pppx.conf' Local Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
userppp-commandexpandinterpret-bo(41034)

Source: XF
Type: UNKNOWN
userppp-commandexpandinterpret-bo(41034)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:freebsd:freebsd:6.3:-:*:*:*:*:*:*
  • OR cpe:/o:freebsd:freebsd:7.0:-:*:*:*:*:*:*
  • OR cpe:/o:netbsd:netbsd:*:*:*:*:*:*:*:*
  • OR cpe:/o:openbsd:openbsd:4.1:*:*:*:*:*:*:*
  • OR cpe:/o:openbsd:openbsd:4.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:netbsd:netbsd:*:*:*:*:*:*:*:*
  • OR cpe:/o:openbsd:openbsd:*:*:*:*:*:*:*:*
  • OR cpe:/o:freebsd:freebsd:6.3:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    freebsd freebsd 6.3
    freebsd freebsd 7.0
    netbsd netbsd *
    openbsd openbsd 4.1
    openbsd openbsd 4.2
    netbsd netbsd *
    openbsd openbsd *
    freebsd freebsd 6.3 -