Rudedog up to 1.6.1 auth_ldap auth_ldap_log_reason format string
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.4 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in Rudedog up to 1.6.1. This vulnerability affects the function auth_ldap_log_reason of the component auth_ldap. The manipulation leads to format string.
This vulnerability is documented as CVE-2006-0150. There is not any exploit available.
It is advisable to upgrade the affected component.
Details
A vulnerability was found in Rudedog up to 1.6.1. It has been rated as critical. This issue affects the function auth_ldap_log_reason of the component auth_ldap. The manipulation with an unknown input leads to a format string vulnerability. Using CWE to declare the problem leads to CWE-134. The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username.
The bug was discovered 12/22/2005. The weakness was released 01/10/2006 with Digital Armaments (Website). The advisory is shared at digitalarmaments.com. The identification of this vulnerability is CVE-2006-0150 since 01/09/2006. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available.
It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 18 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 20400 (RHEL 2.1 : auth_ldap (RHSA-2006:0179)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Red Hat Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 117767 (CentOS Security Update for auth_ldap (CESA-2006:0179)).
Upgrading eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at rudedog.org. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 2 weeks after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 8590.
The vulnerability is also documented in the databases at X-Force (24030), Tenable (20400), SecurityFocus (BID 16177†), OSVDB (22301†) and Secunia (SA18568†). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.4
VulDB Base Score: 7.3
VulDB Temp Score: 6.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Format stringCWE: CWE-134 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 20400
Nessus Name: RHEL 2.1 : auth_ldap (RHSA-2006:0179)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 56212
OpenVAS Name: Debian Security Advisory DSA 952-1 (libapache-auth-ldap)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: rudedog.org
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
12/22/2005 🔍01/09/2006 🔍
01/09/2006 🔍
01/09/2006 🔍
01/09/2006 🔍
01/10/2006 🔍
01/10/2006 🔍
01/10/2006 🔍
01/10/2006 🔍
01/11/2006 🔍
01/11/2006 🔍
01/23/2006 🔍
01/23/2006 🔍
06/23/2025 🔍
Sources
Advisory: digitalarmaments.comResearcher: http://www.digitalarmaments.com
Organization: Digital Armaments
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2006-0150 (🔍)
GCVE (CVE): GCVE-0-2006-0150
GCVE (VulDB): GCVE-100-1961
X-Force: 24030 - Apache auth_ldap module multiple format strings, Medium Risk
SecurityFocus: 16177 - Dave Carrigan Auth_LDAP Remote Format String Vulnerability
Secunia: 18568 - Debian update for libapache-auth-ldap, Highly Critical
OSVDB: 22301 - auth_ldap for Apache HTTP Server auth_ldap_log_reason() Function Remote Format String
SecurityTracker: 1015456 - auth_ldap Format String Bug Lets Remote Users Execute Arbitrary Code
Vulnerability Center: 10139 - Auth_ldap Format String Vulnerability Allows Execution of Arbitrary Code, Critical
Vupen: ADV-2006-0117
Entry
Created: 01/11/2006 13:28Updated: 06/23/2025 04:46
Changes: 01/11/2006 13:28 (98), 11/30/2016 21:18 (8), 03/12/2021 10:10 (3), 06/23/2025 04:46 (16)
Complete: 🔍
Cache ID: 216:7EC:103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.