CVE-2024-2961

CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

La función iconv() en las versiones 2.39 y anteriores de la librería GNU C puede desbordar el búfer de salida que se le pasa hasta en 4 bytes al convertir cadenas al juego de caracteres ISO-2022-CN-EXT, lo que puede usarse para bloquear una aplicación. o sobrescribir una variable vecina.

An out-of-bounds write flaw was found in the ISO-2022-CN-EXT plugin for glibc's iconv library. When converting from UCS4 charset, adding certain escape charterers is required to indicate where the charset was changed to the library. During this process, iconv improperly checks the boundaries of internal buffers, leading to a buffer overflow, which allows writing up to 3 bytes outside the desired memory location. This issue may allow an attacker to craft a malicious characters sequence that will trigger the out-of-bounds write and perform remote code execution, presenting a high impact to the Integrity, Confidentiality, and Availability triad.

It was discovered that GNU C Library incorrectly handled netgroup requests. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. It was discovered that GNU C Library might allow context-dependent attackers to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. It was discovered that GNU C Library when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. This issue only affected Ubuntu 14.04 LTS.

*Credits: Charles Fol

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-03-26 CVE Reserved
2024-04-17 CVE Published
2024-04-24 First Exploit
2025-02-13 CVE Updated
2025-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-787: Out-of-bounds Write

CAPEC

CAPEC-100: Overflow Buffers

References (36)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/04/17/9
http://www.openwall.com/lists/oss-security/2024/04/18/4
http://www.openwall.com/lists/oss-security/2024/04/24/2
http://www.openwall.com/lists/oss-security/2024/05/27/1
http://www.openwall.com/lists/oss-security/2024/05/27/2
http://www.openwall.com/lists/oss-security/2024/05/27/3
http://www.openwall.com/lists/oss-security/2024/05/27/4
http://www.openwall.com/lists/oss-security/2024/05/27/5
http://www.openwall.com/lists/oss-security/2024/05/27/6
http://www.openwall.com/lists/oss-security/2024/07/22/5
https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z
https://security.netapp.com/advisory/ntap-20240531-0002
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md
https://sansec.io/research/cosmicsting
https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
https://github.com/ambionics/cnext-exploits/blob/main/cosmicsting-cnext-exploit.py

URL	Date	SRC
https://packetstorm.news/files/id/182289	2024-10-18
https://packetstorm.news/files/id/188831	2025-01-27
https://github.com/rvizx/CVE-2024-2961	2024-05-20
https://github.com/tnishiox/cve-2024-2961	2024-06-04
https://github.com/absolutedesignltd/iconvfix	2024-05-30
https://github.com/mattaperkins/FIX-CVE-2024-2961	2024-04-24
https://github.com/ambionics/cnext-exploits	2024-11-30
https://github.com/exfil0/test_iconv	2024-06-04
https://github.com/kjdfklha/CVE-2024-2961_poc	2024-09-20
https://github.com/kyotozx/CVE-2024-2961-Remote-File-Read	2025-01-28
https://github.com/4wayhandshake/CVE-2024-2961	2025-02-01
https://github.com/omarelshopky/exploit_cve-2023-26326_using_cve-2024-2961	2025-02-02
https://github.com/suce0155/CVE-2024-2961_buddyforms_2.7.7	2025-02-05
https://github.com/regantemudo/PHP-file-read-to-RCE-CVE-2024-2961-	2025-02-20

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-2961	2024-10-23
https://bugzilla.redhat.com/show_bug.cgi?id=2273404	2024-10-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
The GNU C Library Search vendor "The GNU C Library"		Glibc Search vendor "The GNU C Library" for product "Glibc"				>= 2.1.93 < 2.40 Search vendor "The GNU C Library" for product "Glibc" and version " >= 2.1.93 < 2.40"		en		Affected