Security Vulnerability Report
CVE-2016-20047 CVSS 8.4 HIGH

CVE-2016-20047

Published: 2026-03-28 12:16:01
Last Modified: 2026-03-30 13:26:08

Description

EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow vulnerability in the username handling that allows local attackers to execute arbitrary code by supplying an oversized username string. Attackers can trigger the overflow in the strlcpy function by passing a crafted buffer exceeding 258 bytes to overwrite the instruction pointer and execute shellcode with user privileges.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

EKG Gadu 1.9~pre+r2855-3+b1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
#include <stdio.h>
#include <string.h>

/*
 * PoC for CVE-2016-20047
 * Conceptual demonstration of the buffer overflow in username handling.
 * Requires a vulnerable version of EKG Gadu running.
 */
int main(void)
{
    /* The vulnerability is triggered by a username > 258 bytes.
     * This payload fills the buffer and overwrites the instruction pointer. */
    char payload[300];
    memset(payload, 0x41, sizeof(payload));   /* Fill with 'A' */
    payload[sizeof(payload) - 1] = 0x00;      /* Null termination */

    /* strlen() returns size_t, so print it with %zu rather than %d */
    printf("[+] Generating malicious username payload (Length: %zu)\n", strlen(payload));
    printf("[+] Payload content: %s...\n", payload);

    /* In a real scenario, this payload would be passed to the EKG Gadu
     * application via the username parameter.
     * Example: ./ekg -u %s */
    printf("[*] Simulating trigger of strlcpy overflow...\n");
    return 0;
}
```

References

http://ekg.chmurka.net/
https://www.exploit-db.com/exploits/40392
https://www.vulncheck.com/advisories/ekg-gadu-local-buffer-overflow-via-username-parameter

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-20047", "sourceIdentifier": "[email protected]", "published": "2026-03-28T12:16:01.013", "lastModified": "2026-03-30T13:26:07.647", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow vulnerability in the username handling that allows local attackers to execute arbitrary code by supplying an oversized username string. Attackers can trigger the overflow in the strlcpy function by passing a crafted buffer exceeding 258 bytes to overwrite the instruction pointer and execute shellcode with user privileges."}, {"lang": "es", "value": "EKG Gadu 1.9~pre+r2855-3+b1 contiene una vulnerabilidad de desbordamiento de búfer local en el manejo del nombre de usuario que permite a atacantes locales ejecutar código arbitrario al proporcionar una cadena de nombre de usuario sobredimensionada. Los atacantes pueden activar el desbordamiento en la función strlcpy al pasar un búfer manipulado que excede los 258 bytes para sobrescribir el puntero de instrucción y ejecutar shellcode con privilegios de usuario."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "http://ekg.chmurka.net/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40392", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/ekg-gadu-local-buffer-overflow-via-username-parameter", "source": "[email protected]"}]}}