SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   SANE
Vendors:   sane-project.org
Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
SecurityTracker Alert ID:  1007984
SecurityTracker URL:  http://securitytracker.com/id/1007984
CVE Reference:   CVE-2003-0773, CVE-2003-0774, CVE-2003-0775, CVE-2003-0776, CVE-2003-0777, CVE-2003-0778   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Oct 23 2003
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0.7 and prior versions
Description:   Several vulnerabilities were reported in the Scanner Access Now Easy (SANE) application. A remote user can cause denial of service conditions.

It is reported that the sane-backends package contains several flaws. If the 'saned' daemon is running on your system, you may be affected. A remote user can cause saned to consume large amounts of memory or crash. The remote user can exploit these flaws even if the remote user's host is not listed in the 'saned.conf' file, the report said.

It is reported that saned fails to validate the IP address of the remote host before processing the SANE_NET_INIT RPC message (the first message of a SANE session). As a result, a host that is not explicitly permitted by the 'saned.conf' file settings can still send that message (CVE: CVE-2003-0773).

It is reported that the code does not properly check for communication errors. A remote user can drop a connection without having the target system detect the drop, resulting in a buffer overflow and segmentation fault (CVE: CVE-2003-0774).

A remote user can connect and then drop the connection before sending the size of strings (ostensibly to be sent as a subsequent part of the connection). This will cause the target system to malloc an arbitrary amount of memory and fail or crash (CVE: CVE-2003-0775).

It is reported that the saned daemon fails to check the validity of user-supplied RPC numbers (CVE: CVE-2003-0776). The impact of this flaw is reported to be uncertain.

If a remote user drops a connection when debug messages are enabled on the target server, the target server may print non-null-terminated strings and crash (CVE: CVE-2003-0777).

It is also reported that a remote user can cause an arbitrary amount of memory to be allocated on the target server (CVE: CVE-2003-0778).

Debian credits Alexander Hvostov, Julien Blache, and Aurelien Jarno with discovering these flaws.

Impact:   A remote user can cause the target server to consume large amounts of memory or crash.
Solution:   [Editor's note: It is not clear if the upstream version of SANE past 1.0.7 includes fixes or not. We will update this alert if additional information becomes available.]
Vendor URL:  www.sane-project.org/ (Links to External Site)
Cause:   Boundary error, Resource error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 23 2003 (Conectiva Issues Fix) Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
Conectiva has released a fix.
Oct 24 2003 (Red Hat Issues Fix) Re: Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
Red Hat has issued a fix for SANE.
Oct 24 2003 (Debian Issues Fix) Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
Debian has released a fix.
Nov 18 2003 (SuSE Issues Fix) Re: Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
SuSE has issued a fix.



Source Message Contents

Subject:  CVE-2003-0773 CVE-2003-0774 CVE-2003-0775 CVE-2003-0776 CVE-2003-0777


Debian originally reported several vulnerabilities in "Scanner Access Now Easy" (SANE).

CVE:  CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777, CAN-2003-0778.

The following information is provided by Debian:

More information:

     Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several 
security-related problems in the [Debian] sane-backends package, which contains an API 
library for scanners including a scanning daemon (in the package libsane) that can be 
remotely exploited. These problems allow a remote attacker to cause a segmentation fault 
and/or consume arbitrary amounts of memory. The attack is successful, even if the 
attacker's computer isn't listed in saned.conf.

     You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the 
entries in the configuration file of xinetd or inetd respectively are commented out or do 
not exist, you are safe.

     Try "telnet localhost 6566" on the server that may run saned. If you get "connection 
refused" saned is not running and you are safe.

     The Common Vulnerabilities and Exposures project identifies the following problems:

         * CAN-2003-0773:

           saned checks the identity (IP address) of the remote host only after the first 
communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the 
remote host is not allowed to scan (not listed in saned.conf).
         * CAN-2003-0774:

           saned lacks error checking nearly everywhere in the code. So connection drops 
are detected very late. If the drop of the connection isn't detected, the access to the 
internal wire buffer leaves the limits of the allocated memory. So random memory "after" 
the wire buffer is read which will be followed by a segmentation fault.
         * CAN-2003-0775:

           If saned expects strings, it mallocs the memory necessary to store the complete 
string after it receives the size of the string. If the connection was dropped before 
transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that 
size and the amount of memory available either malloc fails (->saned quits nicely) or a 
huge amount of memory is allocated. Swapping and OOM measures may occur depending on the 
kernel.
         * CAN-2003-0776:

           saned doesn't check the validity of the RPC numbers it gets before getting the 
parameters.
         * CAN-2003-0777:

           If debug messages are enabled and a connection is dropped, non-null-terminated 
strings may be printed and segmentation faults may occur.
         * CAN-2003-0778:

           It's possible to allocate an arbitrary amount of memory on the server running 
saned even if the connection isn't dropped. At the moment this can not easily be fixed 
according to the author. Better limit the total amount of memory saned may use (ulimit).
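The description section above and the Debian list of CAN-2003-0774 through CAN-2003-0778 all come down to one pattern in a length-prefixed wire protocol: a short read on a dropped connection is not detected, a length field is trusted before it has been received and bounded, strings are printed without a terminator, and RPC numbers are not range-checked. The C example below is added here as an illustration of the defensive form of that pattern and is not saned's code or any SANE project code; the function names (read_exact, recv_string, recv_string_from_bytes, rpc_number_valid, limit_memory), the 4-byte big-endian length encoding, the cap MAX_STRING_LEN and the opcode limit MAX_RPC_NUMBER are this example's own assumptions. The dropped connection is simulated with a pipe whose write end is closed after a constructed partial message.

```c
/* Added example, not SANE project code. Shows how a length-prefixed string
 * receiver detects a dropped peer, bounds the announced length before
 * malloc, terminates strings before they are logged, validates RPC
 * numbers, and caps process memory (the "ulimit" mitigation). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>

#define MAX_STRING_LEN (64 * 1024)  /* hypothetical cap; tune to the protocol */
#define MAX_RPC_NUMBER 10           /* hypothetical highest valid opcode   */

/* Read exactly n bytes or fail. EOF (peer closed) is an error, not silence,
 * so a dropped connection is detected here and never reaches the buffer
 * code (the CAN-2003-0774 failure mode). */
static int read_exact(int fd, void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r == 0) return -1;                        /* short read: peer gone */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Receive a 32-bit big-endian length, then that many bytes. Returns a
 * NUL-terminated heap string or NULL. The length is only used for malloc
 * after it has been fully read and checked against max_len (CAN-2003-0775),
 * and the result is terminated before any debug print (CAN-2003-0777). */
char *recv_string(int fd, size_t max_len) {
    unsigned char hdr[4];
    if (read_exact(fd, hdr, sizeof hdr) != 0) return NULL;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (len > max_len) return NULL;                   /* reject before malloc */
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    if (read_exact(fd, s, len) != 0) { free(s); return NULL; }
    s[len] = '\0';
    return s;
}

/* CAN-2003-0776: an RPC number is checked before any parameter decoding. */
int rpc_number_valid(uint32_t rpc) {
    return rpc <= MAX_RPC_NUMBER;
}

/* CAN-2003-0778 mitigation: cap the address space so a runaway allocation
 * fails in this process instead of exhausting the host. */
int limit_memory(rlim_t bytes) {
    struct rlimit rl = { bytes, bytes };
    return setrlimit(RLIMIT_AS, &rl);
}

/* Test helper: feed constructed bytes through a pipe and close the write
 * end, which models the client hanging up after sending that much. */
char *recv_string_from_bytes(const unsigned char *data, size_t n, size_t max_len) {
    int fds[2];
    if (pipe(fds) != 0) return NULL;
    if (n > 0 && write(fds[1], data, n) != (ssize_t)n) {
        close(fds[0]); close(fds[1]);
        return NULL;
    }
    close(fds[1]);
    char *s = recv_string(fds[0], max_len);
    close(fds[0]);
    return s;
}

int main(void) {
    /* constructed inputs: a complete string, a drop after the header,
     * a drop inside the header, and an absurd announced length */
    const unsigned char ok[]      = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char dropped[] = {0, 0, 0, 5, 'h', 'e'};
    const unsigned char early[]   = {0, 0};
    const unsigned char huge[]    = {0xff, 0xff, 0xff, 0xff};
    char *s = recv_string_from_bytes(ok, sizeof ok, MAX_STRING_LEN);
    printf("complete: %s\n", s ? s : "(rejected)");
    free(s);
    printf("dropped after header: %s\n",
           recv_string_from_bytes(dropped, sizeof dropped, MAX_STRING_LEN) ? "accepted" : "rejected");
    printf("dropped in header: %s\n",
           recv_string_from_bytes(early, sizeof early, MAX_STRING_LEN) ? "accepted" : "rejected");
    printf("huge length: %s\n",
           recv_string_from_bytes(huge, sizeof huge, MAX_STRING_LEN) ? "accepted" : "rejected");
    printf("rpc 3 valid: %d, rpc 11 valid: %d\n", rpc_number_valid(3), rpc_number_valid(11));
    return 0;
}
```

The order of checks in recv_string is the point: the length is read completely, compared against a cap, and only then passed to malloc, so a peer that disconnects mid-header or announces 4 GB gets NULL rather than an allocation. limit_memory is the in-process form of the ulimit advice in the Debian text and would be called once at daemon startup, before any client is served.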

Copyright 2021, SecurityGlobal.net LLC