Scanner Access Now Easy (SANE) Flaws Let Remote Users Crash the 'saned' Daemon
SecurityTracker Alert ID: 1007984|
SecurityTracker URL: http://securitytracker.com/id/1007984
CVE-2003-0773, CVE-2003-0774, CVE-2003-0775, CVE-2003-0776, CVE-2003-0777, CVE-2003-0778
(Links to External Site)
Updated: Dec 1 2003|
Original Entry Date: Oct 23 2003
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 1.0.7 and prior versions|
Several vulnerabilities were reported in the Scanner Access Now Easy (SANE) application. A remote user can cause denial of service conditions.|
It is reported that the the sane-backends package contains several flaws. If the 'saned' daemon is running on your system, you may be affected. A remote user can cause saned to consume large amounts of memory or crash. The remote user can exploit these flaws even if the remote user's host is not listed in the 'saned.conf' file, the report said.
It is reported that saned fails to validate the IP address of the remote host for the SANE_NET_INIT RPC message (the first message of a SANE session). A host that is not explicitly permitted in accordance with the 'saned.conf' file settings (CVE: CVE-2003-0773).
It is reported that the code does not properly check for communication errors. A remote user can drop a connection without having the target system detect the drop, resulting in a buffer overflow and segmentation fault (CVE: CVE-2003-0774).
A remote user can connect and then drop the connection before sending the size of strings (ostensibly to be sent as a subsequent part of the connection). This will cause the target system to malloc an arbitrary amount of memory and fail or crash (CVE: CVE-2003-0775)
It is reported that the saned daemon fails to check the validity of user-supplied RPC numbers (CVE: CVE-2003-0776). The impact of this flaw is reported to be uncertain.
If a remote user drops a connection when debug messages are enabled on the target server, the target server may print non-null-terminated strings and crash (CVE: CVE-2003-0777).
It is also reported that a remote user can cause an arbitrary amount of memory to be allocated on the target server (CVE: CVE-2003-0778).
Debian credits Alexander Hvostov, Julien Blache, and Aurelien Jarno with discovering these flaws.
A remote user can cause the target server to consume large amounts of memory or crash.|
[Editor's note: It is not clear if the upstream version of SANE past 1.0.7 includes fixes or not. We will update this alert if additional information becomes available.]|
Vendor URL: www.sane-project.org/ (Links to External Site)
Boundary error, Resource error, State error|
|Underlying OS: Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: CVE-2003-0773 CVE-2003-0774 CVE-2003-0775 CVE-2003-0776 CVE-2003-0777|
Debian originally reported several vulnerabilities in "Scanner Access Now Easy" (SANE).
CVE: CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777,
The following information is provided by Debian:
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the [Debian] sane-backends package, which contains an API
library for scanners including a scanning daemon (in the package libsane) that can be
remotely exploited. These problems allow a remote attacker to cause a segmentation fault
and/or consume arbitrary amounts of memory. The attack is successful, even if the
attacker's computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the
entries in the configuration file of xinetd or inetd respectively are commented out or do
not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you get "connection
refused" saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the following problems:
saned checks the identity (IP address) of the remote host only after the first
communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the
remote host is not allowed to scan (not listed in saned.conf).
saned lacks error checking nearly everywhere in the code. So connection drops
are detected very late. If the drop of the connection isn't detected, the access to the
internal wire buffer leaves the limits of the allocated memory. So random memory "after"
the wire buffer is read which will be followed by a segmentation fault.
If saned expects strings, it mallocs the memory necessary to store the complete
string after it receives the size of the string. If the connection was dropped before
transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that
size and the amount of memory available either malloc fails (->saned quits nicely) or a
huge amount of memory is allocated. Swapping and OOM measures may occur depending on the
saned doesn't check the validity of the RPC numbers it gets before getting the
If debug messages are enabled and a connection is dropped, non-null-terminated
strings may be printed and segmentation faults may occur.
It's possible to allocate an arbitrary amount of memory on the server running
saned even if the connection isn't dropped. At the moment this can not easily be fixed
according to the author. Better limit the total amount of memory saned may use (ulimit).