SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   nfs-utils Vendors:   nfs.sourceforge.net
(SCO Issues Fix for OpenLinux) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008225
SecurityTracker URL:  http://securitytracker.com/id/1008225
CVE Reference:   CVE-2003-0252   (Links to External Site)
Date:  Nov 18 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.3 and prior versions
Description:   An off-by one buffer overflow vulnerability was reported in 'nfs-utils'. A remote user may be able to execute arbitrary code on the target system.

Janusz Niewiadomski of iSEC Security Research reported that a remote user can send a specially crafted request to the rpc.mountd daemon to trigger an overflow in the xlog() logging function. If the user-supplied string is 1023 bytes or longer, the trailing null '\0' byte is written beyond the end of the buffer.

According to the report, a remote user can cause the daemon to crash or execute arbitrary code with the privileges of the daemon. However, Red Hat reported in advisory RHSA-2003:206-01 that "it is not believed that this bug could lead to remote arbitrary code execution."

Impact:   A remote user can send a specially crafted NFS request to cause the rpc.mountd daemon to crash or execute arbitrary code. The arbitrary code will run with the privileges of the daemon.
Solution:   SCO has released a fix for OpenLinux.

OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/RPMS

Packages

30ea43154970596e70e4fe28d975384e nfs-0.2.1-12.i386.rpm
680b5214c57a02e1265229458ae881d3 nfs-lockd-0.2.1-12.i386.rpm
32ee130750f4502fc5bfb51ed46bbbd9 nfs-server-0.2.1-12.i386.rpm

Installation

rpm -Fvh nfs-0.2.1-12.i386.rpm
rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
rpm -Fvh nfs-server-0.2.1-12.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/SRPMS

Source Packages

da4e028d9ffe374c7be7e24ffad2b360 nfs-0.2.1-12.src.rpm


OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/RPMS

Packages

40c11bad18969b6587a9d94b79c2e41c nfs-0.2.1-12.i386.rpm
f98629ebc8412a30a1ab6fe16ea55f77 nfs-lockd-0.2.1-12.i386.rpm
6407294bbb284c9e42f2769ef9941e8a nfs-server-0.2.1-12.i386.rpm

Installation

rpm -Fvh nfs-0.2.1-12.i386.rpm
rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
rpm -Fvh nfs-server-0.2.1-12.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/SRPMS

Source Packages

f47fea29ce99c7979c50ffb3e91ddf99 nfs-0.2.1-12.src.rpm

Vendor URL:  sourceforge.net/projects/nfs/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  OpenLinux 3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Jul 14 2003 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  OpenLinux: Linux NFS utils package contains remotely exploitable off-by-one bug



To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com security-alerts@linuxsecurity.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: Linux NFS utils package contains remotely exploitable off-by-one bug
Advisory number: 	CSSA-2003-037.0
Issue date: 		2003 November 17
Cross reference:	sr882699 fz528148 erg712382
______________________________________________________________________________


1. Problem Description

	Janusz Niewiadomski has discovered an off-by-one overflow in
	xlog() in the nfs-utils package. It is rumoured this bug is
	exploitable, however as it writes a single zero byte to memory,
	an exploit may be difficult to write. 

	CAN-2003-0252 Off-by-one error in the xlog function of mountd 
	in the Linux NFS utils package (nfs-utils) before 1.0.4 allows 
	remote attackers to cause a denial of service and possibly execute 
	arbitrary code via certain RPC requests to mountd that do not 
	contain newlines.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to nfs-0.2.1-12.i386.rpm
					prior to nfs-lockd-0.2.1-12.i386.rpm
					prior to nfs-server-0.2.1-12.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to nfs-0.2.1-12.i386.rpm
					prior to nfs-lockd-0.2.1-12.i386.rpm
					prior to nfs-server-0.2.1-12.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/RPMS

	4.2 Packages

	30ea43154970596e70e4fe28d975384e	nfs-0.2.1-12.i386.rpm
	680b5214c57a02e1265229458ae881d3	nfs-lockd-0.2.1-12.i386.rpm
	32ee130750f4502fc5bfb51ed46bbbd9	nfs-server-0.2.1-12.i386.rpm

	4.3 Installation

	rpm -Fvh nfs-0.2.1-12.i386.rpm
	rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
	rpm -Fvh nfs-server-0.2.1-12.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/SRPMS

	4.5 Source Packages

	da4e028d9ffe374c7be7e24ffad2b360	nfs-0.2.1-12.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/RPMS

	5.2 Packages

	40c11bad18969b6587a9d94b79c2e41c	nfs-0.2.1-12.i386.rpm
	f98629ebc8412a30a1ab6fe16ea55f77	nfs-lockd-0.2.1-12.i386.rpm
	6407294bbb284c9e42f2769ef9941e8a	nfs-server-0.2.1-12.i386.rpm

	5.3 Installation

	rpm -Fvh nfs-0.2.1-12.i386.rpm
	rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
	rpm -Fvh nfs-server-0.2.1-12.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/SRPMS

	5.5 Source Packages

	f47fea29ce99c7979c50ffb3e91ddf99	nfs-0.2.1-12.src.rpm


6. References

	Specific references for this advisory:
		http://marc.theaimsgroup.com/?l=bugtraq&m=105839032403325&w=2
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0252

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr882699 fz528148
	erg712382.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


8. Acknowledgements

	SCO would like to thank Janusz Niewiadomski for reporting this issue.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/uU5lbluZssSXDTERAjKTAKCwv9o4wj3AnK++/g6/MObc4WFUFgCgqdA8
xmjzczTc7zXZECQEkCsW3M4=
=Kq/p
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC