Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (File Transfer/Sharing)  >   Nfs Vendors:   Apple
(Apple Issues Fix) Network File System (NFS) Flaw in Processing Zero-Length RPC Messages Allows Remote Users to Crash the System
SecurityTracker Alert ID:  1008230
SecurityTracker URL:
CVE Reference:   CVE-2002-0830   (Links to External Site)
Date:  Nov 18 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A denial of service vulnerability was reported in the Network File System (NFS) code. A remote user could cause the NFS server to crash.

It is reported that the NFS code that processes incoming remote procedure call (RPC) messages contains a flaw. A remote user can send an RPC message with a zero-length payload to cause the NFS server to reference the payload from the previous message, creating a loop in the message chain. The resulting infinite loop could cause the NFS process or the entire server to crash.

[Editor's note: This was reported by FreeBSD in August 2002.]

Impact:   A remote user can cause the NFS server to crash.
Solution:   Apple has released a fix as part of Mac OS X 10.3 Panther.
Vendor URL: (Links to External Site)
Cause:   Exception handling error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  prior to 10.3

Message History:   This archive entry is a follow-up to the message listed below.
Sep 17 2002 Network File System (NFS) Flaw in Processing Zero-Length RPC Messages Allows Remote Users to Crash the System

 Source Message Contents

Subject:  APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Hash: SHA1

APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Mac OS X 10.3 Panther has been released, and it contains the following
security enhancements:

Finder: Fixes CAN-2003-0876 where folder permissions may not be
   preserved when copying a folder from a mounted volume such as a
   disk image.  Credit to Dave G. from @stake, Inc. for finding this

Kernel: Fixes CAN-2003-0877 where if a system is running with core
   files enabled, a user with interactive shell access can overwrite
   arbitrary files, and read core files created by root-owned
   processes.  This may result in sensitive information such as
   authentication credentials being compromised. Core file creation is
   disabled by default on Mac OS X. Credit to Dave G. from @stake,
   Inc. for finding this issue.

slpd:  Fixes CAN-2003-0878 when Personal File Sharing is enabled, the
   slpd daemon may create a root-owned file in the /tmp directory.
   This could overwrite an existing file and allow a user to gain
   elevated privileges. Personal File Sharing is off by default in Mac
   OS X.  Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0895 where it may be possible for a local user
   to cause the Mac OS X kernel to crash by specifying a long command
   line argument. The machine will reboot on its own after several
   minutes. Credit to Dave G. from @stake, Inc. for finding this

ktrace: Fixes CVE-2002-0701 a theoretical exploit when ktrace is
   enabled through the KTRACE kernel option, a local user might be
   able to obtain sensitive information.  No specific utility is
   currently known to be vulnerable to this particular problem.

nfs: Fixes CVE-2002-0830 for the Network File System where a remote
   user may be able to send RPC messages that cause the system to lock

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS
   X that used the vulnerable gzprintf() function, the underlying
   issue in zlib has been fixed.

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
   utility. No setuid root programs relied on gm4 and this fix is a
   preventative measure against a possible future exploit.

OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts"
   restrictions are potentially spoofable via reverse DNS for
   numerically specified IP addresses. Mac OS X 10.3 also incorporates
   prior fixes released for OpenSSH, and the version of OpenSSH as
   obtained via the "ssh -V" command is:
   OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL

nidump:  Fixes CAN-2001-1412 where the nidump utility provides access
   to the crypted passwords used to authenticate logins.

System Preferences:  Fixes CAN-2003-0883 where after authenticating
   with an administrator password, the system will continue to allow
   access to secure Preference Panes for a short period of time.  This
   could allow a local user to access Preference Panes that they would
   not normally be able to use.  In Mac OS X 10.3 Security
   preferences, there is now a choice to "Require password to unlock
   each secure system preference". Credit to Anthony Holder for
   reporting this issue.

TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is
   initialized with a constant number. This could allow a person to
   discover how long the system has been up based upon the ID in TCP
   packets.  In Mac OS X 10.3, the TCP timestamp is now initialized
   with a random number. Credit to Aaron Linville for reporting this
   issue and submitting a fix via the Darwin open source program.

Mail:  Fixes CAN-2003-0881 in the Mac OS X Mail application, if an
   account is configured to use MD5 Challenge Response, it will
   attempt to login using CRAM-MD5 but will silently fall back to
   plain-text if the hashed login fails. Credit to Chris Adams for
   reporting this issue.

Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via
   the Keyboard pane in System Preferences, Dock functions can be
   accessed blindly from behind Screen Effects.
Other security features:  Mac OS X 10.3 contains a number of other
   security features which may be found at:

Further information on Mac OS X 10.3 may be obtained from:
This message is signed with Apple's Product Security PGP key, and
details are available at:

Version: PGP 8.0.2

security-announce mailing list |
Do not post admin requests to the list. They will be ignored.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC