SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   nfs-utils Vendors:   nfs.sourceforge.net
'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007187
SecurityTracker URL:  http://securitytracker.com/id/1007187
CVE Reference:   CVE-2003-0252   (Links to External Site)
Updated:  Jun 14 2008
Original Entry Date:  Jul 14 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.3 and prior versions
Description:   An off-by one buffer overflow vulnerability was reported in 'nfs-utils'. A remote user may be able to execute arbitrary code on the target system.

Janusz Niewiadomski of iSEC Security Research reported that a remote user can send a specially crafted request to the rpc.mountd daemon to trigger an overflow in the xlog() logging function. If the user-supplied string is 1023 bytes or longer, the trailing null '\0' byte is written beyond the end of the buffer.

According to the report, a remote user can cause the daemon to crash or execute arbitrary code with the privileges of the daemon. However, Red Hat reported in advisory RHSA-2003:206-01 that "it is not believed that this bug could lead to remote arbitrary code execution."

Impact:   A remote user can send a specially crafted NFS request to cause the rpc.mountd daemon to crash or execute arbitrary code. The arbitrary code will run with the privileges of the daemon.
Solution:   The vendor has released a fixed version (1.0.4), available at:

http://sourceforge.net/projects/nfs/

Vendor URL:  sourceforge.net/projects/nfs/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 14 2003 (Red Hat Issues Fix) Re: 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Red Hat has issued a fix.
Jul 14 2003 (Debian Issues Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Jul 15 2003 (Slackware Issues Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Slackware has released a fix.
Jul 15 2003 (SuSE Issues Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
SuSE has released a fix.
Jul 16 2003 (Slackware Issues Updated Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
The vendor has released an updated fix to replace the previously issued fix (which contained a bug).
Jul 16 2003 (Immunix Issues Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Immunix has released a fix.
Jul 22 2003 (Conectiva Issues Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.
Jul 23 2003 (Mandrake Issues Fix) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Sep 10 2003 (Sun Issues Fix for Sun Linux) Re: 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
Sun has issued a fix for Sun Linux.
Nov 18 2003 (SCO Issues Fix for OpenLinux) 'nfs-utils' Buffer Overflow May Let Remote Users Execute Arbitrary Code
SCO has released a fix for OpenLinux 3.1.1.



 Source Message Contents

Subject:  [VulnWatch] Linux nfs-utils xlog() off-by-one bug


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis:	Linux nfs-utils xlog() off-by-one bug 
Product:	nfs-utils
Version:	<= 1.0.3
Vendor:		http://sourceforge.net/projects/nfs/

URL:		http://isec.pl/vulnerabilities/
CVE:		CAN-2003-0252
Author:		Janusz Niewiadomski <funkysh@isec.pl>
Date:		July 14, 2003


Issue:
======

Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending 
specially crafted request to rpc.mountd daemon.


Details:
========

An off-by-one bug exist in xlog() function which handles logging of 
requests. An overflow occurs when function is trying to add missing
trailing newline character to logged string. 

Due to miscalculation, if a string passed to the functions is equal
or longer than 1023 bytes, the '\0' byte will be written beyond the 
buffer:
  

- ------8<------cut-here------8<------

        char            buff[1024];
        ...
 
        va_start(args, fmt);
        vsnprintf(buff, sizeof (buff), fmt, args);
        va_end(args);
        buff[sizeof (buff) - 1] = 0;

        if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
                buff[n++] = '\n'; buff[n++] = '\0';
        }

- ------8<------cut-here------8<------


Impact:
=======

Local or remote attacker which is capable to send RPC request to
vulnerable mountd daemon could execute artitrary code or cause
denial of service.


Status:
=======

Vendor has been notified on June 10, 2003. The fix is incorporated
in recent 1.0.4 release of nfs-utils.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0252 to this issue.


- -- 
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/EsX3C+8U3Z5wpu4RArLdAKDD40fr/uq21jn47nZ3y4drrx7AaQCgvYKv
ji74jUOQtgjaGVoQn63d05Q=
=OqOQ
-----END PGP SIGNATURE-----




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC