Vulnerabilities > CVE-2002-0391 - Integer Overflow or Wraparound vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
openbsd
sun
freebsd
microsoft
CWE-190
critical
nessus

Summary

Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-143.NASL
    descriptionAn integer overflow bug has been discovered in the RPC library used by the Kerberos 5 administration system, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful. No exploits are known to exist yet.
    last seen2020-06-01
    modified2020-06-02
    plugin id14980
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14980
    titleDebian DSA-143-1 : krb5 - integer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-143. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14980);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:16");
    
      script_cve_id("CVE-2002-0391");
      script_bugtraq_id(5356);
      script_xref(name:"CERT", value:"192995");
      script_xref(name:"DSA", value:"143");
    
      script_name(english:"Debian DSA-143-1 : krb5 - integer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An integer overflow bug has been discovered in the RPC library used by
    the Kerberos 5 administration system, which is derived from the SunRPC
    library. This bug could be exploited to gain unauthorized root access
    to a KDC host. It is believed that the attacker needs to be able to
    authenticate to the kadmin daemon for this attack to be successful. No
    exploits are known to exist yet."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-143"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the kerberos packages immediately.
    
    This problem has been fixed in version 1.2.4-5woody1 for the current
    stable distribution (woody) and in version 1.2.5-2 for the unstable
    distribution (sid). Debian 2.2 (potato) is not affected since it
    doesn't contain krb5 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"krb5-admin-server", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-clients", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-doc", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-ftpd", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-kdc", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-rsh-server", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-telnetd", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-user", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libkadm55", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libkrb5-dev", reference:"1.2.4-5woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libkrb53", reference:"1.2.4-5woody1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-057.NASL
    descriptionThe network authentication system in Kerberos 5 contains an RPC library that includes an XDR decoder derived from Sun
    last seen2020-06-01
    modified2020-06-02
    plugin id13958
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13958
    titleMandrake Linux Security Advisory : krb5 (MDKSA-2002:057)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:057. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13958);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0391");
      script_xref(name:"MDKSA", value:"2002:057");
    
      script_name(english:"Mandrake Linux Security Advisory : krb5 (MDKSA-2002:057)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The network authentication system in Kerberos 5 contains an RPC
    library that includes an XDR decoder derived from Sun's RPC
    implementation. This implemenation is vulnerable to a heap overflow.
    With Kerberos, it is believed that an attacker would need to be able
    to successfully authenticate to kadmin to be able to exploit this
    vulnerability."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-client-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-server-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-client-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-server-krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/09/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"ftp-client-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"ftp-server-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"krb5-devel-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"krb5-libs-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"krb5-server-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"krb5-workstation-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"telnet-client-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"telnet-server-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"ftp-client-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"ftp-server-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"krb5-devel-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"krb5-libs-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"krb5-server-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"krb5-workstation-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"telnet-client-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"telnet-server-krb5-1.2.2-17.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-142.NASL
    descriptionAn integer overflow bug has been discovered in the RPC library used by the OpenAFS database server, which is derived from the SunRPC library. This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes. No exploits are known to exist yet.
    last seen2020-06-01
    modified2020-06-02
    plugin id14979
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14979
    titleDebian DSA-142-1 : openafs - integer overflow
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-061.NASL
    descriptionA heap buffer overflow exists in the XDR decoder in glibc version 2.2.5 and earlier. XDR is a mechanism for encoding data structures for use with RPC, which is derived from Sun
    last seen2020-06-01
    modified2020-06-02
    plugin id13962
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13962
    titleMandrake Linux Security Advisory : glibc (MDKSA-2002:061)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-167.NASL
    descriptionUpdated glibc packages are available which fix a buffer overflow in the XDR decoder and two vulnerabilities in the resolver functions. [updated 8 aug 2002] Updated packages have been made available, as the original errata introduced a bug which could cause calloc() to crash on 32-bit platforms when passed a size of 0. These updated errata packages contain a patch to correct this bug. The glibc package contains standard libraries which are used by multiple programs on the system. Sun RPC is a remote procedure call framework which allows clients to invoke procedures in a server process over a network. XDR is a mechanism for encoding data structures for use with RPC. NFS, NIS, and other network services that are built upon Sun RPC. The glibc package contains an XDR encoder/decoder derived from Sun
    last seen2020-06-01
    modified2020-06-02
    plugin id12318
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12318
    titleRHEL 2.1 : glibc (RHSA-2002:167)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-173.NASL
    descriptionUpdated Kerberos 5 packages are now available for Red Hat LInux Advanced Server. These updates fix a buffer overflow in the XDR decoder. Sun RPC is a remote procedure call framework which allows clients to invoke procedures in a server process over a network. XDR is a mechanism for encoding data structures for use with RPC. The Kerberos 5 network authentication system contains an RPC library which includes an XDR decoder derived from Sun
    last seen2020-06-01
    modified2020-06-02
    plugin id12320
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12320
    titleRHEL 2.1 : krb5 (RHSA-2002:173)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-333.NASL
    descriptionacm, a multi-player aerial combat simulation, uses a network protocol based on the same RPC implementation used in many C libraries. This implementation was found to contain an integer overflow vulnerability which could be exploited to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id15170
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15170
    titleDebian DSA-333-1 : acm - integer overflow
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-146.NASL
    descriptionAn integer overflow bug has been discovered in the RPC library used by dietlibc, a libc optimized for small size, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to software linking to this code. The packages below also fix integer overflows in the calloc, fread and fwrite code. They are also more strict regarding hostile DNS packets that could lead to a vulnerability otherwise. These problems have been fixed in version 0.12-2.4 for the current stable distribution (woody) and in version 0.20-0cvs20020808 for the unstable distribution (sid). Debian 2.2 (potato) is not affected since it doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id14983
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14983
    titleDebian DSA-146-2 : dietlibc - integer overflow
  • NASL familyRPC
    NASL idRPC_CMSD_OVERFLOW.NASL
    descriptionThe remote Sun rpc.cmsd has integer overflow problem in xdr_array. An attacker may use this flaw to execute arbitrary code on this host with the privileges rpc.cmsd is running as (typically, root), by sending a specially crafted request to this service.
    last seen2020-06-01
    modified2020-06-02
    plugin id11418
    published2003-03-19
    reporterThis script is Copyright (C) 2003-2018 Xue Yong Zhi
    sourcehttps://www.tenable.com/plugins/nessus/11418
    titleSun rpc.cmsd Remote Overflow
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-149.NASL
    descriptionAn integer overflow bug has been discovered in the RPC library used by GNU libc, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to software linking to this code. The packages below also fix integer overflows in the malloc code. They also contain a fix from Andreas Schwab to reduce linebuflen in parallel to bumping up the buffer pointer in the NSS DNS code.
    last seen2020-06-01
    modified2020-06-02
    plugin id14986
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14986
    titleDebian DSA-149-1 : glibc - integer overflow
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2002_031.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2002:031 (glibc). An integer overflow has been discovered in the xdr_array() function, contained in the Sun Microsystems RPC/XDR library, which is part of the glibc library package on all SUSE products. This overflow allows a remote attacker to overflow a buffer, leading to remote execution of arbitrary code supplied by the attacker. There is no temporary workaround for this security problem other than disabling all RPC based server and client programs. The permanent solution is to update the glibc packages with the update packages listed below.
    last seen2020-06-01
    modified2020-06-02
    plugin id13753
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13753
    titleSUSE-SA:2002:031: glibc

Oval

  • accepted2010-09-20T04:00:23.326-04:00
    classvulnerability
    contributors
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameMatthew Wojcik
      organizationThe MITRE Corporation
    • nameTodd Dolinsky
      organizationOpsware, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    descriptionInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
    familyunix
    idoval:org.mitre.oval:def:42
    statusaccepted
    submitted2003-01-02T12:00:00.000-04:00
    titleSolaris 7 RPC xdr_array Buffer Overflow
    version37
  • accepted2006-09-27T12:29:27.565-04:00
    classvulnerability
    contributors
    • nameBrian Soby
      organizationThe MITRE Corporation
    • nameMatthew Wojcik
      organizationThe MITRE Corporation
    descriptionInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
    familyunix
    idoval:org.mitre.oval:def:4728
    statusaccepted
    submitted2005-01-19T12:00:00.000-04:00
    titleSunRPC xdr_array Function Integer Overflow
    version35
  • accepted2010-09-20T04:00:45.613-04:00
    classvulnerability
    contributors
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameMatthew Wojcik
      organizationThe MITRE Corporation
    • nameTodd Dolinsky
      organizationOpsware, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    descriptionInteger overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
    familyunix
    idoval:org.mitre.oval:def:9
    statusaccepted
    submitted2003-01-28T12:00:00.000-04:00
    titleSolaris 8 RPC xdr_array Buffer Overflow
    version37

Redhat

advisories
  • rhsa
    idRHSA-2002:166
  • rhsa
    idRHSA-2002:167
  • rhsa
    idRHSA-2002:172
  • rhsa
    idRHSA-2002:173
  • rhsa
    idRHSA-2003:168
  • rhsa
    idRHSA-2003:212

References