Vulnerabilities > CVE-2002-1050 - Unspecified vulnerability in Hylafax

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
hylafax
nessus

Summary

Buffer overflow in HylaFAX faxgetty before 4.1.3 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long line of image data.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-055.NASL
    descriptionNumerous vulnerabilities in the HylaFAX product exist in versions prior to 4.1.3. It does not check the TSI string which is received from remote FAX systems before using it in logging and other places. A remote sender using a specially formatted TSI string can cause the faxgetty program to segfault, resulting in a denial of service. Format string vulnerabilities were also discovered by Christer Oberg, which exist in a number of utilities bundled with HylaFax, such as faxrm, faxalter, faxstat, sendfax, sendpage, and faxwatch. If any of these tools are setuid, they could be used to elevate system privileges. Mandrake Linux does not, by default, install these tools setuid. Finally, Lee Howard discovered that faxgetty would segfault due to a buffer overflow after receiving a very large line of image data. This vulnerability could conceivably be used to execute arbitrary commands on the system as root, and could also be exploited more easily as a denial of sevice.
    last seen2020-06-01
    modified2020-06-02
    plugin id13957
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13957
    titleMandrake Linux Security Advisory : hylafax (MDKSA-2002:055)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:055. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13957);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2001-1034", "CVE-2002-1049", "CVE-2002-1050");
      script_bugtraq_id(3357);
      script_xref(name:"MDKSA", value:"2002:055");
    
      script_name(english:"Mandrake Linux Security Advisory : hylafax (MDKSA-2002:055)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Numerous vulnerabilities in the HylaFAX product exist in versions
    prior to 4.1.3. It does not check the TSI string which is received
    from remote FAX systems before using it in logging and other places. A
    remote sender using a specially formatted TSI string can cause the
    faxgetty program to segfault, resulting in a denial of service. Format
    string vulnerabilities were also discovered by Christer Oberg, which
    exist in a number of utilities bundled with HylaFax, such as faxrm,
    faxalter, faxstat, sendfax, sendpage, and faxwatch. If any of these
    tools are setuid, they could be used to elevate system privileges.
    Mandrake Linux does not, by default, install these tools setuid.
    Finally, Lee Howard discovered that faxgetty would segfault due to a
    buffer overflow after receiving a very large line of image data. This
    vulnerability could conceivably be used to execute arbitrary commands
    on the system as root, and could also be exploited more easily as a
    denial of sevice."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/215984"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:hylafax");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:hylafax-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:hylafax-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libhylafax4.1.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libhylafax4.1.1-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"hylafax-4.1-0.11mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"hylafax-client-4.1-0.11mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"hylafax-server-4.1-0.11mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"hylafax-4.1-0.11mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"hylafax-client-4.1-0.11mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"hylafax-server-4.1-0.11mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"hylafax-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"hylafax-client-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"hylafax-server-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"libhylafax4.1.1-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"libhylafax4.1.1-devel-4.1.3-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"hylafax-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"hylafax-client-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"hylafax-server-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libhylafax4.1.1-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"libhylafax4.1.1-devel-4.1.3-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"hylafax-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"hylafax-client-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"hylafax-server-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libhylafax4.1.1-4.1.3-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"libhylafax4.1.1-devel-4.1.3-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2002_035.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2002:035 (hylafax). HylaFAX is a client-server architecture for receiving and sending facsimiles. The logging function of faxgetty prior version 4.1.3 was vulnerable to a format string bug when handling the TSI value of a received facsimile. This bug could easily be used to trigger a denial-of-service attack or to execute arbitrary code remotely. Another bug in faxgetty, a buffer overflow, can be abused by a remote attacker by sending a large line of image data to execute arbitrary commands too. Several format string bugs in local helper applications were fixed too. These bugs can not be exploited to gain higher privileges on a system running SUSE LINUX because of the absence of setuid bits. The hylafax package is not installed by default. A temporary fix is not known. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen2020-06-01
    modified2020-06-02
    plugin id13756
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13756
    titleSUSE-SA:2002:035: hylafax
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2002:035
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(13756);
     script_bugtraq_id(5349);
     script_version ("1.15");
     script_cve_id("CVE-2002-1050");
     
     name["english"] = "SUSE-SA:2002:035: hylafax";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2002:035 (hylafax).
    
    
    HylaFAX is a client-server architecture for receiving and sending
    facsimiles.
    
    The logging function of faxgetty prior version 4.1.3 was vulnerable to
    a format string bug when handling the TSI value of a received facsimile.
    This bug could easily be used to trigger a denial-of-service attack or
    to execute arbitrary code remotely.
    
    Another bug in faxgetty, a buffer overflow, can be abused by a remote
    attacker by sending a large line of image data to execute arbitrary
    commands too.
    
    Several format string bugs in local helper applications were fixed too.
    These bugs can not be exploited to gain higher privileges on a system
    running SUSE LINUX because of the absence of setuid bits.
    
    The hylafax package is not installed by default.
    A temporary fix is not known.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2002_035_hylafax.html" );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
     script_cvs_date("Date: 2019/10/25 13:36:27");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the hylafax package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"hylafax-4.1beta2-373", release:"SUSE7.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"hylafax-4.1beta2-375", release:"SUSE7.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"hylafax-4.1beta2-376", release:"SUSE7.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"hylafax-4.1-284", release:"SUSE7.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"hylafax-4.1-285", release:"SUSE8.0") )
    {
     security_hole(0);
     exit(0);
    }
    if (rpm_exists(rpm:"hylafax-", release:"SUSE7.0")
     || rpm_exists(rpm:"hylafax-", release:"SUSE7.1")
     || rpm_exists(rpm:"hylafax-", release:"SUSE7.2")
     || rpm_exists(rpm:"hylafax-", release:"SUSE7.3")
     || rpm_exists(rpm:"hylafax-", release:"SUSE8.0") )
    {
     set_kb_item(name:"CVE-2002-1050", value:TRUE);
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-148.NASL
    descriptionA set of problems have been discovered in Hylafax, a flexible client/server fax software distributed with many GNU/Linux distributions. Quoting SecurityFocus the problems are in detail : - A format string vulnerability makes it possible for users to potentially execute arbitrary code on some implementations. Due to insufficient checking of input, it
    last seen2020-06-01
    modified2020-06-02
    plugin id14985
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14985
    titleDebian DSA-148-1 : hylafax - buffer overflows and format string vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-148. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14985);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2001-0387", "CVE-2001-1034", "CVE-2002-1049", "CVE-2002-1050");
      script_bugtraq_id(3357, 5348, 5349);
      script_xref(name:"DSA", value:"148");
    
      script_name(english:"Debian DSA-148-1 : hylafax - buffer overflows and format string vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A set of problems have been discovered in Hylafax, a flexible
    client/server fax software distributed with many GNU/Linux
    distributions. Quoting SecurityFocus the problems are in detail :
    
      - A format string vulnerability makes it possible for
        users to potentially execute arbitrary code on some
        implementations. Due to insufficient checking of input,
        it's possible to execute a format string attack. Since
        this only affects systems with the faxrm and faxalter
        programs installed setuid, Debian is not vulnerable.
      - A buffer overflow has been reported in Hylafax. A
        malicious fax transmission may include a long scan line
        that will overflow a memory buffer, corrupting adjacent
        memory. An exploit may result in a denial of service
        condition, or possibly the execution of arbitrary code
        with root privileges.
    
      - A format string vulnerability has been discovered in
        faxgetty. Incoming fax messages include a Transmitting
        Subscriber Identification (TSI) string, used to identify
        the sending fax machine. Hylafax uses this data as part
        of a format string without properly sanitizing the
        input. Malicious fax data may cause the server to crash,
        resulting in a denial of service condition.
    
      - Marcin Dawcewicz discovered a format string
        vulnerability in hfaxd, which will crash hfaxd under
        certain circumstances. Since Debian doesn't have hfaxd
        installed setuid root, this problem cannot directly lead
        into a vulnerability. This has been fixed by Darren
        Nickerson, which was already present in newer versions,
        but not in the potato version.
    
    These problems have been fixed in version 4.0.2-14.3 for the old
    stable distribution (potato), in version 4.1.1-1.1 for the current
    stable distribution (woody) and in version 4.1.2-2.1 for the unstable
    distribution (sid)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-148"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the hylafax packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hylafax");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2001/04/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"2.2", prefix:"hylafax-client", reference:"4.0.2-14.3")) flag++;
    if (deb_check(release:"2.2", prefix:"hylafax-doc", reference:"4.0.2-14.3")) flag++;
    if (deb_check(release:"2.2", prefix:"hylafax-server", reference:"4.0.2-14.3")) flag++;
    if (deb_check(release:"3.0", prefix:"hylafax-client", reference:"4.1.1-1.1")) flag++;
    if (deb_check(release:"3.0", prefix:"hylafax-doc", reference:"4.1.1-1.1")) flag++;
    if (deb_check(release:"3.0", prefix:"hylafax-server", reference:"4.1.1-1.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");