Vulnerabilities > CVE-2002-1391 - Buffer Overrun vulnerability in MGetty Caller ID Excessive Name Length
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
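Buffer overflow in cnd-program for mgetty before 1.1.29 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a Caller ID string with a long CallerName argument. As the vendor advisories quoted below describe it, the over-long caller name is the one reported by the modem through Caller ID, mgetty can be configured to hand that data to an external program that decides whether to answer the call, and the fixed vendor packages ship mgetty 1.1.30.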
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-053.NASL description Two vulnerabilities were discovered in mgetty versions prior to 1.1.29. An internal buffer could be overflowed if the caller name reported by the modem, via Caller ID information, was too long. As well, the faxspool script that comes with mgetty used a simple permissions scheme to allow or deny fax transmission privileges. Because the spooling directory used for outgoing faxes was world-writable, this scheme was easily circumvented. Update : The installation of mgetty-sendfax on Mandrake Linux 8.2 relied on macros that are non-existent, which would result in fresh installs of mgetty-sendfax being unable to work. Updated packages for 8.2 correct this. last seen 2020-06-01 modified 2020-06-02 plugin id 14037 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14037 title Mandrake Linux Security Advisory : mgetty (MDKSA-2003:053-1) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2003:053.
# The text itself is copyright (C) Mandriva S.A.
#
# Purpose: local package-version check for MDKSA-2003:053-1 (mgetty).
# The script only reads knowledge-base (KB) items and compares the host's
# rpm list against the advisory's package builds. Nothing in it talks to
# mgetty or to a modem, so a finding means "package not updated", not
# "Caller ID handling is enabled and reachable on this host".

include("compat.inc");

# Registration branch: when `description` is set the script declares its
# metadata and exits without examining any host.
if (description)
{
  script_id(14037);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  # One plugin covers both issues; a hit does not say which of the two
  # CVEs is the relevant one for a given host.
  script_cve_id("CVE-2002-1391", "CVE-2002-1392");
  script_xref(name:"MDKSA", value:"2003:053");
  script_xref(name:"MDKSA", value:"2003:053-1");

  script_name(english:"Mandrake Linux Security Advisory : mgetty (MDKSA-2003:053-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." );
  script_set_attribute( attribute:"description", value: "Two vulnerabilities were discovered in mgetty versions prior to 1.1.29. 
An internal buffer could be overflowed if the caller name reported by the modem, via Caller ID information, was too long. As well, the faxspool script that comes with mgetty used a simple permissions scheme to allow or deny fax transmission privileges. Because the spooling directory used for outgoing faxes was world-writable, this scheme was easily circumvented. Update : The installation of mgetty-sendfax on Mandrake Linux 8.2 relied on macros that are non-existent, which would result in fresh installs of mgetty-sendfax being unable to work. Updated packages for 8.2 correct this." );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # CVSS v2 base vector: network access, low complexity, no authentication,
  # partial confidentiality / integrity / availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # "local": the check relies on data collected from the host itself.
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-contrib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-sendfax");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-viewfax");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-voice");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # The KB keys required below are presumably populated by this dependency;
  # without them the check cannot run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions. audit() comes from audit.inc (not shown); presumably it ends
# the script with the stated reason -- confirm there.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# NOTE(review): "Mandake" in the next message is a typo for "Mandrake"; the
# string is left exactly as published.
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# The gate admits amd64 / x86_64 as well as i386..i686, but every rpm_check
# below names cpu:"i386". How rpm_check treats a non-matching architecture is
# not visible here -- check rpm.inc before reading "not affected" on a 64-bit
# host as proof that the packages are fixed.
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# `flag` counts the rpm_check calls that returned true. The references are the
# advisory's package builds (mgetty 1.1.30), not the upstream 1.1.29 boundary
# quoted in the description text.
flag = 0;

# Mandrake Linux 8.2
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-1.1.30-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-contrib-1.1.30-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-sendfax-1.1.30-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-viewfax-1.1.30-1.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-voice-1.1.30-1.2mdk", yank:"mdk")) flag++;

# Mandrake Linux 9.0
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-1.1.30-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-contrib-1.1.30-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-sendfax-1.1.30-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-viewfax-1.1.30-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-voice-1.1.30-1.1mdk", yank:"mdk")) flag++;

# Any hit is reported once, on port 0; the rpm_report_get() output is attached
# only when report_verbosity is above zero.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-008.NASL description Updated Mgetty packages are now available to fix a possible buffer overflow and a permissions problem. Mgetty is a getty replacement for use with data and fax modems. Mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Versions of Mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long. Additionally, the faxspool script supplied with versions of Mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable. All users of Mgetty should upgrade to these errata packages, which contain Mgetty 1.1.30 and are not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 12349 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12349 title RHEL 2.1 : mgetty (RHSA-2003:008) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2003:008. The text
# itself is copyright (C) Red Hat, Inc.
#
# Purpose: local package-version check for RHSA-2003:008 (mgetty) on
# Red Hat Enterprise Linux 2.1. The script works from knowledge-base (KB)
# items only: either yum updateinfo data or the host's rpm list. It does not
# inspect mgetty's configuration, so a finding means "erratum not applied",
# not "Caller ID handling is enabled on this host".

include("compat.inc");

# Registration branch: when `description` is set the script declares its
# metadata and exits without examining any host.
if (description)
{
  script_id(12349);
  script_version ("1.24");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  # One plugin covers both issues fixed by the erratum.
  script_cve_id("CVE-2002-1391", "CVE-2002-1392");
  script_xref(name:"RHSA", value:"2003:008");

  script_name(english:"RHEL 2.1 : mgetty (RHSA-2003:008)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." 
  );
  script_set_attribute( attribute:"description", value: "Updated Mgetty packages are now available to fix a possible buffer overflow and a permissions problem. Mgetty is a getty replacement for use with data and fax modems. Mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Versions of Mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long. Additionally, the faxspool script supplied with versions of Mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable. All users of Mgetty should upgrade to these errata packages, which contain Mgetty 1.1.30 and are not vulnerable to these issues." );
  script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1391" );
  script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-1392" );
  # http://search.alphanet.ch/cgi-bin/search.cgi?msgid=
  # NOTE(review): the msgid value is empty in the link below, so it does not
  # identify a specific mailing-list message.
  script_set_attribute( attribute:"see_also", value:"https://www.alphanet.ch/~schaefer/cgi-bin/search.cgi?msgid=" );
  script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:008" );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  # CVSS v2 base vector: network access, low complexity, no authentication,
  # partial confidentiality / integrity / availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # "local": the check relies on data collected from the host itself.
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty-sendfax");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty-viewfax");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty-voice");
  script_set_attribute(attribute:"cpe", 
    value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  # The KB keys required below are presumably populated by this dependency;
  # without them the check cannot run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Preconditions. audit() comes from audit.inc (not shown); presumably it ends
# the script with the stated reason -- confirm there.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The release string must mention "Red Hat" and yield a version number.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
# Only release 2.1 is in scope: "2.1" followed by a non-digit or end of string.
if (! 
  preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
# Two gates in sequence: the first admits x86_64, i386..i686 and s390; the
# second then rejects everything except i386..i686, so only that family
# reaches the package comparison.
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

# Two verdict paths. When the KB holds yum updateinfo data, the result comes
# from redhat_generate_yum_updateinfo_report() for this RHSA and the rpm_check
# list further down is skipped entirely.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2003:008";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    # A non-empty report is raised as a finding on port 0.
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    # An empty report is audited as "not affected by this advisory".
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  # Fallback: compare the rpm list against the erratum's builds. `flag`
  # counts the rpm_check calls that returned true. The references are the
  # erratum packages (mgetty 1.1.30), not the upstream 1.1.29 boundary quoted
  # in the description text.
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-1.1.30-0.7")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-sendfax-1.1.30-0.7")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-viewfax-1.1.30-0.7")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-voice-1.1.30-0.7")) flag++;

  if (flag)
  {
    # The finding text is rpm_report_get() followed by
    # redhat_report_package_caveat(); both helpers are defined elsewhere.
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    # No hit: audit as "not affected" when pkg_tests_get() returns something,
    # otherwise as "not installed".
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mgetty / mgetty-sendfax / mgetty-viewfax / mgetty-voice");
  }
}
Redhat
advisories |
|
References
- ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-021.0.txt
- http://marc.info/?l=bugtraq&m=105154413326136&w=2
- http://search.alphanet.ch/cgi-bin/search.cgi?msgid=20021125142338.E12094%40greenie.muc.de&max_results=1&type=long&domain=ml-mgetty
- http://www.redhat.com/support/errata/RHSA-2003-008.html
- http://www.redhat.com/support/errata/RHSA-2003-036.html
- http://www.securityfocus.com/bid/7303
- https://exchange.xforce.ibmcloud.com/vulnerabilities/11072