Vulnerabilities > CVE-2002-1661 - Denial Of Service vulnerability in Leafnode Resource Exhaustion

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

The leafnode NNTP server in leafnode 1.9.20 through 1.9.29 allows remote attackers to cause a denial of service (infinite loop with 100% CPU use) by requesting, by Message-ID, an article that was cross-posted to several newsgroups where one group's name is a prefix of another group's name. The defect was introduced in 1.9.20 and fixed upstream in 1.9.30.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-005.NASL
    descriptionA vulnerability was discovered by Jan Knutar in leafnode that Mark Brown pointed out could be used in a Denial of Service attack. This vulnerability causes leafnode to go into an infinite loop with 100% CPU use when an article that has been cross-posted to several groups, one of which is the prefix of another, is requested by its Message-ID.
    last seen2020-06-01
    modified2020-06-02
    plugin id13990
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13990
    titleMandrake Linux Security Advisory : leafnode (MDKSA-2003:005)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:005. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity and revision bookkeeping.
      script_id(13990);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      # Cross-references: the CVE and the Mandrake advisory this check was built from.
      script_cve_id("CVE-2002-1661");
      script_xref(name:"MDKSA", value:"2003:005");
    
      script_name(english:"Mandrake Linux Security Advisory : leafnode (MDKSA-2003:005)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      # Advisory text reproduced verbatim (copyright Mandriva, see file header).
      # It is the user-facing finding text, so its wording is left as extracted.
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered by Jan Knutar in leafnode that Mark
    Brown pointed out could be used in a Denial of Service attack. This
    vulnerability causes leafnode to go into an infinite loop with 100%
    CPU use when an article that has been crossposed to several groups,
    one of which is the prefix of another, is requested by it's
    Message-ID.
    
    This vulnerability was introduced in 1.9.20 and fixed upstream in
    version 1.9.30. Only Mandrake Linux 9.0 is affected by this, but
    version 1.9.19 (which shipped with Mandrake Linux 8.2) is receiving an
    update due to critical bugs in it that can corrupt parts of its news
    spool under certain circumstances."
      );
      # Original BugTraq posting of the advisory (theaimsgroup mirror moved to marc.info).
      # http://marc.theaimsgroup.com/?l=bugtraq&m=104127108823436&w=2
      script_set_attribute(
        attribute:"see_also",
        value:"http://marc.info/?l=bugtraq&m=104127108823436&w=2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected leafnode package."
      );
      # CVSSv2 5.0: network, low complexity, no auth, availability impact only.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # Authenticated (local) package check. Both Mandrake 8.2 and 9.0 are listed
      # even though the advisory text above says only 9.0 ships an affected
      # leafnode; 8.2 is included because the advisory updated it as well.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:leafnode");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Needs an SSH session that has already collected the OS release and RPM list.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
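    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Local (authenticated) check: requires an SSH session that collected the
    # Mandrake release string and the installed RPM list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # Audit message spelled "Mandake" in the original; corrected to "Mandrake"
    # so the OS name matches the one used in the architecture audit below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 package references are known to this plugin; any other
    # architecture is reported as "not implemented" rather than guessed at.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # Package reference from MDKSA-2003:005 (leafnode 1.9.31 packaged by Mandrake).
    # rpm_check presumably flags any installed leafnode older than the reference.
    # The advisory states only Mandrake 9.0 shipped a leafnode affected by
    # CVE-2002-1661; 8.2 is still checked because the same advisory updated it,
    # so a hit on MDK8.2 means "advisory update missing", not necessarily the CVE.
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"leafnode-1.9.31-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"leafnode-1.9.31-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      # Verbose scans get the installed-vs-reference package comparison attached.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");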
    
  • NASL familyMisc.
    NASL idLEAFNODE_1_9_29.NASL
    descriptionAccording to its version number, the remote Leafnode NNTP server is vulnerable to a denial of service attack. Specifically, it may go into an infinite loop with 100% CPU use when an article that has been cross-posted to several groups, one of which is the prefix of another, is requested by its Message-ID. Note that Nessus did not actually test for the flaw but instead relied on the version in Leafnode's banner, so this may be a false positive.
    last seen2020-06-01
    modified2020-06-02
    plugin id42259
    published2009-10-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42259
    titleleafnode Cross-Posted Article Group Name Prefix DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if(description)
    {
     # Plugin identity and revision bookkeeping.
     script_id(42259);
     script_version ("1.8");
     script_cvs_date("Date: 2018/07/12 19:01:16");
    
     # CVE and BugTraq references for the leafnode cross-post prefix loop.
     script_cve_id("CVE-2002-1661");
     script_bugtraq_id(6490);
    
     script_name(english:"leafnode Cross-Posted Article Group Name Prefix DoS");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote NNTP server is vulnerable to a denial of service attack." );
     # The finding text explicitly warns that this is a banner/version check
     # only; the flaw is never triggered, so false positives are possible
     # (e.g. a backported fix that leaves the version string unchanged).
     script_set_attribute(attribute:"description", value:
    "According to its version number, the remote Leafnode NNTP server is
    vulnerable to a denial of service attack.  Specifically, it may go
    into an infinite loop with 100% CPU use when an article that has been
    crossposted to several groups, one of which is the prefix of another,
    and when this article is then requested by its Message-ID. 
    
    Note that Nessus did not actually test for the flaw but instead has
    relied on the version in Leafnode's banner so this may be a false
    positive.");
     script_set_attribute(attribute:"see_also", value: "http://leafnode.sourceforge.net/leafnode-SA-2002-01.txt");
     # NOTE(review): 1.9.48 is presumably the current release when the plugin
     # was written (2009); the Mandrake advisory MDKSA-2003:005 for this CVE
     # says the fix landed upstream in 1.9.30, and the version test below
     # only flags 1.9.20-1.9.29.
     script_set_attribute(attribute:"solution", value: "Upgrade to 1.9.48 or later." );
     # CVSSv2 5.0: network, low complexity, no auth, availability impact only.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2009/10/27");
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/12/30");
     # Unauthenticated remote check driven purely by the NNTP greeting banner.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_summary(english:"Check Leafnode version number for flaws");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
     # Runs after the NNTP service detector; "script_dependencie" (no trailing
     # "s") is the spelling used by the original file, presumably a legacy alias.
     script_dependencie("nntpserver_detect.nasl");
     script_require_ports("Services/nntp", 119);
     # Only scheduled when the detector already identified the server as Leafnode.
     script_require_keys("nntp/leafnode");
     exit(0);
    }
    
    #
    
    # Resolve the NNTP port found by the service detector, defaulting to 119,
    # and give up silently if the port is not open.
    port = get_kb_item("Services/nntp");
    if (! port) port = 119;
    if (! get_port_state(port)) exit(0);
    
    # Prefer the greeting banner already cached in the KB by the detector;
    # fall back to grabbing the first line ourselves when it is missing.
    banner_key = string("nntp/banner/", port);
    banner = get_kb_item(banner_key);
    if (! banner)
    {
      sock = open_sock_tcp(port);
      if (! sock) exit(0);
      banner = recv_line(socket: sock, length: 2048);
      close(sock);
    }
    
    # Example of banner:
    # 200 Leafnode NNTP Daemon, version 1.9.32.rel running at localhost (my fqdn: www.nessus.org)
    #
    # Version-only test: 1.9.20 through 1.9.29 are the affected releases, so the
    # pattern accepts exactly a "1.9.2" followed by one more digit. Nothing is
    # sent to the server beyond reading its greeting.
    if ("Leafnode" >!< banner) exit(0);
    if (! ereg(string: banner, pattern: "version +1\.9\.2[0-9]")) exit(0);
    
    security_warning(port: port);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_F7A3B18C624C47039756B6B27429E5B0.NASL
    descriptionThe leafnode NNTP server may go into an unterminated loop with 100% CPU use when an article is requested by Message-ID that has been crossposted to several news groups when one of the group names is the prefix of another group name that the article was cross-posted to. Found by Jan Knutar.
    last seen2020-06-01
    modified2020-06-02
    plugin id19177
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19177
    titleFreeBSD : leafnode denial-of-service triggered by article request (f7a3b18c-624c-4703-9756-b6b27429e5b0)