CVE-2003-0099 - Buffer Overflow vulnerability in APC Apcupsd 3.8.5

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Summary

Multiple buffer overflows in apcupsd before 3.8.6, and 3.10.x before 3.10.5, may allow attackers to cause a denial of service or execute arbitrary code, related to usage of the vsprintf function.

Vulnerable Configurations

Part         Description   Count
Application  Apc           1

Nessus

  • NASL family: Gain a shell remotely
    NASL id: APCUPSD_OVERFLOWS.NASL
    description: The remote host is running the apcupsd client which, according to its version number, is affected by multiple vulnerabilities : - The configuration file
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11484
    published: 2003-03-26
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11484
    title: APC < 3.8.0 apcupsd Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    # Plugin metadata: ids, CVSS vectors and the vulnerability description.
    if (description)
    {
      script_id(11484);
      script_bugtraq_id(2070, 6828, 7200);
      script_cve_id("CVE-2001-0040", "CVE-2003-0098", "CVE-2003-0099");

      script_version("1.20");

      script_name(english:"APC < 3.8.0 apcupsd Multiple Vulnerabilities");
      script_summary(english:"Checks the version of apcupsd");

      script_set_attribute(attribute:"synopsis", value:
    "The remote host is running an application which is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running the apcupsd client which, according to its
    version number, is affected by multiple vulnerabilities :

      - The configuration file '/var/run/apcupsd.pid' is by
        default world-writable. A local attacker could re-write
        this file with other process IDs in order to crash the
        affected system.

      - An issue exists in the 'log_event' function which a
        local attacker could exploit in order to execute
        arbitrary code.

      - Several buffer overflow vulnerabilities have been
        reported which a remote attacker could exploit in order
        to execute arbitrary code on the remote host.

    *** Nessus solely relied on the version number of the
    *** remote server, so this might be a false positive");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Dec/102");
      script_set_attribute(attribute:"see_also", value:"http://www.novell.com/linux/security/advisories/2003_022_apcupsd.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrading to apcupsd version 3.8.0 or newer reportedly fixes the issue.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/26");
      script_set_attribute(attribute:"vuln_publication_date", value:"2000/12/06");
      script_cvs_date("Date: 2018/11/15 20:50:22");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);

      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
      script_family(english:"Gain a shell remotely");
      script_dependencie("find_service1.nasl", "apcnisd_detect.nasl");
      script_require_ports("Services/apcnisd", 7000);

      exit(0);
    }

    # Locate the apcupsd network information server (NIS) port; default 7000.
    port = get_kb_item("Services/apcnisd");
    if (!port) port = 7000;
    if (!get_port_state(port)) exit(0);

    soc = open_sock_tcp(port);
    if (!soc) exit(0);

    # NIS requests are a two-byte big-endian length followed by the command;
    # "status" returns the daemon's status block, which includes its RELEASE line.
    req = raw_string(0x00, 0x06) + "status";
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    close(soc);

    # Version-only check: flag 3.0.x-3.7.x, 3.8.0-3.8.5, 3.10.0-3.10.4 and any
    # 0.x-2.x release. Note that 3.9.x is not matched by this pattern.
    if ("APC" >< r && "MODEL" >< r)
    {
      r = strstr(r, "RELEASE");
      if (ereg(pattern:"RELEASE.*: (3\.([0-7]\..*|8\.[0-5][^0-9]|10\.[0-4])|[0-2]\..*)", string:r))
        security_hole(port);
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-018.NASL
    description: A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. They have been fixed in the latest unstable version, 3.10.5, which contains additional enhancements like USB support, and the latest stable version, 3.8.6. There are a few changes that need to be noted, such as the port having changed from port 7000 to port 3551 for NIS, and the new config only allowing access from the localhost. Users may need to modify their configuration files appropriately, depending upon their configuration.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14003
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14003
    title: Mandrake Linux Security Advisory : apcupsd (MDKSA-2003:018)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2003_022.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2003:022 (apcupsd). The controlling and management daemon apcupsd for APC
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13792
    published: 2004-07-25
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13792
    title: SUSE-SA:2003:022: apcupsd
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-277.NASL
    description: The controlling and management daemon apcupsd for APC
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15114
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15114
    title: Debian DSA-277-1 : apcupsd - buffer overflows, format string