Vulnerabilities > CVE-2003-0252 - Off-by-one Error vulnerability in Linux-Nfs Nfs-Utils

CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
linux-nfs
CWE-193
critical
nessus

Summary

Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. Whether the single-byte overwrite is exploitable for code execution — as root, since rpc.mountd runs privileged — depends on the stack layout of the particular build: SUSE notes that some of its builds are not exploitable because of compiler stack alignment, while Red Hat (RHSA-2003:207) assesses its packages as exposed to a crash only. The same xlog() code is also used by rpc.statd, so both NFS servers and clients should be updated.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2003-195-01.NASL
    descriptionNew nfs-utils packages are available for Slackware 8.1, 9.0, and -current to fix an off-by-one buffer overflow in xlog.c. Thanks to Janusz Niewiadomski for discovering and reporting this problem. The CVE (Common Vulnerabilities and Exposures) Project has assigned the identification number CAN-2003-0252 to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id18729
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18729
    titleSlackware 8.1 / 9.0 / current : nfs-utils off-by-one overflow fixed (SSA:2003-195-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2003-195-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
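    if (description)
    {
      script_id(18729);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      # The advisory text below names CAN-2003-0252; record the CVE id so this
      # finding correlates with the other CVE-2003-0252 checks (the Mandrake
      # plugin for the same issue, 14059, already carries it).
      script_cve_id("CVE-2003-0252");
      script_xref(name:"SSA", value:"2003-195-01");
    
      script_name(english:"Slackware 8.1 / 9.0 / current : nfs-utils off-by-one overflow fixed (SSA:2003-195-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New nfs-utils packages are available for Slackware 8.1, 9.0, and
    -current to fix an off-by-one buffer overflow in xlog.c. Thanks to
    Janusz Niewiadomski for discovering and reporting this problem. The
    CVE (Common Vulnerabilities and Exposures) Project has assigned the
    identification number CAN-2003-0252 to this issue."
      );
      # Slackware advisory SSA:2003-195-01, reached through the Nessus URL shortener:
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.374504
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?acf4f0b5"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected nfs-utils package."
      );
      script_set_attribute(attribute:"risk_factor", value:"High");
      # Same CVSS2 vector the Mandrake plugin (14059) assigns to this CVE:
      # remote, low complexity, unauthenticated, complete C/I/A impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:nfs-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      # The package inventory is collected over SSH; these KB keys gate scheduling.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }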
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    # Local checks need the SSH-collected package list of a Slackware host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # The reference packages below are x86 builds; anything else is reported
    # as not covered rather than guessed at.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< arch || arch =~ "^i[3-6]86$")) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", arch);
    
    # Fixed nfs-utils package per release: version 1.0.4, build 1, built for
    # i386 on 8.1 / 9.0 and for i486 on -current (SSA:2003-195-01).
    ref_arch = make_array(
      "8.1",     "i386",
      "9.0",     "i386",
      "current", "i486"
    );
    
    vuln = 0;
    foreach osver (make_list("8.1", "9.0", "current"))
    {
      # slackware_check() presumably flags an installed nfs-utils that predates
      # the reference package for the matching release -- see slackware.inc.
      if (slackware_check(osver:osver, pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:ref_arch[osver], pkgnum:"1")) vuln++;
    }
    
    if (!vuln) audit(AUDIT_HOST_NOT, "affected");
    
    # Hole confirmed; attach the package details only in verbose reports.
    if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
    else security_hole(0);
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-076.NASL
    descriptionAn off-by-one buffer overflow was found in the logging code in nfs-utils when adding a newline to the string being logged. This could allow an attacker to execute arbitrary code or cause a DoS (Denial of Service) on the server by sending certain RPC requests.
    last seen2020-06-01
    modified2020-06-02
    plugin id14059
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14059
    titleMandrake Linux Security Advisory : nfs-utils (MDKSA-2003:076)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:076. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14059);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      # Cross-references for MDKSA-2003:076 (nfs-utils xlog() off-by-one) and the
      # CVSS2 vector: remote, low complexity, unauthenticated, complete C/I/A.
      script_cve_id("CVE-2003-0252");
      script_xref(name:"MDKSA", value:"2003:076");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_name(english:"Mandrake Linux Security Advisory : nfs-utils (MDKSA-2003:076)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      # Report text, taken verbatim from the advisory.
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mandrake Linux host is missing one or more security
    updates.");
      script_set_attribute(attribute:"description", value:
    "An off-by-one buffer overflow was found in the logging code in
    nfs-utils when adding a newline to the string being logged. This could
    allow an attacker to execute arbitrary code or cause a DoS (Denial of
    Service) on the server by sending certain RPC requests.");
      script_set_attribute(attribute:"solution", value:"Update the affected nfs-utils and / or nfs-utils-clients packages.");
    
      # Affected packages (server and -clients sub-package) and releases.
      script_set_attribute(attribute:"plugin_type", value:"local");
      foreach cpe (make_list(
        "p-cpe:/a:mandriva:linux:nfs-utils",
        "p-cpe:/a:mandriva:linux:nfs-utils-clients",
        "cpe:/o:mandrakesoft:mandrake_linux:8.2",
        "cpe:/o:mandrakesoft:mandrake_linux:9.0",
        "cpe:/o:mandrakesoft:mandrake_linux:9.1"
      ))
      {
        script_set_attribute(attribute:"cpe", value:cpe);
      }
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The RPM inventory is gathered over SSH; these KB keys gate scheduling.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Local checks require an RPM inventory gathered over SSH from a Mandrake host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # The reference RPMs below are i386 builds; only x86-family hosts are covered.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if (arch !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", arch);
    
    # Fixed version-release of nfs-utils per Mandrake release (MDKSA-2003:076);
    # the server package and the -clients sub-package share it.
    fixed_vr = make_array(
      "MDK8.2", "0.3.3-3.1mdk",
      "MDK9.0", "1.0.1-1.1mdk",
      "MDK9.1", "1.0.1-1.1mdk"
    );
    
    vuln = 0;
    foreach rel (make_list("MDK8.2", "MDK9.0", "MDK9.1"))
    {
      foreach pkg (make_list("nfs-utils", "nfs-utils-clients"))
      {
        # e.g. reference:"nfs-utils-clients-0.3.3-3.1mdk" for MDK8.2
        if (rpm_check(release:rel, cpu:"i386", reference:pkg + "-" + fixed_vr[rel], yank:"mdk")) vuln++;
      }
    }
    
    if (!vuln) audit(AUDIT_HOST_NOT, "affected");
    
    # Hole confirmed; include the per-package details only in verbose reports.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT_FIXES.NASL
    descriptionThis plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to.
    last seen2020-06-01
    modified2020-06-02
    plugin id12512
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2011 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12512
    titleRed Hat Enterprise Linux fixes
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    #
    
    # Feature-gate on bn_random(): a NASL interpreter that does not define it
    # skips this plugin silently instead of failing part-way through.
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
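    if(description)
    {
     script_id(12512);
     script_version ("$Revision: 1.11 $");
     script_cvs_date("$Date: 2011/11/03 18:08:43 $");
    
     script_name(english: "Red Hat Enterprise Linux fixes");
    
     # Helper plugin: it reports nothing itself, it only marks CVE ids in the KB
     # that the detected RHEL release is recorded as not vulnerable to (see the
     # check body below), hence risk_factor None and no solution.
     script_set_attribute(attribute:"synopsis", value:
    "The RedHat version have been identified." );
     script_set_attribute(attribute:"description", value:
    "This plugin writes in the knowledge base the CVE ids that we know
    Red Hat enterprise Linux is not vulnerable to." );
     script_set_attribute(attribute:"solution", value:
    "N/A" );
     script_set_attribute(attribute:"risk_factor", value:"None" );
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_end_attributes();
    
     script_summary(english: "Fill the KB");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2011 Tenable Network Security, Inc.");
     script_family(english: "Red Hat Local Security Checks");
     script_dependencies("ssh_get_info.nasl");
     # The check body reads Host/RedHat/release, not only the RPM list, and exits
     # at once without it; requiring both keys keeps the plugin from being
     # scheduled on hosts where it could never write anything.
     script_require_keys("Host/RedHat/release", "Host/RedHat/rpm-list");
     exit(0);
    }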
    
    
    include("rpm.inc");
    
    
    release = get_kb_item("Host/RedHat/release");
    if ( ! release ) exit(0);
    
    # A KB key named after a CVE marks that CVE as not applicable to this host;
    # presumably consulted by other checks to suppress false positives --
    # confirm against the consumers of these keys.
    rhel3_not_vuln = make_list(
      "CVE-2000-0666", "CVE-2003-0020", "CVE-2003-0192", "CVE-2003-0252",
      "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695"
    );
    # CVE-2003-0252 is absent here on purpose: RHEL 2.1 is covered by the
    # RHSA-2003:207 erratum check instead.
    rhel21_not_vuln = make_list("CVE-2000-0666", "CVE-2003-0020", "CVE-2003-0192");
    
    # Both patterns are unanchored regexes over the release banner and are
    # evaluated independently, not as an if / else chain.
    if (egrep(pattern:"Red Hat Enterprise Linux.*release 3", string:release))
    {
      foreach cve (rhel3_not_vuln) set_kb_item(name:cve, value:TRUE);
    }
    
    if (egrep(pattern:"Red Hat.*(Enterprise|Advanced).*release 2\.1", string:release))
    {
      foreach cve (rhel21_not_vuln) set_kb_item(name:cve, value:TRUE);
    }
    
  • NASL familyRPC
    NASL idNFS_XLOG_OVERFLOW.NASL
    descriptionThe remote rpc.mountd daemon is vulnerable to an off-by-one overflow which could be exploited by an attacker to gain a root shell on this host.
    last seen2020-06-01
    modified2020-06-02
    plugin id11800
    published2003-07-23
    reporterThis script is Copyright (C) 2003-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11800
    titleLinux NFS utils package (nfs-utils) mountd xlog Function Off-by-one Remote Overflow
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2003_031.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2003:031 (nfs-utils). The nfs-utils package contains various programs to offer and manage certain RPC services such as the rpc.mountd. iSEC Security Research has reported an off-by-one bug in the xlog() function used by the rpc.mountd. It is possible for remote attackers to use this off-by-one overflow to execute arbitrary code as root. Some of the products listed in the advisory seem not vulnerable to this one-byte overflow due to the stack alignment generated by the compiler during the build. Nevertheless, since there is no easy workaround except shutting down the RPC services, an update is strongly recommended for every product listed in the advisory. This update needs to be applied to both NFS servers and clients, as the vulnerable function is used by mountd and statd. After updating, either restart these services manually or use the corresponding init scripts.
    last seen2020-06-01
    modified2020-06-02
    plugin id13800
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13800
    titleSUSE-SA:2003:031: nfs-utils
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-207.NASL
    descriptionUpdated nfs-utils packages are available that fix a remotely exploitable Denial of Service vulnerability. The nfs-utils package provides a daemon for the kernel NFS server and related tools. Janusz Niewiadomski found a buffer overflow bug in nfs-utils version 1.0.3 and earlier. This bug could be exploited by an attacker, causing a remote Denial of Service (crash). It is not believed that this bug could lead to remote arbitrary code execution. Users are advised to update to these erratum packages, which contain a backported security patch supplied by the nfs-utils maintainers and are not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id12405
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12405
    titleRHEL 2.1 : nfs-utils (RHSA-2003:207)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-349.NASL
    descriptionThe logging code in nfs-utils contains an off-by-one buffer overrun when adding a newline to the string being logged. This vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition by sending certain RPC requests.
    last seen2020-06-01
    modified2020-06-02
    plugin id15186
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15186
    titleDebian DSA-349-1 : nfs-utils - buffer overflow

Oval

accepted2010-09-20T04:00:25.948-04:00
classvulnerability
contributors
  • nameJay Beale
    organizationBastille Linux
  • nameJay Beale
    organizationBastille Linux
  • nameThomas R. Jones
    organizationMaitreya Security
  • nameJonathan Baker
    organizationThe MITRE Corporation
descriptionOff-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.
familyunix
idoval:org.mitre.oval:def:443
statusaccepted
submitted2003-09-02T12:00:00.000-04:00
titlemountd xlog Function Off-by-One Vulnerability
version41

Redhat

advisories
  • rhsa
    idRHSA-2003:206
  • rhsa
    idRHSA-2003:207

References