CVE-2003-0252 - Off-by-one Error vulnerability in Linux-Nfs Nfs-Utils
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | NONE
Confidentiality impact | HIGH
Integrity impact | HIGH
Availability impact | HIGH

Summary
Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.
Nessus
NASL family | Slackware Local Security Checks
NASL id | SLACKWARE_SSA_2003-195-01.NASL
description | New nfs-utils packages are available for Slackware 8.1, 9.0, and -current to fix an off-by-one buffer overflow in xlog.c. Thanks to Janusz Niewiadomski for discovering and reporting this problem. The CVE (Common Vulnerabilities and Exposures) Project has assigned the identification number CAN-2003-0252 to this issue.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 18729
published | 2005-07-13
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/18729
title | Slackware 8.1 / 9.0 / current : nfs-utils off-by-one overflow fixed (SSA:2003-195-01)
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Slackware Security Advisory 2003-195-01. The text
    # itself is copyright (C) Slackware Linux, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(18729);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:20");

      script_xref(name:"SSA", value:"2003-195-01");

      script_name(english:"Slackware 8.1 / 9.0 / current : nfs-utils off-by-one overflow fixed (SSA:2003-195-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value: "New nfs-utils packages are available for Slackware 8.1, 9.0, and -current to fix an off-by-one buffer overflow in xlog.c. Thanks to Janusz Niewiadomski for discovering and reporting this problem. The CVE (Common Vulnerabilities and Exposures) Project has assigned the identification number CAN-2003-0252 to this issue."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.374504
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?acf4f0b5"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected nfs-utils package."
      );
      script_set_attribute(attribute:"risk_factor", value:"High");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:nfs-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");

      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:"i386", pkgnum:"1")) flag++;
    if (slackware_check(osver:"9.0", pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:"i386", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:"i486", pkgnum:"1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family | Mandriva Local Security Checks
NASL id | MANDRAKE_MDKSA-2003-076.NASL
description | An off-by-one buffer overflow was found in the logging code in nfs-utils when adding a newline to the string being logged. This could allow an attacker to execute arbitrary code or cause a DoS (Denial of Service) on the server by sending certain RPC requests.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 14059
published | 2004-07-31
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/14059
title | Mandrake Linux Security Advisory : nfs-utils (MDKSA-2003:076)
code |

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:076.
    # The text itself is copyright (C) Mandriva S.A.
    #

    include("compat.inc");

    if (description)
    {
      script_id(14059);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:46");

      script_cve_id("CVE-2003-0252");
      script_xref(name:"MDKSA", value:"2003:076");

      script_name(english:"Mandrake Linux Security Advisory : nfs-utils (MDKSA-2003:076)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(
        attribute:"synopsis",
        value: "The remote Mandrake Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value: "An off-by-one buffer overflow was found in the logging code in nfs-utils when adding a newline to the string being logged. This could allow an attacker to execute arbitrary code or cause a DoS (Denial of Service) on the server by sending certain RPC requests."
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected nfs-utils and / or nfs-utils-clients packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nfs-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nfs-utils-clients");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");

      script_set_attribute(attribute:"patch_publication_date", value:"2003/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nfs-utils-0.3.3-3.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nfs-utils-clients-0.3.3-3.1mdk", yank:"mdk")) flag++;

    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nfs-utils-1.0.1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nfs-utils-clients-1.0.1-1.1mdk", yank:"mdk")) flag++;

    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"nfs-utils-1.0.1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"nfs-utils-clients-1.0.1-1.1mdk", yank:"mdk")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family | Red Hat Local Security Checks
NASL id | REDHAT_FIXES.NASL
description | This plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 12512
published | 2004-07-06
reporter | This script is Copyright (C) 2004-2011 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/12512
title | Red Hat Enterprise Linux fixes
code |

    #
    # (C) Tenable Network Security, Inc.
    #
    #

    if ( ! defined_func("bn_random") ) exit(0);

    include("compat.inc");

    if(description)
    {
      script_id(12512);
      script_version ("$Revision: 1.11 $");
      script_cvs_date("$Date: 2011/11/03 18:08:43 $");

      script_name(english: "Red Hat Enterprise Linux fixes");

      script_set_attribute(attribute:"synopsis", value: "The RedHat version have been identified." );
      script_set_attribute(attribute:"description", value: "This plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to." );
      script_set_attribute(attribute:"solution", value: "N/A" );
      script_set_attribute(attribute:"risk_factor", value:"None" );
      script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();

      script_summary(english: "Fill the KB");
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2011 Tenable Network Security, Inc.");
      script_family(english: "Red Hat Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/RedHat/rpm-list");

      exit(0);
    }

    include("rpm.inc");

    release = get_kb_item("Host/RedHat/release");
    if ( ! release ) exit(0);

    if ( egrep(pattern:"Red Hat Enterprise Linux.*release 3", string:release) )
    {
      set_kb_item(name:"CVE-2000-0666", value:TRUE);
      set_kb_item(name:"CVE-2003-0020", value:TRUE);
      set_kb_item(name:"CVE-2003-0192", value:TRUE);
      set_kb_item(name:"CVE-2003-0252", value:TRUE);
      set_kb_item(name:"CVE-2003-0682", value:TRUE);
      set_kb_item(name:"CVE-2003-0693", value:TRUE);
      set_kb_item(name:"CVE-2003-0695", value:TRUE);
    }

    if ( egrep(pattern:"Red Hat.*(Enterprise|Advanced).*release 2\.1", string:release))
    {
      set_kb_item(name:"CVE-2000-0666", value:TRUE);
      set_kb_item(name:"CVE-2003-0020", value:TRUE);
      set_kb_item(name:"CVE-2003-0192", value:TRUE);
    }

NASL family | RPC
NASL id | NFS_XLOG_OVERFLOW.NASL
description | The remote rpc.mountd daemon is vulnerable to an off-by-one overflow which could be exploited by an attacker to gain a root shell on this host.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 11800
published | 2003-07-23
reporter | This script is Copyright (C) 2003-2016 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/11800
title | Linux NFS utils package (nfs-utils) mountd xlog Function Off-by-one Remote Overflow

NASL family | SuSE Local Security Checks
NASL id | SUSE_SA_2003_031.NASL
description | The remote host is missing the patch for the advisory SUSE-SA:2003:031 (nfs-utils). The nfs-utils package contains various programs to offer and manage certain RPC services such as the rpc.mountd. iSEC Security Research has reported an off-by-one bug in the xlog() function used by the rpc.mountd. It is possible for remote attackers to use this off-by-one overflow to execute arbitrary code as root. Some of the products listed above seem not vulnerable to this one byte overflow due to the stack alignment generated by the compiler during the build. Nevertheless, since there is no easy workaround except shutting down the RPC services, an update is strongly recommended for every product listed above. This update needs to be applied to both NFS servers and clients, as the vulnerable function is used by mountd and statd. You can either restart these services manually, or use the corresponding init scripts:
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 13800
published | 2004-07-25
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/13800
title | SUSE-SA:2003:031: nfs-utils

NASL family | Red Hat Local Security Checks
NASL id | REDHAT-RHSA-2003-207.NASL
description | Updated nfs-utils packages are available that fix a remotely exploitable Denial of Service vulnerability. The nfs-utils package provides a daemon for the kernel NFS server and related tools. Janusz Niewiadomski found a buffer overflow bug in nfs-utils version 1.0.3 and earlier. This bug could be exploited by an attacker, causing a remote Denial of Service (crash). It is not believed that this bug could lead to remote arbitrary code execution. Users are advised to update to these erratum packages, which contain a backported security patch supplied by the nfs-utils maintainers and are not vulnerable to this issue.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 12405
published | 2004-07-06
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/12405
title | RHEL 2.1 : nfs-utils (RHSA-2003:207)

NASL family | Debian Local Security Checks
NASL id | DEBIAN_DSA-349.NASL
description | The logging code in nfs-utils contains an off-by-one buffer overrun when adding a newline to the string being logged. This vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition by sending certain RPC requests.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 15186
published | 2004-09-29
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/15186
title | Debian DSA-349-1 : nfs-utils - buffer overflow

Oval
accepted | 2010-09-20T04:00:25.948-04:00
class | vulnerability
contributors |
description | Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.
family | unix
id | oval:org.mitre.oval:def:443
status | accepted
submitted | 2003-09-02T12:00:00.000-04:00
title | mountd xlog Function Off-by-One Vulnerability
version | 41
References
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0023.html
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0024.html
- http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt
- http://www.debian.org/security/2003/dsa-349
- http://www.redhat.com/support/errata/RHSA-2003-206.html
- http://www.redhat.com/support/errata/RHSA-2003-207.html
- http://www.novell.com/linux/security/advisories/2003_031_nfs_utils.html
- http://www.turbolinux.com/security/TLSA-2003-44.txt
- http://www.kb.cert.org/vuls/id/258564
- http://www.securityfocus.com/bid/8179
- http://securitytracker.com/id?1007187
- http://secunia.com/advisories/9259
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:076
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001262.1-1
- http://marc.info/?l=bugtraq&m=105839032403325&w=2
- http://marc.info/?l=bugtraq&m=105830921519513&w=2
- http://marc.info/?l=bugtraq&m=105820223707191&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12600
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A443