Vulnerabilities > CVE-2003-0252 - Off-by-one Error vulnerability in Linux-Nfs Nfs-Utils
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2003-195-01.NASL description New nfs-utils packages are available for Slackware 8.1, 9.0, and -current to fix an off-by-one buffer overflow in xlog.c. Thanks to Janusz Niewiadomski for discovering and reporting this problem. The CVE (Common Vulnerabilities and Exposures) Project has assigned the identification number CAN-2003-0252 to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 18729 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18729 title Slackware 8.1 / 9.0 / current : nfs-utils off-by-one overflow fixed (SSA:2003-195-01) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2003-195-01. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(18729); script_version("1.15"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_xref(name:"SSA", value:"2003-195-01"); script_name(english:"Slackware 8.1 / 9.0 / current : nfs-utils off-by-one overflow fixed (SSA:2003-195-01)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New nfs-utils packages are available for Slackware 8.1, 9.0, and -current to fix an off-by-one buffer overflow in xlog.c. Thanks to Janusz Niewiadomski for discovering and reporting this problem. The CVE (Common Vulnerabilities and Exposures) Project has assigned the identification number CAN-2003-0252 to this issue." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.374504 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?acf4f0b5" ); script_set_attribute( attribute:"solution", value:"Update the affected nfs-utils package." ); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:nfs-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/07/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"8.1", pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.0", pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"current", pkgname:"nfs-utils", pkgver:"1.0.4", pkgarch:"i486", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-076.NASL description An off-by-one buffer overflow was found in the logging code in nfs-utils when adding a newline to the string being logged. This could allow an attacker to execute arbitrary code or cause a DoS (Denial of Service) on the server by sending certain RPC requests. last seen 2020-06-01 modified 2020-06-02 plugin id 14059 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14059 title Mandrake Linux Security Advisory : nfs-utils (MDKSA-2003:076) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:076. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14059); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2003-0252"); script_xref(name:"MDKSA", value:"2003:076"); script_name(english:"Mandrake Linux Security Advisory : nfs-utils (MDKSA-2003:076)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An off-by-one buffer overflow was found in the logging code in nfs-utils when adding a newline to the string being logged. This could allow an attacker to execute arbitrary code or cause a DoS (Denial of Service) on the server by sending certain RPC requests." ); script_set_attribute( attribute:"solution", value:"Update the affected nfs-utils and / or nfs-utils-clients packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nfs-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nfs-utils-clients"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2003/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nfs-utils-0.3.3-3.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nfs-utils-clients-0.3.3-3.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nfs-utils-1.0.1-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nfs-utils-clients-1.0.1-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"nfs-utils-1.0.1-1.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"nfs-utils-clients-1.0.1-1.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Red Hat Local Security Checks NASL id REDHAT_FIXES.NASL description This plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to. last seen 2020-06-01 modified 2020-06-02 plugin id 12512 published 2004-07-06 reporter This script is Copyright (C) 2004-2011 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12512 title Red Hat Enterprise Linux fixes code # # (C) Tenable Network Security, Inc. # # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(12512); script_version ("$Revision: 1.11 $"); script_cvs_date("$Date: 2011/11/03 18:08:43 $"); script_name(english: "Red Hat Enterprise Linux fixes"); script_set_attribute(attribute:"synopsis", value: "The RedHat version have been identified." ); script_set_attribute(attribute:"description", value: "This plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to." ); script_set_attribute(attribute:"solution", value: "N/A" ); script_set_attribute(attribute:"risk_factor", value:"None" ); script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/06"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_summary(english: "Fill the KB"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2011 Tenable Network Security, Inc."); script_family(english: "Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/RedHat/rpm-list"); exit(0); } include("rpm.inc"); release = get_kb_item("Host/RedHat/release"); if ( ! release ) exit(0); if ( egrep(pattern:"Red Hat Enterprise Linux.*release 3", string:release) ) { set_kb_item(name:"CVE-2000-0666", value:TRUE); set_kb_item(name:"CVE-2003-0020", value:TRUE); set_kb_item(name:"CVE-2003-0192", value:TRUE); set_kb_item(name:"CVE-2003-0252", value:TRUE); set_kb_item(name:"CVE-2003-0682", value:TRUE); set_kb_item(name:"CVE-2003-0693", value:TRUE); set_kb_item(name:"CVE-2003-0695", value:TRUE); } if ( egrep(pattern:"Red Hat.*(Enterprise|Advanced).*release 2\.1", string:release)) { set_kb_item(name:"CVE-2000-0666", value:TRUE); set_kb_item(name:"CVE-2003-0020", value:TRUE); set_kb_item(name:"CVE-2003-0192", value:TRUE); }
NASL family RPC NASL id NFS_XLOG_OVERFLOW.NASL description The remote rpc.mountd daemon is vulnerable to an off-by-one overflow which could be exploited by an attacker to gain a root shell on this host. last seen 2020-06-01 modified 2020-06-02 plugin id 11800 published 2003-07-23 reporter This script is Copyright (C) 2003-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11800 title Linux NFS utils package (nfs-utils) mountd xlog Function Off-by-one Remote Overflow NASL family SuSE Local Security Checks NASL id SUSE_SA_2003_031.NASL description The remote host is missing the patch for the advisory SUSE-SA:2003:031 (nfs-utils). The nfs-utils package contains various programs to offer and manage certain RPC services such as the rpc.mountd. iSEC Security Research has reported an off-by-one bug in the xlog() function used by the rpc.mountd. It is possible for remote attackers to use this off-by-one overflow to execute arbitrary code as root. Some of the products listed above seem not vulnerable to this one byte overflow due to the stack alignment generated by the compiler during the build. Nevertheless, since there is no easy workaround except shutting down the RPC services, an update is strongly recommended for every product listed above. This update needs to be applied to both NFS servers and clients, as the vulnerable function is used by mountd and statd. You can either restart these services manually, or use the corresponding init scripts: last seen 2020-06-01 modified 2020-06-02 plugin id 13800 published 2004-07-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13800 title SUSE-SA:2003:031: nfs-utils NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-207.NASL description Updated nfs-utils packages are available that fix a remotely exploitable Denial of Service vulnerability. The nfs-utils package provides a daemon for the kernel NFS server and related tools. Janusz Niewiadomski found a buffer overflow bug in nfs-utils version 1.0.3 and earlier. This bug could be exploited by an attacker, causing a remote Denial of Service (crash). It is not believed that this bug could lead to remote arbitrary code execution. Users are advised to update to these erratum packages, which contain a backported security patch supplied by the nfs-utils maintainers and are not vulnerable to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 12405 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12405 title RHEL 2.1 : nfs-utils (RHSA-2003:207) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-349.NASL description The logging code in nfs-utils contains an off-by-one buffer overrun when adding a newline to the string being logged. This vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition by sending certain RPC requests. last seen 2020-06-01 modified 2020-06-02 plugin id 15186 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15186 title Debian DSA-349-1 : nfs-utils - buffer overflow
Oval
accepted | 2010-09-20T04:00:25.948-04:00 | ||||||||||||||||
class | vulnerability | ||||||||||||||||
contributors |
| ||||||||||||||||
description | Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. | ||||||||||||||||
family | unix | ||||||||||||||||
id | oval:org.mitre.oval:def:443 | ||||||||||||||||
status | accepted | ||||||||||||||||
submitted | 2003-09-02T12:00:00.000-04:00 | ||||||||||||||||
title | mountd xlog Function Off-by-One Vulnerability | ||||||||||||||||
version | 41 |
Redhat
advisories |
|
References
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0023.html
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0023.html
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0024.html
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0024.html
- http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt
- http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt
- http://marc.info/?l=bugtraq&m=105820223707191&w=2
- http://marc.info/?l=bugtraq&m=105820223707191&w=2
- http://marc.info/?l=bugtraq&m=105830921519513&w=2
- http://marc.info/?l=bugtraq&m=105830921519513&w=2
- http://marc.info/?l=bugtraq&m=105839032403325&w=2
- http://marc.info/?l=bugtraq&m=105839032403325&w=2
- http://secunia.com/advisories/9259
- http://secunia.com/advisories/9259
- http://securitytracker.com/id?1007187
- http://securitytracker.com/id?1007187
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001262.1-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001262.1-1
- http://www.debian.org/security/2003/dsa-349
- http://www.debian.org/security/2003/dsa-349
- http://www.kb.cert.org/vuls/id/258564
- http://www.kb.cert.org/vuls/id/258564
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:076
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:076
- http://www.novell.com/linux/security/advisories/2003_031_nfs_utils.html
- http://www.novell.com/linux/security/advisories/2003_031_nfs_utils.html
- http://www.redhat.com/support/errata/RHSA-2003-206.html
- http://www.redhat.com/support/errata/RHSA-2003-206.html
- http://www.redhat.com/support/errata/RHSA-2003-207.html
- http://www.redhat.com/support/errata/RHSA-2003-207.html
- http://www.securityfocus.com/bid/8179
- http://www.securityfocus.com/bid/8179
- http://www.turbolinux.com/security/TLSA-2003-44.txt
- http://www.turbolinux.com/security/TLSA-2003-44.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12600
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12600
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A443
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A443