Vulnerabilities > CVE-2003-0849 - Remote Security vulnerability in Cfengine

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets whose modified length values are trusted by the ReceiveTransaction function when it uses a buffer provided by the BusyWithConnection function.

Exploit-Db

  • description: CFEngine 2.0.x CFServD Transaction Packet Buffer Overrun Vulnerability (2). CVE-2003-0849. Remote exploit for Linux platform
    id: EDB-ID:23183
    last seen: 2016-02-02
    modified: 2003-11-04
    published: 2003-11-04
    reporter: snooq
    source: https://www.exploit-db.com/download/23183/
    title: CFEngine 2.0.x CFServD Transaction Packet Buffer Overrun Vulnerability 2
  • description: CFEngine 2.0.x CFServD Transaction Packet Buffer Overrun Vulnerability (1). CVE-2003-0849. Remote exploit for Linux platform
    id: EDB-ID:23182
    last seen: 2016-02-02
    modified: 2003-09-25
    published: 2003-09-25
    reporter: jsk
    source: https://www.exploit-db.com/download/23182/
    title: CFEngine 2.0.x CFServD Transaction Packet Buffer Overrun Vulnerability 1
  • description: GNU Cfengine 2.-2.0.3 Remote Stack Overflow Exploit. CVE-2003-0849. Remote exploit for BSD platform
    id: EDB-ID:105
    last seen: 2016-01-31
    modified: 2003-09-27
    published: 2003-09-27
    reporter: kokanin
    source: https://www.exploit-db.com/download/105/
    title: GNU Cfengine 2.-2.0.3 - Remote Stack Overflow Exploit

Nessus

  • NASL family: Gain a shell remotely
    NASL id: GNU_CFSERV.NASL
    description: The remote Cfserver seems to be vulnerable to a remote buffer overflow bug. Such a bug might be exploited by an attacker to execute arbitrary code on this host, with the privileges cfservd is running with.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11893
    published: 2003-10-16
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11893
    title: Cfengine cfservd ReceiveTransaction Function Remote Overflow (intrusive check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # script based on exploit code by
    # kokaninATdtors.net
    
    # Intrusive check for CVE-2003-0849 (cfservd ReceiveTransaction overrun).
    # It delivers one oversized transaction packet to the default cfservd port
    # and then infers the vulnerability from the daemon no longer accepting
    # connections. Because a vulnerable daemon is expected to crash, the plugin
    # is categorised ACT_DESTRUCTIVE_ATTACK and only runs under paranoid
    # reporting (see the report_paranoia gate below).
    include("compat.inc");
    
    if (description)
    {
     script_id(11893);
     script_version("1.21");
     script_cvs_date("Date: 2018/07/12 19:01:15");
    
     script_cve_id("CVE-2003-0849");
     script_bugtraq_id(8699);
     script_xref(name:"Secunia", value:"9855");
    
     script_name(english:"Cfengine cfservd ReceiveTransaction Function Remote Overflow (intrusive check)");
     script_summary(english:"Checks for the Cfserver remote buffer overflow");
    
     script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote buffer overflow vulnerability.");
     script_set_attribute(attribute:"description", value:
    "The remote Cfserver seems to be vulnerable to a remote buffer overflow
    bug. Such a bug might be exploited by an attacker to execute arbitrary
    code on this host, with the privileges cfservd is running with.");
     script_set_attribute(attribute:"see_also", value:"https://packetstormsecurity.com/files/31714/cfengine.txt.html");
     script_set_attribute(attribute:"solution", value:"Upgrade to version 2.0.8/2.0.8p1 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/25");
     script_set_attribute(attribute:"patch_publication_date", value:"2003/09/25");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/16");
    
     # "potential_vulnerability": the result is inferred from availability, not
     # from a version or banner, so it is reported as potential rather than confirmed.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     # Destructive: the probe is expected to take a vulnerable cfservd down.
     script_category(ACT_DESTRUCTIVE_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Gain a shell remotely");
    
     script_dependencie("find_service1.nasl");
     script_require_keys("Settings/ParanoidReport");
    
     exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Only run when the scan has opted into paranoid (intrusive) checks.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Default cfservd port. No service fingerprinting is done before the send,
    # so whatever is listening on 5308 receives the probe.
    port = 5308;
    if (!get_port_state(port)) exit(0);
    
    
    
    # Fixed transaction header taken from the public PoC, followed by 3500
    # filler bytes; per the advisory, a vulnerable ReceiveTransaction trusts
    # the packet's length and overruns the buffer it was handed.
    req = hex2raw(s: tolower("32647564656475646564756465647564656475646509322F6173646661736466617464666173646661736466433A5C096C6F63616C686F73742E6C6F63616C646F6D61696E2E636F6D093730092D0D0A2E0D0A"));
    req += crap(3500);
    
    
    # Availability-based detection: deliver the packet, wait one second, then
    # treat a refused reconnect as the daemon having died. A daemon that is
    # merely slow to re-accept or that rate-limits connections looks the same,
    # so false positives are possible. The send result is not checked.
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    send (socket:soc, data:req);
    close(soc);
    sleep(1);
    soc = open_sock_tcp(port);
    # NOTE(review): when the reconnect succeeds, this second socket is never
    # closed before exit(0).
    if (!soc) security_hole(port);
    exit(0);
    
    
  • NASL family: Gain a shell remotely
    NASL id: CFENGINE_TRANS_PACKET_BUFF_OVERRUN.NASL
    description: Cfengine is running on this remote host. This version has a stack-based buffer overrun vulnerability. An attacker exploiting this flaw would need network access to the server as well as the ability to send a crafted transaction packet to the cfservd process. Successful exploitation of this flaw would lead to arbitrary code being executed on the remote machine or a loss of service (DoS).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14317
    published: 2004-08-20
    reporter: This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14317
    title: Cfengine cfservd ReceiveTransaction Function Remote Overflow (version check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Non-intrusive, version-based check for CVE-2003-0849. It relies on
    # cfengine_detect.nasl having stored "cfengine/running" and
    # "cfengine/version" in the KB, and flags the releases known to carry the
    # cfservd ReceiveTransaction buffer overrun. Nothing is sent to the host.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14317);
      script_version("1.19");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id("CVE-2003-0849");
      script_bugtraq_id(8699);
    
      script_name(english:"Cfengine cfservd ReceiveTransaction Function Remote Overflow (version check)");
      script_summary(english:"check for cfengine flaw based on its version");
    
      script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote buffer overflow vulnerability.");
      script_set_attribute(attribute:"description", value:
    "Cfengine is running on this remote host.
    
    This version has a stack-based buffer overrun vulnerability. 
    
    An attacker, exploiting this flaw, would need network access to the
    server as well as the ability to send a crafted transaction packet to
    the cfservd process.  Successful exploitation of this flaw would lead
    to arbitrary code being executed on the remote machine or a loss of
    service (DoS).");
      script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=106451047819552&w=2");
      script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=106485375218280&w=2");
      script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=106546086216984&w=2");
      script_set_attribute(attribute:"solution", value:"Upgrade to at least 1.5.3-4, 2.0.8 or most recent 2.1 version.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/20");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/25");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gain a shell remotely");
      script_require_ports(5308);
      script_dependencies("cfengine_detect.nasl");
    
      exit(0);
    }
    
    # Default cfservd port; used only to tag the finding.
    port = 5308;
    
    # Both facts are populated by cfengine_detect.nasl; stop quietly if either is missing.
    running = get_kb_item("cfengine/running");
    if (!running) exit(0);
    
    detected = get_kb_item("cfengine/version");
    if (!detected) exit(0);
    
    # Releases fixed in 1.5.3-4, 2.0.8 and 2.1 (see the solution text). The
    # pattern covers 1.0.x-1.4.x, 1.5.0-1.5.2, 1.5.3-0..3, 2.0.0-2.0.7 and the
    # 2.1.0a<digit> pre-releases. It is unanchored, so a longer version string
    # that merely contains one of these (e.g. "2.0.70") would also match.
    affected_re = "(1\.[0-4]\.|1\.5\.[0-2]|1\.5\.3-[0-3]|2\.(0\.[0-7]|1\.0a[0-9][^0-9]))";
    if (egrep(pattern:affected_re, string:detected)) security_hole(port);