Vulnerabilities > CVE-2003-0853 - Integer Overflow vulnerability in Coreutils LS Width Argument

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
gnu
washington-university
nessus
exploit available

Summary

An integer overflow in ls in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd.

Exploit-Db

description: Coreutils 4.5.x LS Width Argument Integer Overflow Vulnerability. CVE-2003-0853. DoS exploit for the Linux platform
id: EDB-ID:23274
last seen: 2016-02-02
modified: 2003-10-22
published: 2003-10-22
reporter: druid
source: https://www.exploit-db.com/download/23274/
title: Coreutils 4.5.x LS Width Argument Integer Overflow Vulnerability

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-106.NASL
    description: A memory starvation denial of service vulnerability in the ls program was discovered by Georgi Guninski. It is possible to allocate a huge amount of memory by specifying certain command-line arguments. It is also possible to exploit this remotely via programs that call ls such as wu-ftpd (although wu-ftpd is no longer shipped with Mandrake Linux). Likewise, a non-exploitable integer overflow problem was discovered in ls, which can be used to crash ls by specifying certain command-line arguments. This can also be triggered via remotely accessible services such as wu-ftpd. The provided packages include a patched ls to fix these problems.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14088
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14088
    title: Mandrake Linux Security Advisory : fileutils/coreutils (MDKSA-2003:106)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:106.
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration branch: the scanner loads the plugin with `description`
    # set to collect metadata; none of the package checks below run then.
    if (description)
    {
      script_id(14088);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      # The advisory text describes two ls issues (memory starvation and an
      # integer-overflow crash), so both CVE ids are attached.
      script_cve_id("CVE-2003-0853", "CVE-2003-0854");
      script_xref(name:"MDKSA", value:"2003:106");
    
      script_name(english:"Mandrake Linux Security Advisory : fileutils/coreutils (MDKSA-2003:106)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mandrake Linux host is missing one or more security
    updates.");
      script_set_attribute(attribute:"description", value:
    "A memory starvation denial of service vulnerability in the ls program
    was discovered by Georgi Guninski. It is possible to allocate a huge
    amount of memory by specifying certain command-line arguments. It is
    also possible to exploit this remotely via programs that call ls such
    as wu-ftpd (although wu-ftpd is no longer shipped with Mandrake
    Linux).
    
    Likewise, a non-exploitable integer overflow problem was discovered in
    ls, which can be used to crash ls by specifying certain command-line
    arguments. This can also be triggered via remotely accessible services
    such as wu-ftpd.
    
    The provided packages include a patched ls to fix these problems.");
      script_set_attribute(attribute:"solution", value:
    "Update the affected coreutils, coreutils-doc and / or fileutils
    packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # One CPE per affected package, then one per affected release.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:coreutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:coreutils-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:fileutils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Host qualification: every audit() call below terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # Version comparison against the fixed packages, one release at a time.
    # rpm_check() also accumulates the text later returned by rpm_report_get(),
    # so the call order is kept as the advisory lists the packages.
    vuln = 0;
    
    # Mandrake 9.0 still shipped fileutils.
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"fileutils-4.1.11-6.1.90mdk", yank:"mdk")) vuln++;
    
    # Mandrake 9.1 moved to coreutils.
    foreach ref (make_list("coreutils-4.5.7-1.1.91mdk", "coreutils-doc-4.5.7-1.1.91mdk"))
    {
      if (rpm_check(release:"MDK9.1", cpu:"i386", reference:ref, yank:"mdk")) vuln++;
    }
    
    # Mandrake 9.2 has distinct builds for amd64 and i386.
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"coreutils-5.0-7.1.92mdk", yank:"mdk")) vuln++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"coreutils-5.0-6.1.92mdk", yank:"mdk")) vuln++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"coreutils-doc-5.0-7.1.92mdk", yank:"mdk")) vuln++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"coreutils-doc-5.0-6.1.92mdk", yank:"mdk")) vuln++;
    
    
    # Nothing outdated found.
    if (!vuln) audit(AUDIT_HOST_NOT, "affected");
    
    # Report; the per-package detail is only attached at higher verbosity.
    if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
    else security_warning(0);
    exit(0);
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-310.NASL
    description: Updated fileutils packages that close a potential denial of service vulnerability are now available. The fileutils package contains several basic system utilities. One of these utilities is the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12428
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12428
    title: RHEL 2.1 : fileutils (RHSA-2003:310)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2003:310. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: metadata only; the package checks further down
    # do not run while `description` is set.
    if (description)
    {
      script_id(12428);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      # RHSA-2003:310 covers two ls issues, named in the description below:
      # CVE-2003-0854 (memory starvation) and CVE-2003-0853 (crash).
      script_cve_id("CVE-2003-0853", "CVE-2003-0854");
      script_xref(name:"RHSA", value:"2003:310");
    
      script_name(english:"RHEL 2.1 : fileutils (RHSA-2003:310)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "Updated fileutils packages that close a potential denial of service
    vulnerability are now available.
    
    The fileutils package contains several basic system utilities. One of
    these utilities is the 'ls' program, which is used to list information
    about files and directories.
    
    Georgi Guninski discovered a memory starvation denial of service
    vulnerability in the ls program. It is possible to make ls allocate a
    huge amount of memory by specifying certain command line arguments.
    This vulnerability is remotely exploitable through services like
    wu-ftpd, which pass user arguments to ls. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the name
    CVE-2003-0854 to this issue.
    
    A non-exploitable integer overflow in ls has been discovered. It is
    possible to make ls crash by specifying certain command line
    arguments. This vulnerability is remotely exploitable through services
    like wu-ftpd, which pass user arguments to ls. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2003-0853 to this issue.
    
    Users are advised to update to these erratum packages, which contain
    backported security patches that correct these vulnerabilities.
    
    These packages also add support for the O_DIRECT flag, which controls
    the use of synchronous I/O on file systems such as OCFS.");
      # Vendor references: one per CVE plus the erratum itself.
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0853");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0854");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:310");
      script_set_attribute(attribute:"solution", value:"Update the affected fileutils package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:fileutils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/11/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Host qualification: local checks on, a RHEL 2.1 release string, an rpm
    # inventory and a 32-bit x86 CPU (the only architecture this plugin
    # compares packages for). Every audit() call terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(match)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = match[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    # Preferred path: when the host's yum updateinfo data was collected, it
    # states directly whether the erratum has been applied.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo))
    {
      rhsa = "RHSA-2003:310";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (empty_or_null(yum_report)) audit(AUDIT_OS_NOT, "affected by Red Hat security advisory " + rhsa);
      security_report_v4(port:0, severity:SECURITY_WARNING, extra:yum_report);
      exit(0);
    }
    
    # Fallback path: compare the installed fileutils rpm with the fixed
    # version. pkg_tests_get() tells "not installed" apart from "patched".
    if (!rpm_check(release:"RHEL2.1", cpu:"i386", reference:"fileutils-4.1-10.4"))
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "fileutils");
    }
    
    security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get() + redhat_report_package_caveat());
    exit(0);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-091.NASL
    description: An updated coreutils package is available fixing an issue in the ls(1) utility, described at : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0853 Note that this vulnerability affects Internet-facing services which execute ls(1) with user-supplied input, and although wu-ftpd is one such service it is not supplied with Fedora Core 1. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62243
    published: 2012-09-24
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62243
    title: Fedora Core 1 : coreutils-5.0-34.1 (2004-091)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Fedora Security Advisory 2004-091.
    #
    
    include("compat.inc");
    
    # Registration branch: metadata only; the checks below do not run while
    # `description` is set.
    if (description)
    {
      script_id(62243);
      script_version("1.7");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      # The Fedora advisory references only the integer-overflow id.
      script_cve_id("CVE-2003-0853");
      script_xref(name:"FEDORA", value:"2004-091");
    
      script_name(english:"Fedora Core 1 : coreutils-5.0-34.1 (2004-091)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Fedora Core host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "An updated coreutils package is available fixing an issue in the ls(1)
    utility, described at :
    
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0853
    
    Note that this vulnerability affects Internet-facing services which
    execute ls(1) with user-supplied input, and although wu-ftpd is one
    such service it is not supplied with Fedora Core 1.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # Short link resolves to the fedora-announce post for 2004-091:
      # https://lists.fedoraproject.org/pipermail/announce/2004-March/000089.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7ad7dd42");
      script_set_attribute(attribute:"solution", value:"Update the affected coreutils and / or coreutils-debuginfo packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:coreutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:coreutils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Host qualification; every audit() call terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = match[1];
    if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # Version comparison against the fixed packages. rpm_check() also
    # accumulates the text later returned by rpm_report_get(), so the
    # order of the list matches the advisory.
    vuln = 0;
    foreach pkg (make_list("coreutils-5.0-34.1", "coreutils-debuginfo-5.0-34.1"))
    {
      if (rpm_check(release:"FC1", reference:pkg)) vuln++;
    }
    
    
    # Nothing outdated: distinguish "not installed" from "already patched".
    if (!vuln)
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "coreutils / coreutils-debuginfo");
    }
    
    # Report; the per-package detail is only attached at higher verbosity.
    if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
    else security_warning(0);
    exit(0);
    
  • NASL family: FTP
    NASL id: WUFTPD_LS_DOS.NASL
    description: The version of WU-FTPD on the remote server uses a vulnerable version of /bin/ls. It does not filter arguments to /bin/ls, which could lead to a DoS. It is possible to consume all available memory on the machine by sending : ls
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11912
    published: 2003-10-29
    reporter: This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/11912
    title: WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # HD Moore suggested fixes and the safe_checks code.
    # It is released under the General Public License (GPLv2).
    #
    # Credit: Georgi Guninski discovered this attack
    #
    
    # Remote check for WU-FTPD servers that pass LIST arguments to /bin/ls
    # unfiltered (CVE-2003-0853 / CVE-2003-0854).  Two branches below:
    #  - safe branch (safe_checks() on, or no data connection): send an
    #    option string and report if the reply looks like ls usage/option
    #    error text -- an inference about argument passing, not a
    #    demonstrated DoS;
    #  - active branch: send the real "-W 1000000 -C" listing and decide from
    #    host liveness and the control-channel reply.  This branch is
    #    disruptive by design (it exhausts memory on the target).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(11912);
      script_version("1.24");
      script_cvs_date("Date: 2019/02/26  4:50:08");
    
      # Both ls issues are reachable through the same unfiltered LIST path.
      script_cve_id("CVE-2003-0853", "CVE-2003-0854");
      script_bugtraq_id(8875);
      # commenting these out instead of removing
      # these xrefs  get flaged as invalid by validate plugin
      # preventing build from completing
      # script_xref(name:"CONECTIVA", value:"CLA-2003:768");
      # script_xref(name:"zone-h", value:"3299");
      script_xref(name:"Secunia", value:"10059");
    
      script_name(english:"WU-FTPD fileutils/coreutils ls -w Argument Memory Consumption DoS");
      script_summary(english:"send 'ls -w 1000000 -C' to the remote FTP server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote FTP server is affected by a denial of service
    vulnerability." );
      script_set_attribute(attribute:"description", value:
    "The version of WU-FTPD on the remote server uses a vulnerable version
    of /bin/ls. It does not filter arguments to /bin/ls, which could lead
    to a DoS. It is possible to consume all available memory on the
    machine  by sending :
    
    ls '-w 1000000 -C'" );
      script_set_attribute(attribute:"see_also", value:"http://www.guninski.com/binls.html" );
      script_set_attribute(attribute:"solution", value:
    "Contact your vendor for a fix." );
      # Availability impact is rated complete here (A:C), higher than the
      # A:P used by the distribution package checks for the same CVEs.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0853");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2003/10/29");
      script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/16");
      
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      # Mixed category: the plugin has a non-disruptive path and a
      # disruptive one; which runs is decided by safe_checks() below.
      script_category(ACT_MIXED_ATTACK);
      script_family(english: "FTP");
    
      script_copyright(english:"This script is Copyright (C) 2003-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ftpserver_detect_type_nd_version.nasl", "ftp_anonymous.nasl");
      script_require_ports("Services/ftp", 21);
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("ftp_func.inc");
    
    port = get_ftp_port(default: 21);
    
    banner = get_ftp_banner(port:port);
    
    # Scope: only servers whose banner identifies WU-FTPD are tested.
    if ( !banner ) audit(AUDIT_NO_BANNER, port);
    if ( !egrep(pattern:"(wu|wuftpd)-[0-9]\.", string:banner) )
      audit(AUDIT_NOT_LISTEN, 'WU-FTPD', port);
    
    user = get_kb_item("ftp/login");
    pass = get_kb_item("ftp/password");
    
    # Fall back to an anonymous login unless the scan policy restricts
    # plugins to the supplied credentials.
    if (! user)
    {
      if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
      user = "anonymous";
    }
    if (! pass)
    {
      if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
      # NOTE(review): this literal looks like an e-mail address mangled by
      # the page's address obfuscation; confirm against the upstream plugin.
      pass = "[email protected]";
    }
    
    soc = ftp_open_and_authenticate( user:user, pass:pass, port:port );
    if (!soc) exit(0);
    
    # A passive data connection is needed to drain the listing in the
    # active branch; a PASV failure is a hard exit, not a finding.
    port2 = ftp_pasv(socket:soc);
    if (!port2)
    {
      ftp_close(socket: soc);
      exit(1, "PASV command failed on port "+port+".");
    }
    
    soc2 = open_sock_tcp(port2, transport: ENCAPS_IP);
    
    # Safe branch (also taken when the data socket could not be opened):
    # an unfiltered option string reaching ls yields usage / "invalid
    # option" text on the control channel.  A hit here is weaker evidence
    # than the active branch, since no DoS is demonstrated.
    if (!soc2 || safe_checks())
    {
      send(socket: soc, data: 'LIST -ABCDEFGHIJKLMNOPQRSTUV\r\n');
      r1 = ftp_recv_line(socket:soc);
      if (egrep(string: r1, pattern: "invalid option|usage:", icase: 1))
        security_hole(port);
      if(soc2)close(soc2);
      ftp_close(socket: soc);
      exit(0);
    }
    
    # Active branch: start_denial()/end_denial() bracket the request so the
    # host's responsiveness afterwards can be compared with before.
    start_denial();
    
    send(socket:soc, data: 'LIST "-W 1000000 -C"\r\n');
    # r1 is the immediate reply and is not inspected; r2, read after the
    # listing is drained, is the completion reply that may carry ls's error.
    r1 = ftp_recv_line(socket:soc);
    ftp_recv_listing(socket: soc2);
    r2 = ftp_recv_line(socket:soc);
    close(soc2);
    ftp_close(socket: soc);
    
    # Host stopped answering: reported as a successful memory-exhaustion DoS.
    alive = end_denial();
    if (! alive)
    {
      security_hole(port);
      exit(0);
    }
    
    # Host still up, but ls reported that it ran out of memory.
    if (egrep(string: r2, pattern: "exhausted|failed", icase: 1))
    {
      security_hole(port);
      exit(0);
    }
    
    # Last resort: if a fresh login now fails, the FTP service itself is
    # considered down as a result of the request.
    soc = ftp_open_and_authenticate( user:user, pass:pass, port:port );
    if ( !soc )
    {
      security_hole(port);
    }
    if (soc) ftp_close(socket: soc);
    

Redhat

advisories
  • rhsa
    id: RHSA-2003:309
  • rhsa
    id: RHSA-2003:310