Vulnerabilities > CVE-2006-0043 - Remote Buffer Overflow vulnerability in NFS-SERVER

CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Buffer overflow in the realpath function in nfs-server rpc.mountd, as used in SUSE Linux 9.1 through 10.0, allows local users to execute arbitrary code via unspecified vectors involving mount requests and symlinks. Note the scope discrepancy on this page: the CVSS vector and this summary score the issue as local, whereas the SUSE advisory quoted below describes the overflow as triggered by mount requests handled by rpc.mountd (which runs as root), calls code execution certain for an attacker able to create symlinks on any filesystem of the server (e.g. /tmp or a home directory) and "potentially possible" for attackers without filesystem access. Only the user-space NFS server (SUSE 'nfs-server', Debian 'nfs-user-server') is affected; the kernel NFS server ('nfs-utils') is not.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_005.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:005 (nfs-server). A remotely exploitable problem exists in the rpc.mountd service in the user space NFS server package 'nfs-server'.
    last seen2019-10-28
    modified2006-01-29
    plugin id20821
    published2006-01-29
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20821
    titleSUSE-SA:2006:005: nfs-server
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:005
    #
    
    
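    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    # Registration block: metadata for the SUSE-SA:2006:005 (nfs-server) check.
    if(description)
    {
     script_id(20821);
     script_version ("1.8");
    
     # Tag the plugin with the CVE the advisory text names, so CVE-based
     # searches and cross-references find it (the Debian plugin for the same
     # issue, DSA-975, carries this tag; this one did not).
     script_cve_id("CVE-2006-0043");
     
     name["english"] = "SUSE-SA:2006:005: nfs-server";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     # Advisory text, reproduced verbatim from SUSE-SA:2006:005.
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:005 (nfs-server).
    
    
    An remotely exploitable problem exists in the rpc.mountd service in
    the user space NFS server package 'nfs-server'.
    
    Insufficient buffer space supplied to the realpath() function
    when processing mount requests can lead to a buffer overflow in
    the rpc.mountd and allows remote attackers to execute code as the
    root user.
    
    Code execution is definitely possible if the attacker can create
    symlinks on any of the file systems on the machine running rpc.mountd
    (/tmp , /home/attacker or similar).
    For attackers without filesystem access code execution is potentially
    possible.
    
    NOTE:
    The 'nfs-server' package is obsolete and has been replaced by the
    'nfs-utils' package (kernel NFS server) in all currently supported
    SUSE Linux products already and is only included for completeness.
    The 'nfs-utils' package itself is NOT affected by this problem.
    
    This issue is tracked by the Mitre CVE ID CVE-2006-0043." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/2006_05_nfsserver.html" );
     # Risk factor is kept as the advisory set it (remote root code execution).
     script_set_attribute(attribute:"risk_factor", value:"High" );
     # CVSS v2 vector for CVE-2006-0043 (local, low complexity, no auth,
     # partial C/I/A) -- the same vector the DSA-975 plugin records.
     # NOTE(review): the vendor text above describes a remotely triggerable
     # path; the scored vector is local. Both are preserved so reviewers see
     # the discrepancy rather than one view silently overriding the other.
     script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
    
     # This is a local (SSH/rpm inventory) check, not a network probe.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/29");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the nfs-server package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     # Only schedule the plugin when local checks ran and the rpm inventory
     # it compares against is present (same gating as the Debian sibling).
     script_require_keys("Host/local_checks_enabled", "Host/SuSE/rpm-list");
     exit(0);
    }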
    
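    include("rpm.inc");
    include("audit.inc");
    
    # Without the package inventory there is nothing to compare against;
    # say so explicitly instead of exiting silently.
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # First fixed nfs-server build per release, from SUSE-SA:2006:005.
    fixed = make_array(
      "SUSE10.0", "nfs-server-2.2beta51-212.2",
      "SUSE9.1",  "nfs-server-2.2beta51-206.4",
      "SUSE9.2",  "nfs-server-2.2beta51-208.2",
      "SUSE9.3",  "nfs-server-2.2beta51-209.2"
    );
    
    # A host matches at most one release, so the first hit decides.
    foreach rel (make_list("SUSE10.0", "SUSE9.1", "SUSE9.2", "SUSE9.3"))
    {
     if ( rpm_check( reference:fixed[rel], release:rel ) )
     {
      security_hole(0);
      exit(0);
     }
    }
    
    # Report a definite "not affected" rather than a silent exit, consistent
    # with the DSA-975 plugin for the same CVE.
    audit(AUDIT_HOST_NOT, "affected");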
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-975.NASL
    descriptionMarcus Meissner discovered that attackers can trigger a buffer overflow in the path handling code by creating or abusing existing symlinks, which may lead to the execution of arbitrary code. This vulnerability isn't present in the kernel NFS server.
    last seen2020-06-01
    modified2020-06-02
    plugin id22841
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22841
    titleDebian DSA-975-1 : nfs-user-server - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-975. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration block for DSA-975-1 (nfs-user-server buffer overflow,
    # CVE-2006-0043). Advisory and solution text are held in locals so the
    # attribute calls below stay one line each.
    if (description)
    {
      script_id(22841);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:20");
      script_cve_id("CVE-2006-0043");
      script_xref(name:"DSA", value:"975");
    
      script_name(english:"Debian DSA-975-1 : nfs-user-server - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      # Advisory text, verbatim from DSA-975.
      dsa_text =
    "Marcus Meissner discovered that attackers can trigger a buffer
    overflow in the path handling code by creating or abusing existing
    symlinks, which may lead to the execution of arbitrary code.
    
    This vulnerability isn't present in the kernel NFS server.
    
    This update includes a bugfix for attribute handling of symlinks. This
    fix does not have security implications, but at the time when this DSA
    was prepared it was already queued for the next stable point release,
    so we decided to include it beforehand.";
    
      # Fixed versions per suite, verbatim from DSA-975.
      fix_text =
    "Upgrade the nfs-user-server package.
    
    For the old stable distribution (woody) this problem has been fixed in
    version 2.2beta47-12woody1.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 2.2beta47-20sarge2.";
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:dsa_text);
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350020");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-975");
      script_set_attribute(attribute:"solution", value:fix_text);
      # CVSS v2: local, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Affected package plus the two affected Debian releases (woody, sarge).
      foreach cpe_id (make_list("p-cpe:/a:debian:debian_linux:nfs-user-server",
                                "cpe:/o:debian:debian_linux:3.0",
                                "cpe:/o:debian:debian_linux:3.1"))
      {
        script_set_attribute(attribute:"cpe", value:cpe_id);
      }
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      # Runs only when local checks succeeded and the dpkg inventory is present.
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Each precondition exits with its own audit reason so a non-result is explained.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Fixed versions from DSA-975: woody (3.0) and sarge (3.1); both binary
    # packages built from the source are checked for each release.
    fixed_ver = make_array("3.0", "2.2beta47-12woody1",
                           "3.1", "2.2beta47-20sarge2");
    hits = 0;
    foreach rel (make_list("3.0", "3.1"))
    {
      foreach pkg (make_list("nfs-user-server", "ugidd"))
      {
        if (deb_check(release:rel, prefix:pkg, reference:fixed_ver[rel])) hits++;
      }
    }
    
    # audit() exits, so only a vulnerable host reaches the report below.
    if (!hits) audit(AUDIT_HOST_NOT, "affected");
    
    if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
    else security_warning(0);
    exit(0);
    

Statements

contributorMark J Cox
lastmodified2006-08-30
organizationRed Hat
statementThis issue did not affect Red Hat Enterprise Linux 2.1, 3, or 4.