CVE-2006-0043 - Remote Buffer Overflow vulnerability in NFS-SERVER
CVSS v2 metrics

Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |

Summary
Buffer overflow in the realpath function in nfs-server rpc.mountd, as used in SUSE Linux 9.1 through 10.0, allows local users to execute arbitrary code via unspecified vectors involving mount requests and symlinks.
Vulnerable Configurations

Part | Description | Count |
---|---|---|
OS | | 11 |
Nessus

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SA_2006_005.NASL |
description | The remote host is missing the patch for the advisory SUSE-SA:2006:005 (nfs-server). A remotely exploitable problem exists in the rpc.mountd service in the user space NFS server package 'nfs-server'. |
last seen | 2019-10-28 |
modified | 2006-01-29 |
plugin id | 20821 |
published | 2006-01-29 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/20821 |
title | SUSE-SA:2006:005: nfs-server |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:005
#

if ( ! defined_func("bn_random") ) exit(0);
include("compat.inc");

if(description)
{
  script_id(20821);
  script_version ("1.8");
  name["english"] = "SUSE-SA:2006:005: nfs-server";
  script_name(english:name["english"]);

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
  script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2006:005 (nfs-server).

An remotely exploitable problem exists in the rpc.mountd service in the
user space NFS server package 'nfs-server'.

Insufficient buffer space supplied to the realpath() function when
processing mount requests can lead to a buffer overflow in the
rpc.mountd and allows remote attackers to execute code as the root user.

Code execution is definitely possible if the attacker can create
symlinks on any of the file systems on the machine running rpc.mountd
(/tmp , /home/attacker or similar).

For attackers without filesystem access code execution is potentially
possible.

NOTE: The 'nfs-server' package is obsolete and has been replaced by the
'nfs-utils' package (kernel NFS server) in all currently supported SUSE
Linux products already and is only included for completeness. The
'nfs-utils' package itself is NOT affected by this problem.

This issue is tracked by the Mitre CVE ID CVE-2006-0043." );
  script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/advisories/2006_05_nfsserver.html" );
  script_set_attribute(attribute:"risk_factor", value:"High" );
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/29");
  script_end_attributes();

  summary["english"] = "Check for the version of the nfs-server package";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  family["english"] = "SuSE Local Security Checks";
  script_family(english:family["english"]);
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/SuSE/rpm-list");
  exit(0);
}

include("rpm.inc");

# Each check compares the installed nfs-server RPM against the fixed
# version for that SUSE release; any match is reported as a hole.
if ( rpm_check( reference:"nfs-server-2.2beta51-212.2", release:"SUSE10.0") )
{
  security_hole(0);
  exit(0);
}
if ( rpm_check( reference:"nfs-server-2.2beta51-206.4", release:"SUSE9.1") )
{
  security_hole(0);
  exit(0);
}
if ( rpm_check( reference:"nfs-server-2.2beta51-208.2", release:"SUSE9.2") )
{
  security_hole(0);
  exit(0);
}
if ( rpm_check( reference:"nfs-server-2.2beta51-209.2", release:"SUSE9.3") )
{
  security_hole(0);
  exit(0);
}
```

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-975.NASL |
description | Marcus Meissner discovered that attackers can trigger a buffer overflow in the path handling code by creating or abusing existing symlinks, which may lead to the execution of arbitrary code. This vulnerability isn't present in the kernel NFS server. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22841 |
published | 2006-10-14 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/22841 |
title | Debian DSA-975-1 : nfs-user-server - buffer overflow |

code

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-975. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22841);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2006-0043");
  script_xref(name:"DSA", value:"975");

  script_name(english:"Debian DSA-975-1 : nfs-user-server - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Marcus Meissner discovered that attackers can trigger a buffer overflow
in the path handling code by creating or abusing existing symlinks,
which may lead to the execution of arbitrary code. This vulnerability
isn't present in the kernel NFS server.

This update includes a bugfix for attribute handling of symlinks. This
fix does not have security implications, but at the time when this DSA
was prepared it was already queued for the next stable point release,
so we decided to include it beforehand."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350020"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-975"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the nfs-user-server package.

For the old stable distribution (woody) this problem has been fixed in
version 2.2beta47-12woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.2beta47-20sarge2."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nfs-user-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Bail out cleanly when the knowledge base lacks what a local check needs.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Compare installed package versions (from dpkg -l) against the fixed
# versions for woody (3.0) and sarge (3.1).
flag = 0;
if (deb_check(release:"3.0", prefix:"nfs-user-server", reference:"2.2beta47-12woody1")) flag++;
if (deb_check(release:"3.0", prefix:"ugidd", reference:"2.2beta47-12woody1")) flag++;
if (deb_check(release:"3.1", prefix:"nfs-user-server", reference:"2.2beta47-20sarge2")) flag++;
if (deb_check(release:"3.1", prefix:"ugidd", reference:"2.2beta47-20sarge2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
Statements
contributor | Mark J Cox |
lastmodified | 2006-08-30 |
organization | Red Hat |
statement | This issue did not affect Red Hat Enterprise Linux 2.1, 3, or 4. |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350020
- http://lists.suse.com/archive/suse-security-announce/2006-Jan/0007.html
- http://secunia.com/advisories/18614
- http://secunia.com/advisories/18638
- http://secunia.com/advisories/18889
- http://www.debian.org/security/2006/dsa-975
- http://www.securityfocus.com/bid/16388
- http://www.vupen.com/english/advisories/2006/0348
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24347