CVE-2007-1546 - Unspecified vulnerability in Radscan Network Audio System 1.8A
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

radscan
nessus
Summary
Array index error in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 2 |
Application | | 1 |
Nessus
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1273.NASL
- description: Several vulnerabilities have been discovered in nas, the Network Audio System.
  - CVE-2007-1543: A stack-based buffer overflow in the accept_att_local function in server/os/connection.c in nas allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection.
  - CVE-2007-1544: An integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value.
  - CVE-2007-1545: The AddResource function in server/dia/resource.c allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID.
  - CVE-2007-1546: An array index error allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c.
  - CVE-2007-1547: The ReadRequestFromClient function in server/os/io.c allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 24921
- published: 2007-04-05
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24921
- title: Debian DSA-1273-1 : nas - several vulnerabilities
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1273. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24921);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2007-1543", "CVE-2007-1544", "CVE-2007-1545", "CVE-2007-1546", "CVE-2007-1547");
  script_bugtraq_id(23017);
  script_xref(name:"DSA", value:"1273");

  script_name(english:"Debian DSA-1273-1 : nas - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in nas, the Network Audio
System.

  - CVE-2007-1543
    A stack-based buffer overflow in the accept_att_local
    function in server/os/connection.c in nas allows remote
    attackers to execute arbitrary code via a long path
    slave name in a USL socket connection.

  - CVE-2007-1544
    An integer overflow in the ProcAuWriteElement function
    in server/dia/audispatch.c allows remote attackers to
    cause a denial of service (crash) and possibly execute
    arbitrary code via a large max_samples value.

  - CVE-2007-1545
    The AddResource function in server/dia/resource.c allows
    remote attackers to cause a denial of service (server
    crash) via a nonexistent client ID.

  - CVE-2007-1546
    An array index error allows remote attackers to cause a
    denial of service (crash) via (1) large num_action
    values in the ProcAuSetElements function in
    server/dia/audispatch.c or (2) a large inputNum
    parameter to the compileInputs function in
    server/dia/auutil.c.

  - CVE-2007-1547
    The ReadRequestFromClient function in server/os/io.c
    allows remote attackers to cause a denial of service
    (crash) via multiple simultaneous connections, which
    triggers a NULL pointer dereference."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416038"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1543"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1544"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1545"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1546"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-1547"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2007/dsa-1273"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the nas package.

For the stable distribution (sarge), these problems have been fixed in
version 1.7-2sarge1.

For the upcoming stable distribution (etch) and the unstable
distribution (sid) these problems have been fixed in version 1.8-4."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nas");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.1", prefix:"libaudio-dev", reference:"1.7-2sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"libaudio2", reference:"1.7-2sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"nas", reference:"1.7-2sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"nas-bin", reference:"1.7-2sarge1")) flag++;
if (deb_check(release:"3.1", prefix:"nas-doc", reference:"1.7-2sarge1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2007-065.NASL
- description: Luigi Auriemma discovered a number of problems with the nas (Network Audio System) daemon that could be used to crash nasd. Updated packages have been patched to address this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 24891
- published: 2007-03-26
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24891
- title: Mandrake Linux Security Advisory : nas (MDKSA-2007:065)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200704-20.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200704-20 (NAS: Multiple vulnerabilities). Luigi Auriemma has discovered multiple vulnerabilities in NAS, some of which include a buffer overflow in the function accept_att_local(), an integer overflow in the function ProcAuWriteElement(), and a null pointer error in the function ReadRequestFromClient().
  - Impact: An attacker having access to the NAS daemon could send an overly long slave name to the server, leading to the execution of arbitrary code with root privileges. A remote attacker could also send a specially crafted packet containing an invalid client ID, which would crash the server and result in a Denial of Service.
  - Workaround: There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 25108
- published: 2007-04-30
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/25108
- title: GLSA-200704-20 : NAS: Multiple vulnerabilities

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-446-1.NASL
- description: Luigi Auriemma discovered multiple flaws in the Network Audio System server. Remote attackers could send specially crafted network requests that could lead to a denial of service or execution of arbitrary code. Note that default Ubuntu installs do not include the NAS server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 28043
- published: 2007-11-10
- reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/28043
- title: Ubuntu 5.10 / 6.06 LTS / 6.10 : nas vulnerabilities (USN-446-1)

References
- http://aluigi.altervista.org/adv/nasbugs-adv.txt
- http://secunia.com/advisories/24527
- http://secunia.com/advisories/24601
- http://secunia.com/advisories/24628
- http://secunia.com/advisories/24638
- http://secunia.com/advisories/24980
- http://security.gentoo.org/glsa/glsa-200704-20.xml
- http://www.debian.org/security/2007/dsa-1273
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:065
- http://www.radscan.com/nas/HISTORY
- http://www.securityfocus.com/archive/1/464606/30/7230/threaded
- http://www.securityfocus.com/bid/23017
- http://www.securitytracker.com/id?1017822
- http://www.ubuntu.com/usn/usn-446-1
- http://www.vupen.com/english/advisories/2007/0997
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33054
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33055