Vulnerabilities > CVE-2007-1547 - Local Privilege Escalation and Denial of Service vulnerability in Radscan Network Audio System 1.8A

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

mandrakesoft

radscan

nessus

NVD

Published: 2007-03-20

Updated: 2018-10-16

Summary

The ReadRequestFromClient function in server/os/io.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference.

Vulnerable Configurations

Part	Description	Count
OS	Mandrakesoft Mandrakesoft Mandrake Linux 2007	2
Application	Radscan Radscan Network Audio System 1.8A	1

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1273.NASL
description	Several vulnerabilities have been discovered in nas, the Network Audio System. - CVE-2007-1543 A stack-based buffer overflow in the accept_att_local function in server/os/connection.c in nas allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection. - CVE-2007-1544 An integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. - CVE-2007-1545 The AddResource function in server/dia/resource.c allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID. - CVE-2007-1546 An array index error allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c. - CVE-2007-1547 The ReadRequestFromClient function in server/os/io.c allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference.
last seen	2020-06-01
modified	2020-06-02
plugin id	24921
published	2007-04-05
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24921
title	Debian DSA-1273-1 : nas - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1273. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(24921); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2007-1543", "CVE-2007-1544", "CVE-2007-1545", "CVE-2007-1546", "CVE-2007-1547"); script_bugtraq_id(23017); script_xref(name:"DSA", value:"1273"); script_name(english:"Debian DSA-1273-1 : nas - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in nas, the Network Audio System. - CVE-2007-1543 A stack-based buffer overflow in the accept_att_local function in server/os/connection.c in nas allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection. - CVE-2007-1544 An integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. - CVE-2007-1545 The AddResource function in server/dia/resource.c allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID. - CVE-2007-1546 An array index error allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c. - CVE-2007-1547 The ReadRequestFromClient function in server/os/io.c allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416038" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-1543" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-1544" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-1545" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-1546" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-1547" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2007/dsa-1273" ); script_set_attribute( attribute:"solution", value: "Upgrade the nas package. For the stable distribution (sarge), these problems have been fixed in version 1.7-2sarge1. For the upcoming stable distribution (etch) and the unstable distribution (sid) these problems have been fixed in version 1.8-4." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nas"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2007/03/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"libaudio-dev", reference:"1.7-2sarge1")) flag++; if (deb_check(release:"3.1", prefix:"libaudio2", reference:"1.7-2sarge1")) flag++; if (deb_check(release:"3.1", prefix:"nas", reference:"1.7-2sarge1")) flag++; if (deb_check(release:"3.1", prefix:"nas-bin", reference:"1.7-2sarge1")) flag++; if (deb_check(release:"3.1", prefix:"nas-doc", reference:"1.7-2sarge1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2007-065.NASL
description	Luigi Auriemma discovered a number of problems with the nas (Network Audio System) daemon that could be used to crash nasd. Updated packages have been patched to address this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	24891
published	2007-03-26
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24891
title	Mandrake Linux Security Advisory : nas (MDKSA-2007:065)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200704-20.NASL
description	The remote host is affected by the vulnerability described in GLSA-200704-20 (NAS: Multiple vulnerabilities) Luigi Auriemma has discovered multiple vulnerabilities in NAS, some of which include a buffer overflow in the function accept_att_local(), an integer overflow in the function ProcAuWriteElement(), and a null pointer error in the function ReadRequestFromClient(). Impact : An attacker having access to the NAS daemon could send an overly long slave name to the server, leading to the execution of arbitrary code with root privileges. A remote attacker could also send a specially crafted packet containing an invalid client ID, which would crash the server and result in a Denial of Service. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	25108
published	2007-04-30
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25108
title	GLSA-200704-20 : NAS: Multiple vulnerabilities

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-446-1.NASL
description	Luigi Auriemma discovered multiple flaws in the Network Audio System server. Remote attackers could send specially crafted network requests that could lead to a denial of service or execution of arbitrary code. Note that default Ubuntu installs do not include the NAS server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	28043
published	2007-11-10
reporter	Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/28043
title	Ubuntu 5.10 / 6.06 LTS / 6.10 : nas vulnerabilities (USN-446-1)

Summary

Vulnerable Configurations

Nessus

References