CVE-2013-1950 - Resource Management Errors vulnerability in Libtirpc Project Libtirpc

CVSS: 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, libtirpc-project, CWE-399, nessus, exploit available

Summary

The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.

Common Weakness Enumeration (CWE)

Exploit-Db

description: rpcbind (CALLIT Procedure) UDP Crash PoC. CVE-2013-1950. DoS exploit for Linux platform
id: EDB-ID:26887
last seen: 2016-02-03
modified: 2013-07-16
published: 2013-07-16
reporter: Sean Verity
source: https://www.exploit-db.com/download/26887/
title: rpcbind CALLIT Procedure UDP Crash PoC

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2013-0884.NASL
    description: From Red Hat Security Advisory 2013:0884 : Updated libtirpc packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. These packages provide a transport-independent RPC (remote procedure call) implementation. A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) Red Hat would like to thank Michael Armstrong for reporting this issue. Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68830
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68830
    title: Oracle Linux 6 : libtirpc (ELSA-2013-0884)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2013:0884 and 
    # Oracle Linux Security Advisory ELSA-2013-0884 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68830);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/30 10:58:18");
    
      script_cve_id("CVE-2013-1950");
      script_bugtraq_id(59365);
      script_xref(name:"RHSA", value:"2013:0884");
    
      script_name(english:"Oracle Linux 6 : libtirpc (ELSA-2013-0884)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2013:0884 :
    
    Updated libtirpc packages that fix one security issue are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    These packages provide a transport-independent RPC (remote procedure
    call) implementation.
    
    A flaw was found in the way libtirpc decoded RPC requests. A specially
    crafted RPC request could cause libtirpc to attempt to free a buffer
    provided by an application using the library, even when the buffer was
    not dynamically allocated. This could cause an application using
    libtirpc, such as rpcbind, to crash. (CVE-2013-1950)
    
    Red Hat would like to thank Michael Armstrong for reporting this
    issue.
    
    Users of libtirpc should upgrade to these updated packages, which
    contain a backported patch to correct this issue. All running
    applications using libtirpc must be restarted for the update to take
    effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2013-May/003498.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtirpc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libtirpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libtirpc-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"libtirpc-0.2.1-6.el6_4")) flag++;
    if (rpm_check(release:"EL6", reference:"libtirpc-devel-0.2.1-6.el6_4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtirpc / libtirpc-devel");
    }
    
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20130530_LIBTIRPC_ON_SL6_X.NASL
    description: A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) All running applications using libtirpc must be restarted for the update to take effect.
    last seen: 2020-03-18
    modified: 2013-05-31
    plugin id: 66709
    published: 2013-05-31
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66709
    title: Scientific Linux Security Update : libtirpc on SL6.x i386/srpm/x86_64 (20130530)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66709);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/27");
    
      script_cve_id("CVE-2013-1950");
    
      script_name(english:"Scientific Linux Security Update : libtirpc on SL6.x i386/srpm/x86_64 (20130530)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was found in the way libtirpc decoded RPC requests. A
    specially- crafted RPC request could cause libtirpc to attempt to free
    a buffer provided by an application using the library, even when the
    buffer was not dynamically allocated. This could cause an application
    using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)
    
    All running applications using libtirpc must be restarted for the
    update to take effect."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1305&L=scientific-linux-errata&T=0&P=2418
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0c24f903"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libtirpc, libtirpc-debuginfo and / or
    libtirpc-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libtirpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libtirpc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libtirpc-devel");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL6", reference:"libtirpc-0.2.1-6.el6_4")) flag++;
    if (rpm_check(release:"SL6", reference:"libtirpc-debuginfo-0.2.1-6.el6_4")) flag++;
    if (rpm_check(release:"SL6", reference:"libtirpc-devel-0.2.1-6.el6_4")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtirpc / libtirpc-debuginfo / libtirpc-devel");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2013-0884.NASL
    description: Updated libtirpc packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. These packages provide a transport-independent RPC (remote procedure call) implementation. A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) Red Hat would like to thank Michael Armstrong for reporting this issue. Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66702
    published: 2013-05-31
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66702
    title: CentOS 6 : libtirpc (CESA-2013:0884)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2013:0884 and 
    # CentOS Errata and Security Advisory 2013:0884 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(66702);
      script_version("1.11");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2013-1950");
      script_bugtraq_id(59365);
      script_xref(name:"RHSA", value:"2013:0884");
    
      script_name(english:"CentOS 6 : libtirpc (CESA-2013:0884)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated libtirpc packages that fix one security issue are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    These packages provide a transport-independent RPC (remote procedure
    call) implementation.
    
    A flaw was found in the way libtirpc decoded RPC requests. A specially
    crafted RPC request could cause libtirpc to attempt to free a buffer
    provided by an application using the library, even when the buffer was
    not dynamically allocated. This could cause an application using
    libtirpc, such as rpcbind, to crash. (CVE-2013-1950)
    
    Red Hat would like to thank Michael Armstrong for reporting this
    issue.
    
    Users of libtirpc should upgrade to these updated packages, which
    contain a backported patch to correct this issue. All running
    applications using libtirpc must be restarted for the update to take
    effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2013-May/019768.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?93a58ba9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtirpc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1950");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libtirpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libtirpc-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"libtirpc-0.2.1-6.el6_4")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"libtirpc-devel-0.2.1-6.el6_4")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtirpc / libtirpc-devel");
    }
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2013-199.NASL
    description: A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 69757
    published: 2013-09-04
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/69757
    title: Amazon Linux AMI : libtirpc (ALAS-2013-199)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2013-199.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(69757);
      script_version("1.6");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2013-1950");
      script_xref(name:"ALAS", value:"2013-199");
      script_xref(name:"RHSA", value:"2013:0884");
    
      script_name(english:"Amazon Linux AMI : libtirpc (ALAS-2013-199)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was found in the way libtirpc decoded RPC requests. A specially
    crafted RPC request could cause libtirpc to attempt to free a buffer
    provided by an application using the library, even when the buffer was
    not dynamically allocated. This could cause an application using
    libtirpc, such as rpcbind, to crash. (CVE-2013-1950)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2013-199.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update libtirpc' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtirpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtirpc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libtirpc-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/06/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"libtirpc-0.2.1-6.8.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"libtirpc-debuginfo-0.2.1-6.8.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"libtirpc-devel-0.2.1-6.8.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtirpc / libtirpc-debuginfo / libtirpc-devel");
    }
    
  • NASL family: RPC
    NASL id: RPC_XDRMEM_BYTES.NASL
    description: The RPC library has an integer overflow in the function xdrmem_getbytes(). An attacker may use this flaw to execute arbitrary code on this host with the privileges your RPC programs are running with (typically root), by sending a specially crafted request to them. Note that this issue affects Solaris, as well as Red Hat Enterprise Linux and Fedora. Nessus used this flaw to crash the portmapper.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11420
    published: 2003-03-19
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11420
    title: Sun RPC XDR xdrmem_getbytes Function Remote Overflow
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # This script was written by Renaud Deraison <[email protected]>
    # with using rpc_cmsd_overflow.nasl by Xue Yong Zhi <[email protected]>
    # as a template
    #
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11420);
     script_version("1.29");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    
     script_cve_id("CVE-2003-0028", "CVE-2013-1950");
     script_bugtraq_id(7123, 59365);
     script_xref(name:"CERT-CC", value:"CA-2003-10");
     script_xref(name:"EDB-ID", value:"26887");
    
     script_name(english:"Sun RPC XDR xdrmem_getbytes Function Remote Overflow");
     script_summary(english:"Checks for the xdrmem_getbytes() overflow");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code may be run on the remote server.");
     script_set_attribute(attribute:"description", value:
    "The RPC library has an integer overflow in the function
    xdrmem_getbytes(). 
    
    An attacker may use this flaw to execute arbitrary code on this host
    with the privileges your RPC programs are running with (typically root),
    by sending a specially crafted request to them. 
    
    Note that this issue affects Solaris, as well as Red Hat Enterprise 
    Linux and Fedora.
    
    Nessus used this flaw to crash the portmapper.");
     script_set_attribute(attribute:"solution", value:"Contact the vendor for a patch.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/19");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/19");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_DESTRUCTIVE_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"RPC");
    
     script_dependencie("rpc_portmap.nasl");
     script_require_keys("rpc/portmap", "Settings/ParanoidReport");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("nfs_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    function portmap_alive(portmap)
    {
     local_var	broken, req, soc, r, port;
     local_var	a, b, c, d, p_a, p_b, p_c, p_d, pt_a, pt_b, pt_c, pt_d;
     local_var      program, protocol;
    
     program = 100000;
     protocol = IPPROTO_UDP;
    
    
     a = rand() % 255;
     b = rand() % 255;
     c = rand() % 255;
     d = rand() % 255;
    
     p_a = program / 16777216; 	p_a = p_a % 256;
     p_b = program / 65536; 	p_b = p_b % 256;
     p_c = program / 256;   	p_c = p_c % 256;
     p_d = program % 256;
    
     # Same big-endian byte split for the protocol number
     pt_a = protocol / 16777216; pt_a = pt_a % 256;
     pt_b = protocol / 65536   ; pt_b = pt_b % 256;
     pt_c = protocol / 256     ; pt_c = pt_c % 256;
     pt_d = protocol % 256;
    
    
     req = raw_string(a, 	b, 	c, 	d, 	# XID
     		  0x00, 0x00, 0x00, 0x00,	# Msg type: call
    		  0x00, 0x00, 0x00, 0x02,	# RPC Version
    		  0x00, 0x01, 0x86, 0xA0,	# Program
    		  0x00, 0x00, 0x00, 0x02,	# Program version
    		  0x00, 0x00, 0x00, 0x03,	# Procedure
    		  0x00, 0x00, 0x00, 0x00,	# Credentials - flavor
    		  0x00, 0x00, 0x00, 0x00, 	# Credentials - length
    		  0x00, 0x00, 0x00, 0x00,	# Verifier - Flavor
    		  0x00, 0x00, 0x00, 0x00,	# Verifier - Length
    
    		  p_a,  p_b,  p_c,  p_d,	# Program
    		  0xFF, 0xFF, 0xFF, 0xFF,	# Version (any)
    		  pt_a, pt_b, pt_c, pt_d,	# Proto (udp)
    		  0x00, 0x00, 0x00, 0x00	# Port
     		  );
    
    
     if(isnull(portmap)){
       port = int(get_kb_item("rpc/portmap"));
       if(port == 0)port = 111;
       }
     else port = portmap;
    
     if (! get_udp_port_state(port)) return 0;
    
    
     broken = get_kb_item(string("/tmp/rpc/noportmap/", port));
     if(broken)return(0);
    
    
     soc = open_sock_udp(port);
     if (!soc) return(0);
    
     send(socket:soc, data:req);
     r = recv(socket:soc, length:1024);
     close(soc);
     if(!r)return(0);
     else return(port);
    }
    
    
    port = portmap_alive();
    if(!port)exit(0);
    if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "UDP");
    
    
    
    soc = open_sock_udp(port);
    if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP");
    
    host = this_host_name();
    
    pad = padsz(len:strlen(host));
    len = 20 + strlen(host) + pad;
    soc = open_sock_udp(port);
    req = 	rpclong(val:rand()) +   	#unsigned int xid;
    	rpclong(val:0) +      		#msg_type mtype case CALL(0):
    	rpclong(val:2) +      		#unsigned int rpcvers;/* must be equal to two (2) */
    	rpclong(val:100000) + 		#unsigned int prog(protmap);
    	rpclong(val:2) +      		#unsigned int vers(2);
    	rpclong(val:5) +      		#unsigned int proc(CALLIT);
    	rpclong(val:1) +      		#AUTH_UNIX
    	rpclong(val:len) +    		#len
    	rpclong(val:rand()) + 		#stamp
    	rpclong(val:strlen(host)) +	#length
    	host +            		#contents(Machine name)
    	rpcpad(pad:pad) +     		#fill bytes
    	rpclong(val:0)  +     		#uid
    	rpclong(val:0)  +     		#gid
    	rpclong(val:0)  +     		#auxiliary gids
    	rpclong(val:0)  +     		#AUTH_NULL
    	rpclong(val:0)  +
    	rpclong(val:100024) +
    	rpclong(val:2) +
    	rpclong(val:4) +
    	raw_string(0xFF, 0xFF, 0xFF, 0xFF) +
    	rpclong(val:0) +
    	rpclong(val:0);
    
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    close(soc);
    
    alive = portmap_alive(portmap:port);
    if(!alive)security_hole(port:port, proto:"udp");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-6262.NASL
    description: CVE-2013-1950 EMBARGOED rpcbind: invalid pointer free leads to crash Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-04-29
    plugin id: 66246
    published: 2013-04-29
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66246
    title: Fedora 19 : libtirpc-0.2.3-2.fc19 (2013-6262)
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL19157044.NASL
    description: The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer. (CVE-2013-1950)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88848
    published: 2016-02-19
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88848
    title: F5 Networks BIG-IP : libtirpc vulnerability (K19157044)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0884.NASL
    description: Updated libtirpc packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. These packages provide a transport-independent RPC (remote procedure call) implementation. A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) Red Hat would like to thank Michael Armstrong for reporting this issue. Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66707
    published: 2013-05-31
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66707
    title: RHEL 6 : libtirpc (RHSA-2013:0884)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-1076.NASL
    descriptionAn updated rhev-hypervisor6 package that fixes one security issue and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. It was discovered that the fix for the CVE-2013-1619 issue released via RHSA-2013:0636 introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS. (CVE-2013-2116) This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2013-2174 (curl issue) CVE-2012-6548, CVE-2013-0914, CVE-2013-1848, CVE-2013-2128, CVE-2013-2634, CVE-2013-2635, CVE-2013-2852, CVE-2013-3222, CVE-2013-3224, CVE-2013-3225, and CVE-2013-3301 (kernel issues) CVE-2002-2443 (krb5 issue) CVE-2013-1950 (libtirpc issue) Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization Hypervisor through the 3.2 Manager administration portal, the Host may appear with the status of
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 78965
    published: 2014-11-08
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78965
    title: RHEL 6 : rhev-hypervisor6 (RHSA-2013:1076)

Packetstorm

data source: https://packetstormsecurity.com/files/download/122431/rpcbind_udp_crash_poc.rb.txt
id: PACKETSTORM:122431
last seen: 2016-12-05
published: 2013-07-17
reporter: Sean Verity
source: https://packetstormsecurity.com/files/122431/rpcbind-CALLIT-UDP-Crash.html
title: rpcbind CALLIT UDP Crash

Redhat

advisories
bugzilla
id: 948378
title: CVE-2013-1950 libtirpc: invalid pointer free leads to rpcbind daemon crash
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 6 is installed
      oval: oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment: libtirpc is earlier than 0:0.2.1-6.el6_4
          oval: oval:com.redhat.rhsa:tst:20130884001
        • comment: libtirpc is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20171991004
      • AND
        • comment: libtirpc-devel is earlier than 0:0.2.1-6.el6_4
          oval: oval:com.redhat.rhsa:tst:20130884003
        • comment: libtirpc-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20171991002
rhsa
id: RHSA-2013:0884
released: 2013-05-30
severity: Moderate
title: RHSA-2013:0884: libtirpc security update (Moderate)
rpms
  • libtirpc-0:0.2.1-6.el6_4
  • libtirpc-debuginfo-0:0.2.1-6.el6_4
  • libtirpc-devel-0:0.2.1-6.el6_4