[VulnWatch] Linux nfs-utils xlog() off-by-one bug

From: Janusz Niewiadomski (funkysh_at_isec.pl)
Date: 07/14/03

  • Next message: tb0b: "[VulnWatch] Reality of the rpc.mountd bug"
    Date: Mon, 14 Jul 2003 17:02:02 +0200 (CEST)
    To: vulnwatch@vulnwatch.org, <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Synopsis: Linux nfs-utils xlog() off-by-one bug
    Product: nfs-utils
    Version: <= 1.0.3
    Vendor: http://sourceforge.net/projects/nfs/

    URL: http://isec.pl/vulnerabilities/
    CVE: CAN-2003-0252
    Author: Janusz Niewiadomski <funkysh@isec.pl>
    Date: July 14, 2003

    Issue:
    ======

    Linux NFS utils package contains remotely exploitable off-by-one bug.
    A local or remote attacker could exploit this vulnerability by sending
    specially crafted request to rpc.mountd daemon.

    Details:
    ========

    An off-by-one bug exist in xlog() function which handles logging of
    requests. An overflow occurs when function is trying to add missing
    trailing newline character to logged string.

    Due to miscalculation, if a string passed to the functions is equal
    or longer than 1023 bytes, the '\0' byte will be written beyond the
    buffer:
      

    - ------8<------cut-here------8<------

            char buff[1024];
            ...
     
            va_start(args, fmt);
            vsnprintf(buff, sizeof (buff), fmt, args);
            va_end(args);
            buff[sizeof (buff) - 1] = 0;

            if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
                    buff[n++] = '\n'; buff[n++] = '\0';
            }

    - ------8<------cut-here------8<------

    Impact:
    =======

    Local or remote attacker which is capable to send RPC request to
    vulnerable mountd daemon could execute artitrary code or cause
    denial of service.

    Status:
    =======

    Vendor has been notified on June 10, 2003. The fix is incorporated
    in recent 1.0.4 release of nfs-utils.

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2003-0252 to this issue.

    - --
    Janusz Niewiadomski
    iSEC Security Research
    http://isec.pl/

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE/EsX3C+8U3Z5wpu4RArLdAKDD40fr/uq21jn47nZ3y4drrx7AaQCgvYKv
    ji74jUOQtgjaGVoQn63d05Q=
    =OqOQ
    -----END PGP SIGNATURE-----


  • Next message: tb0b: "[VulnWatch] Reality of the rpc.mountd bug"

    Relevant Pages

    • Linux nfs-utils xlog() off-by-one bug
      ... Linux NFS utils package contains remotely exploitable off-by-one bug. ... A local or remote attacker could exploit this vulnerability by sending ... Local or remote attacker which is capable to send RPC request to ...
      (Bugtraq)
    • [Full-disclosure] CVE-2013-0634 Original sample can not be confirmed until now
      ... entity that claimed to be first to find the threat in the wild. ... That's why in vulnerability assessment and research, is not a mere request, ... Adobe claimed to find CVE-2013-0634 in the wild in websites (is plural, ...
      (Full-Disclosure)
    • [NT] Vulnerability Report for Windows SMB DoS
      ... cross-platform mechanism for client systems to request file services from ... In order to exploit the vulnerability a user account is needed for the ... is therefore vulnerable to a denial of service attack. ... Later in the processing of the request, at SRV.SYS+33209h another buffer ...
      (Securiteam)
    • CORE-20020618: Vulnerabilities in Windows SMB (DoS)
      ... Denial of Service Vulnerabilities in Windows SMB implementation ... mechanism for client systems to request file services from server ... It might be possible to abuse this vulnerability to execute arbitrary ... Later in the processing of the request, at SRV.SYS+33209h another buffer ...
      (NT-Bugtraq)
    • CORE-20020618: Vulnerabilities in Windows SMB (DoS)
      ... Denial of Service Vulnerabilities in Windows SMB implementation ... mechanism for client systems to request file services from server ... It might be possible to abuse this vulnerability to execute arbitrary ... Later in the processing of the request, at SRV.SYS+33209h another buffer ...
      (Bugtraq)