CVE-2003-0252
CVSS 10.0
Published: 2003-08-18 00:00:00
Last revised: 2016-10-17 22:31:15

[Original text] Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines.


[CNNVD] Linux nfs-utils xlog() Remote Buffer Off-by-One Overflow Vulnerability (CNNVD-200308-096)

        Linux NFS utils is a Network File System implementation.
        nfs-utils contains an off-by-one overflow. A remote attacker can exploit it by sending a crafted request to the rpc.mountd daemon and may be able to execute arbitrary code on the system with root privileges.
        The problem lies in xlog(), the function that logs requests: the overflow is triggered when the function tries to append a newline to the string being logged. Because of a miscalculation, if the string passed to the function is 1023 bytes or longer (vsnprintf() truncates it to 1023 characters, so strlen() returns 1023), the '\n' lands in the last element of the buffer and the '\0' byte is written one byte past its end:
        ------8<------cut-here------8<------
        char            buff[1024];
        ...
        va_start(args, fmt);
        vsnprintf(buff, sizeof (buff), fmt, args);
        va_end(args);
        buff[sizeof (buff) - 1] = 0;

        if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
                buff[n++] = '\n'; buff[n++] = '\0';
        }
        ------8<------cut-here------8<------
        A local or remote attacker can send a specially crafted RPC request to the rpc.mountd daemon and cause a denial of service, or execute arbitrary code on the system with root privileges.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:nfs:nfs-utils:1.0.3
cpe:/a:nfs:nfs-utils:1.0
cpe:/a:nfs:nfs-utils:0.2
cpe:/a:nfs:nfs-utils:0.3.3
cpe:/a:nfs:nfs-utils:0.3.1
cpe:/a:nfs:nfs-utils:0.2.1
cpe:/a:nfs:nfs-utils:1.0.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:443  mountd xlog Function Off-by-One Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0252
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0252
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-096
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0023.html
(VENDOR_ADVISORY)  VULNWATCH  20030714 Linux nfs-utils xlog() off-by-one bug
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0024.html
(VENDOR_ADVISORY)  VULNWATCH  20030714 Reality of the rpc.mountd bug
http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt
(UNKNOWN)  MISC  http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt
http://marc.info/?l=bugtraq&m=105820223707191&w=2
(UNKNOWN)  BUGTRAQ  20030714 Linux nfs-utils xlog() off-by-one bug
http://marc.info/?l=bugtraq&m=105830921519513&w=2
(UNKNOWN)  BUGTRAQ  20030715 [slackware-security] nfs-utils packages replaced (SSA:2003-195-01b)
http://marc.info/?l=bugtraq&m=105839032403325&w=2
(UNKNOWN)  BUGTRAQ  20030716 Immunix Secured OS 7+ nfs-utils update -- bugtraq
http://securitytracker.com/id?1007187
(UNKNOWN)  SECTRACK  1007187
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001262.1-1
(UNKNOWN)  SUNALERT  1001262
http://www.debian.org/security/2003/dsa-349
(UNKNOWN)  DEBIAN  DSA-349
http://www.kb.cert.org/vuls/id/258564
(UNKNOWN)  CERT-VN  VU#258564
http://www.mandriva.com/security/advisories?name=MDKSA-2003:076
(UNKNOWN)  MANDRAKE  MDKSA-2003:076
http://www.novell.com/linux/security/advisories/2003_031_nfs_utils.html
(UNKNOWN)  SUSE  SuSE-SA:2003:031
http://www.redhat.com/support/errata/RHSA-2003-206.html
(UNKNOWN)  REDHAT  RHSA-2003:206
http://www.redhat.com/support/errata/RHSA-2003-207.html
(UNKNOWN)  REDHAT  RHSA-2003:207
http://www.securityfocus.com/bid/8179
(UNKNOWN)  BID  8179
http://www.turbolinux.com/security/TLSA-2003-44.txt
(UNKNOWN)  TURBO  TLSA-2003-44
http://xforce.iss.net/xforce/xfdb/12600
(UNKNOWN)  XF  nfs-utils-offbyone-bo(12600)

- Vulnerability information

Linux nfs-utils xlog() Remote Buffer Off-by-One Overflow Vulnerability
Critical  Boundary Condition Error
2003-08-18 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-349-1) and corresponding patches for this issue:
        DSA-349-1: New nfs-utils package fixes buffer overflow
        Link:
        http://www.debian.org/security/2002/dsa-349

        Patch downloads:

- Vulnerability information (F31366)

linuxNFSutils.txt (PacketStormID:F31366)
2003-07-15 00:00:00
Janusz Niewiadomski  
advisory,remote,denial of service,arbitrary,local
linux
CVE-2003-0252

nfs-utils version 1.0.3 and below for Linux has an off-by-one bug that allows a local or remote attacker to send an RPC request to mountd that could execute arbitrary code or cause a denial of service.



Synopsis:	Linux nfs-utils xlog() off-by-one bug 
Product:	nfs-utils
Version:	<= 1.0.3
Vendor:		http://sourceforge.net/projects/nfs/

URL:		http://isec.pl/vulnerabilities/
CVE:		CAN-2003-0252
Author:		Janusz Niewiadomski <funkysh@isec.pl>
Date:		July 14, 2003


Issue:
======

The Linux NFS utils package contains a remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending a
specially crafted request to the rpc.mountd daemon.


Details:
========

An off-by-one bug exists in the xlog() function, which handles logging of
requests. An overflow occurs when the function is trying to add a missing
trailing newline character to the logged string.

Due to a miscalculation, if a string passed to the function is equal to
or longer than 1023 bytes, the '\0' byte will be written beyond the
buffer:
  

------8<------cut-here------8<------

        char            buff[1024];
        ...
 
        va_start(args, fmt);
        vsnprintf(buff, sizeof (buff), fmt, args);
        va_end(args);
        buff[sizeof (buff) - 1] = 0;

        if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
                buff[n++] = '\n'; buff[n++] = '\0';
        }

------8<------cut-here------8<------


Impact:
=======

A local or remote attacker who is capable of sending an RPC request to a
vulnerable mountd daemon could execute arbitrary code or cause a
denial of service.


Status:
=======

The vendor was notified on June 10, 2003. The fix is incorporated
in the recent 1.0.4 release of nfs-utils.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0252 to this issue.


-- 
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/

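The off-by-one explained in the CNNVD description and in the Details section of the advisory above, worked through as an added example (this code is not from nfs-utils or from the advisory): xlog_overrun_bytes() models the arithmetic of the two appended stores without touching memory, and xlog_format_safe() is one hardened form of the same append step written for this example, not the upstream 1.0.4 fix; the 1999-character message in demo_long_message() is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define XLOG_BUFSZ 1024   /* size of buff[] in the vulnerable xlog() */

/* Models the append step of the vulnerable xlog() as pure arithmetic: n is
 * strlen(buff) after vsnprintf() and the forced terminator. Returns how many
 * of the bytes stored by buff[n] = '\n', buff[n+1] = '\0' land past the end
 * of a bufsz-byte buffer. Nothing is written to memory. */
size_t xlog_overrun_bytes(size_t n, size_t bufsz)
{
    if (n == 0)                 /* the original guard skips empty strings */
        return 0;
    size_t last = n + 1;        /* index of the '\0' store */
    return last >= bufsz ? last - bufsz + 1 : 0;
}

/* Hardened variant (this example's own fix, not the upstream 1.0.4 patch):
 * append the newline only when both '\n' and '\0' fit, dropping the last
 * message byte otherwise. Requires bufsz >= 2. Returns strlen(buff). */
size_t xlog_format_safe(char *buff, size_t bufsz, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    vsnprintf(buff, bufsz, fmt, args);  /* truncates to bufsz-1 chars + NUL */
    va_end(args);
    buff[bufsz - 1] = '\0';

    size_t n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        if (n + 1 >= bufsz)     /* n == bufsz-1: the off-by-one case */
            n = bufsz - 2;
        buff[n++] = '\n';
        buff[n] = '\0';         /* always within buff[bufsz-1] */
    }
    return n;
}

/* Constructed worst case: a 1999-character message, longer than buff[].
 * Returns 1 if the hardened routine leaves buff[] correctly bounded. */
int demo_long_message(void)
{
    char big[2000], buff[XLOG_BUFSZ];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    size_t n = xlog_format_safe(buff, sizeof buff, "%s", big);
    return n == XLOG_BUFSZ - 1 && buff[n - 1] == '\n' && buff[n] == '\0';
}
```

For every input shorter than 1023 characters the original logic stays inside the buffer; only the exact truncation length, which any over-long message produces, reaches buff[1024].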


    

- Vulnerability information

2317
nfs-utils mountd xlog Function Off-by-one Remote Overflow
Local Access Required, Remote / Network Access, Denial of Service, Input Manipulation
Loss of Integrity

- Vulnerability description

nfs-utils contains a flaw that allows a remote attacker to gain root privileges. The issue is due to a buffer overflow caused by an off-by-one error in the "xlog" function. If an attacker creates a specially crafted RPC request to the rpc.mountd daemon they may be able to execute arbitrary code.

- Timeline

2003-07-14 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

NFS-Utils Xlog Remote Buffer Overrun Vulnerability
Class: Boundary Condition Error  BID: 8179
Remote: Yes  Local: No
Published: 2003-07-14 12:00:00  Updated: 2009-07-11 10:56:00
Discovery is credited to Janusz Niewiadomski.

- Affected program versions

Sun Cobalt RaQ4 3001R
Sun Cobalt RaQ XTR
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1
nfs nfs-utils 1.0.3
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Slackware Linux -current
+ Sun Linux 5.0
nfs nfs-utils 1.0.1
+ Conectiva Linux 9.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux Personal 8.2
+ Terra Soft Solutions Yellow Dog Linux 3.0
+ Trustix Secure Linux 2.0
nfs nfs-utils 1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
nfs nfs-utils 0.3.3
+ S.u.S.E. Linux 8.0
nfs nfs-utils 0.3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
nfs nfs-utils 0.2.1
nfs nfs-utils 0.2
nfs nfs-utils 1.0.4

- Unaffected program versions

nfs nfs-utils 1.0.4

- Vulnerability discussion

A remotely exploitable buffer overrun vulnerability has been reported in the xlog component of nfs-utils. It is possible to exploit this issue via mountd. It has been reported that exploitation of this issue will most likely result in a denial of service. There is a possibility that this issue could be exploited to run arbitrary code in the context of mountd, which runs as root.

- Exploit

There are reports of an exploit circulating in the wild.

- Solution

This issue has been addressed in nfs-utils 1.0.4. Users are advised to upgrade.

Red Hat has released an advisory (RHSA-2003:206-08) that addresses this issue. This advisory is an updated release that includes fixes for additional platforms. See the referenced advisory for details on obtaining and applying fixes.

Debian has released an advisory (DSA 349-1) for this issue. Please see the attached advisory for information on how to obtain and apply fixes.

SuSE has released an advisory (SuSE-SA:2003:031) that contains information about updates for this issue. Please see the attached advisory for further details on obtaining and applying updates.

Slackware has released an advisory (SSA:2003-149-01) as well as updates to correct these issues.

WireX has released Immunix advisory IMNX-2003-7+-018-01 to address this issue.

Trustix has released an advisory (TSLSA-2003-0027) to address this issue.

Gentoo has released an advisory to address this issue. Upgrades can be applied with the following commands:

emerge sync
emerge nfs-utils
emerge clean

Mandrake has released advisory MDKSA-2003:076 to address this issue. Please see referenced advisory for additional details and fix information.

TurboLinux has released advisory TLSA-2003-44 to address this issue. Vulnerable users are advised to use the turbopkg tool to update affected systems. See referenced advisory for additional details.

Sun Microsystems has released a fix for Sun Linux 5.0.6.

Updates are available for Yellow Dog Linux. These updates can be applied manually or by issuing the following command:

yum update nfs-utils

SCO has released an advisory (CSSA-2003-037.0) that includes updates for this issue.

Sun has released fixes to address this issue in Sun Cobalt RaQXRT and RaQ4.

Fixes are available for:

Sun Cobalt RaQ XTR
nfs nfs-utils 0.2
nfs nfs-utils 0.2.1
nfs nfs-utils 0.3.1
nfs nfs-utils 0.3.3
nfs nfs-utils 1.0
nfs nfs-utils 1.0.1
nfs nfs-utils 1.0.3
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.