lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0307141700310.16309-100000@isec.pl>
Date: Mon, 14 Jul 2003 17:02:02 +0200 (CEST)
From: Janusz Niewiadomski <funkysh@...c.pl>
To: vulnwatch@...nwatch.org, <bugtraq@...urityfocus.com>
Subject: Linux nfs-utils xlog() off-by-one bug


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Synopsis:	Linux nfs-utils xlog() off-by-one bug 
Product:	nfs-utils
Version:	<= 1.0.3
Vendor:		http://sourceforge.net/projects/nfs/

URL:		http://isec.pl/vulnerabilities/
CVE:		CAN-2003-0252
Author:		Janusz Niewiadomski <funkysh@...c.pl>
Date:		July 14, 2003


Issue:
======

Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending 
specially crafted request to rpc.mountd daemon.


Details:
========

An off-by-one bug exist in xlog() function which handles logging of 
requests. An overflow occurs when function is trying to add missing
trailing newline character to logged string. 

Due to miscalculation, if a string passed to the functions is equal
or longer than 1023 bytes, the '\0' byte will be written beyond the 
buffer:
  

- ------8<------cut-here------8<------

        char            buff[1024];
        ...
 
        va_start(args, fmt);
        vsnprintf(buff, sizeof (buff), fmt, args);
        va_end(args);
        buff[sizeof (buff) - 1] = 0;

        if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
                buff[n++] = '\n'; buff[n++] = '\0';
        }

- ------8<------cut-here------8<------


Impact:
=======

Local or remote attacker which is capable to send RPC request to
vulnerable mountd daemon could execute artitrary code or cause
denial of service.


Status:
=======

Vendor has been notified on June 10, 2003. The fix is incorporated
in recent 1.0.4 release of nfs-utils.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0252 to this issue.


- -- 
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/EsX3C+8U3Z5wpu4RArLdAKDD40fr/uq21jn47nZ3y4drrx7AaQCgvYKv
ji74jUOQtgjaGVoQn63d05Q=
=OqOQ
-----END PGP SIGNATURE-----




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ