-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Synopsis: Linux nfs-utils xlog() off-by-one bug Product: nfs-utils Version: <= 1.0.3 Vendor: http://sourceforge.net/projects/nfs/ URL: http://isec.pl/vulnerabilities/ CVE: CAN-2003-0252 Author: Janusz Niewiadomski <funkyshat_private> Date: July 14, 2003 Issue: ====== Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. Details: ======== An off-by-one bug exist in xlog() function which handles logging of requests. An overflow occurs when function is trying to add missing trailing newline character to logged string. Due to miscalculation, if a string passed to the functions is equal or longer than 1023 bytes, the '\0' byte will be written beyond the buffer: - ------8<------cut-here------8<------ char buff[1024]; ... va_start(args, fmt); vsnprintf(buff, sizeof (buff), fmt, args); va_end(args); buff[sizeof (buff) - 1] = 0; if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') { buff[n++] = '\n'; buff[n++] = '\0'; } - ------8<------cut-here------8<------ Impact: ======= Local or remote attacker which is capable to send RPC request to vulnerable mountd daemon could execute artitrary code or cause denial of service. Status: ======= Vendor has been notified on June 10, 2003. The fix is incorporated in recent 1.0.4 release of nfs-utils. The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0252 to this issue. - -- Janusz Niewiadomski iSEC Security Research http://isec.pl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/EsX3C+8U3Z5wpu4RArLdAKDD40fr/uq21jn47nZ3y4drrx7AaQCgvYKv ji74jUOQtgjaGVoQn63d05Q= =OqOQ -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 10:49:53 PDT