
OpenLinux: Linux NFS utils package contains remotely exploitable off-by-one bug



To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx 
full-disclosure@xxxxxxxxxxxxxxxx security-alerts@xxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: Linux NFS utils package contains remotely exploitable off-by-one bug
Advisory number:        CSSA-2003-037.0
Issue date:             2003 November 17
Cross reference:        sr882699 fz528148 erg712382
______________________________________________________________________________


1. Problem Description

        Janusz Niewiadomski has discovered an off-by-one overflow in
        xlog() in the nfs-utils package. It is rumoured that this bug is
        exploitable; however, as it writes a single zero byte to memory,
        an exploit may be difficult to write.

        CAN-2003-0252 Off-by-one error in the xlog function of mountd 
        in the Linux NFS utils package (nfs-utils) before 1.0.4 allows 
        remote attackers to cause a denial of service and possibly execute 
        arbitrary code via certain RPC requests to mountd that do not 
        contain newlines.
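        The following C program is an added illustration of the bug class
        described above; it is not code from this advisory or from nfs-utils.
        It shows the boundary condition behind an off-by-one of this kind (a
        fixed-size log buffer that must end with a newline and a NUL
        terminator, fed a message that fills the buffer and carries no newline)
        and the bounds handling that keeps both bytes inside the buffer. The
        buffer size, function names and sample messages are assumptions chosen
        for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not nfs-utils source. The buffer is deliberately
 * small so that the boundary cases are easy to exercise. */
#define LOGBUF_SIZE 16

/*
 * Format a log line into a fixed-size buffer, guaranteeing that the result
 * ends in exactly one '\n' and is NUL-terminated, whether or not the
 * caller's format string supplied a newline.
 *
 * The off-by-one pattern this avoids: once a message occupies all
 * LOGBUF_SIZE - 1 usable bytes and has no trailing newline, code that does
 *     buf[n] = '\n'; buf[n + 1] = '\0';
 * with n == LOGBUF_SIZE - 1 stores the terminator one byte past the end of
 * the buffer. Here the message is truncated first so that the newline and
 * the terminator always fit.
 *
 * Returns the number of characters stored, excluding the NUL.
 */
size_t format_log_line(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t len;

    if (cap < 2) {              /* need room for at least '\n' and '\0' */
        if (cap)
            buf[0] = '\0';
        return 0;
    }

    va_start(ap, fmt);
    n = vsnprintf(buf, cap, fmt, ap);   /* never writes more than cap bytes */
    va_end(ap);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }

    /* vsnprintf reports the length it wanted; what it stored is at most cap - 1 */
    len = (size_t)n < cap ? (size_t)n : cap - 1;

    /* Strip newlines the caller supplied so that exactly one is appended */
    while (len > 0 && buf[len - 1] == '\n')
        len--;

    /* Reserve space for '\n' and '\0' by truncating the message if needed */
    if (len > cap - 2)
        len = cap - 2;

    buf[len++] = '\n';
    buf[len] = '\0';
    return len;
}

/* Shared buffer and thin wrappers so the behaviour can be checked by a test */
static char g_line[LOGBUF_SIZE];

size_t log_line(const char *msg)
{
    return format_log_line(g_line, sizeof g_line, "%s", msg);
}

const char *last_line(void)
{
    return g_line;
}

int main(void)
{
    /* Constructed inputs: a short message, one with its own newline, and one
     * that exactly fills the buffer without a newline (the boundary case). */
    const char *samples[] = { "short", "with nl\n", "ABCDEFGHIJKLMNO" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = log_line(samples[i]);
        printf("%-18s -> %zu bytes, terminator at index %zu of %d\n",
               samples[i], len, len, LOGBUF_SIZE);
    }
    return 0;
}
```

        The boundary case is the third sample: fifteen characters fill the
        sixteen-byte buffer with no room for a newline, so the message is cut
        to fourteen characters and the terminator lands at index 15, inside
        the buffer, instead of at index 16.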


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to nfs-0.2.1-12.i386.rpm
                                        prior to nfs-lockd-0.2.1-12.i386.rpm
                                        prior to nfs-server-0.2.1-12.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to nfs-0.2.1-12.i386.rpm
                                        prior to nfs-lockd-0.2.1-12.i386.rpm
                                        prior to nfs-server-0.2.1-12.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/RPMS

        4.2 Packages

        30ea43154970596e70e4fe28d975384e        nfs-0.2.1-12.i386.rpm
        680b5214c57a02e1265229458ae881d3        nfs-lockd-0.2.1-12.i386.rpm
        32ee130750f4502fc5bfb51ed46bbbd9        nfs-server-0.2.1-12.i386.rpm

        4.3 Installation

        rpm -Fvh nfs-0.2.1-12.i386.rpm
        rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
        rpm -Fvh nfs-server-0.2.1-12.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/SRPMS

        4.5 Source Packages

        da4e028d9ffe374c7be7e24ffad2b360        nfs-0.2.1-12.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/RPMS

        5.2 Packages

        40c11bad18969b6587a9d94b79c2e41c        nfs-0.2.1-12.i386.rpm
        f98629ebc8412a30a1ab6fe16ea55f77        nfs-lockd-0.2.1-12.i386.rpm
        6407294bbb284c9e42f2769ef9941e8a        nfs-server-0.2.1-12.i386.rpm

        5.3 Installation

        rpm -Fvh nfs-0.2.1-12.i386.rpm
        rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
        rpm -Fvh nfs-server-0.2.1-12.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/SRPMS

        5.5 Source Packages

        f47fea29ce99c7979c50ffb3e91ddf99        nfs-0.2.1-12.src.rpm


6. References

        Specific references for this advisory:
                http://marc.theaimsgroup.com/?l=bugtraq&m=105839032403325&w=2
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0252

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr882699, fz528148 and
        erg712382.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgements

        SCO would like to thank Janusz Niewiadomski for reporting this issue.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/uU5lbluZssSXDTERAjKTAKCwv9o4wj3AnK++/g6/MObc4WFUFgCgqdA8
xmjzczTc7zXZECQEkCsW3M4=
=Kq/p
-----END PGP SIGNATURE-----