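Linux nfs-utils xlog() Remote Off-by-One Buffer Overflow Vulnerability

Vulnerability Details

Vulnerability Summary

Linux NFS utils (nfs-utils) is an implementation of the Network File System.
nfs-utils contains an off-by-one (single-byte) overflow. A remote attacker can exploit it by sending a forged request to the rpc.mountd daemon, and may be able to execute arbitrary commands on the system with root privileges.
The flaw is in the xlog() function, which handles logging of requests; the overflow is triggered when the function tries to append a newline character to the string being logged. Because of a miscalculation, if the string passed to the function is 1023 bytes or longer, the terminating '\0' byte is written past the end of the buffer: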
--8<--cut-here--8<--
char buff[1024];

va_start(args, fmt);
vsnprintf(buff, sizeof (buff), fmt, args);   /* may fill all 1023 characters */
va_end(args);
buff[sizeof (buff) - 1] = 0;
if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
    /* n == 1023: '\n' lands on buff[1023] and '\0' on buff[1024], one byte past the end */
    buff[n++] = '\n'; buff[n++] = '\0';
}
--8<--cut-here--8<--
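A local or remote attacker can send a specially crafted RPC request to the rpc.mountd daemon, causing a denial of service or executing arbitrary commands on the system with root privileges.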
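
The index arithmetic behind the overflow, next to one hardened variant, as an added example (not code from nfs-utils or from any vendor patch). The names vuln_last_write_index, xlog_format_fixed and fixed_keeps_canary are hypothetical, and reserving one byte for the newline is one possible correction, not necessarily the change the vendors shipped.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define XLOG_BUFSZ ((size_t)1024)  /* size of buff[] in the quoted xlog() */

/* Highest index the quoted code writes for a msg_len-byte message with no
 * trailing newline (computed only, nothing is written out of bounds). */
static size_t vuln_last_write_index(size_t msg_len)
{
    size_t n = msg_len < XLOG_BUFSZ - 1 ? msg_len : XLOG_BUFSZ - 1; /* vsnprintf truncation */
    /* '\n' goes to buff[n], '\0' to buff[n + 1]; n == 1023 puts '\0' at 1024 */
    return n == XLOG_BUFSZ - 1 ? n + 1 : XLOG_BUFSZ - 1;
}

/* Hardened variant: reserve one byte for the appended newline. */
static size_t xlog_format_fixed(char *buff, size_t size, const char *fmt, ...)
{
    va_list args;
    if (size < 2) return 0;
    va_start(args, fmt);
    vsnprintf(buff, size - 1, fmt, args);  /* at most size - 2 chars + NUL */
    va_end(args);
    size_t n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        buff[n++] = '\n';                  /* index <= size - 2 */
        buff[n] = '\0';                    /* index <= size - 1 */
    }
    return n;
}

/* Constructed check: format msg_len 'A' bytes beside a canary byte. */
static int fixed_keeps_canary(size_t msg_len)
{
    struct { char buff[1024]; unsigned char canary; } s;
    static char msg[4096];
    if (msg_len >= sizeof(msg)) return 0;
    memset(msg, 'A', msg_len);
    msg[msg_len] = '\0';
    s.canary = 0x5a;
    size_t n = xlog_format_fixed(s.buff, sizeof(s.buff), "%s", msg);
    return s.canary == 0x5a && n > 0 && s.buff[n - 1] == '\n' && s.buff[n] == '\0';
}

int main(void)
{
    printf("%zu %zu %d\n", vuln_last_write_index(1022), vuln_last_write_index(1023), fixed_keeps_canary(2000));
    return 0;
}
```

A 1022-byte message is the longest the original logic handles inside the buffer; from 1023 bytes on, the terminator index is 1024, which is the single byte the advisory describes.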

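Vulnerability Advisory

Vendor patches:
Debian
------
Debian has released a security advisory (DSA-349-1) and corresponding patches:

DSA-349-1: New nfs-utils package fixes buffer overflow

Link: http://www.debian.org/security/2002/dsa-349

Patch downloads: the fixed packages (nfs-utils 1.0-2woody1, source and per-architecture binaries) are linked from the advisory above.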


References

Source: US-CERT Vulnerability Note: VU#258564
Name: VU#258564
Link: http://www.kb.cert.org/vuls/id/258564

Source: BUGTRAQ
Name: 20030715 [slackware-security] nfs-utils packages replaced (SSA:2003-195-01b)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105830921519513&w=2

Source: XF
Name: nfs-utils-offbyone-bo(12600)
Link: http://xforce.iss.net/xforce/xfdb/12600

Source: TURBO
Name: TLSA-2003-44
Link: http://www.turbolinux.com/security/TLSA-2003-44.txt

Source: BID
Name: 8179
Link: http://www.securityfocus.com/bid/8179

Source: REDHAT
Name: RHSA-2003:207
Link: http://www.redhat.com/support/errata/RHSA-2003-207.html

Source: REDHAT
Name: RHSA-2003:206
Link: http://www.redhat.com/support/errata/RHSA-2003-206.html

Source: SUSE
Name: SuSE-SA:2003:031
Link: http://www.novell.com/linux/security/advisories/2003_031_nfs_utils.html

Source: DEBIAN
Name: DSA-349
Link: http://www.debian.org/security/2003/dsa-349

Source: SUNALERT
Name: 1001262
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001262.1-1

Source: SECTRACK
Name: 1007187
Link: http://securitytracker.com/id?1007187

Source: SECUNIA
Name: 9259
Link: http://secunia.com/advisories/9259

Source: BUGTRAQ
Name: 20030716 Immunix Secured OS 7+ nfs-utils update -- bugtraq
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105839032403325&w=2

Source: BUGTRAQ
Name: 20030714 Linux nfs-utils xlog() off-by-one bug
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105820223707191&w=2

Source: isec.pl
Link: http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt

Source: VULNWATCH
Name: 20030714 Reality of the rpc.mountd bug
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0024.html

Source: VULNWATCH
Name: 20030714 Linux nfs-utils xlog() off-by-one bug
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0023.html

Source: MANDRAKE
Name: MDKSA-2003:076
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2003:076

Source: US Government Resource: oval:org.mitre.oval:def:443
Name: oval:org.mitre.oval:def:443
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:443
