Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:2184 |
Message | RPC mountd TCP mount path overflow attempt |
Summary | This event is generated when an attempt is made to exploit a known vulnerability in the xlog function of certain Linux NFS Utils packages. Specifically, this event is generated when TCP is used as the attack medium. |
Impact | Denial of Service (DoS), possible arbitrary code execution. |
Detailed Information | The mountd Remote Procedure Call (RPC) service implements the NFS mount protocol. A vulnerability exists in some versions of the Linux NFS Utilities package prior to 1.0.4 that can lead to execution of arbitrary code or a DoS against the affected server. A programming error in the xlog function may be exploited by an attacker who sends RPC requests to mountd that do not contain any newline characters. This causes a buffer to overflow, giving the attacker the opportunity to execute code. |
Affected Systems | Systems using Linux NFS Utils prior to version 1.0.4. |
Attack Scenarios | An attacker may send a specially crafted RPC request or mount command to the NFS server that does not contain any newline characters. |
Ease of Attack | Moderate. |
Corrective Action | Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. Upgrade to the latest non-affected version of the software. Apply the appropriate vendor-supplied patches. |
Additional References | |
Rule References | bugtraq: 8179 cve: 2003-0252 nessus: 11800 |
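
The newline condition described under Detailed Information, as an added example (not nfs-utils source and not part of the original rule documentation): CVE-2003-0252 is publicly described as an off-by-one error, and this sketch models a logger that appends a missing newline without a bounds check beside a bounds-checked form. `LOG_BUF`, `unchecked_bytes_touched` and `log_line_checked` are hypothetical names, and the buffer size and input are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define LOG_BUF 16  /* assumed demo size, not the real nfs-utils buffer size */

/* Models the unchecked append  buf[n++] = '\n'; buf[n++] = '\0';  that runs
 * after the message was formatted (and truncated) into buf[size].
 * Returns how many bytes of buf the pattern touches; > size is an overflow. */
static size_t unchecked_bytes_touched(size_t size, const char *msg)
{
    size_t n = strlen(msg);
    if (n > size - 1)
        n = size - 1;                   /* formatter truncates to size-1 chars */
    if (n > 0 && msg[n - 1] != '\n')
        return n + 2;                   /* message + '\n' + '\0' */
    return n + 1;                       /* message + '\0' */
}

/* Hardened form: reserve room for '\n' and '\0' before appending.
 * Returns the final string length. */
static size_t log_line_checked(char *buf, size_t size, const char *msg)
{
    size_t n;
    if (size < 2)
        return 0;                       /* no room for newline + terminator */
    snprintf(buf, size, "%s", msg);     /* truncates and NUL-terminates */
    n = strlen(buf);
    if (n > 0 && buf[n - 1] != '\n') {
        if (n > size - 2)
            n = size - 2;               /* drop one message byte, stay in bounds */
        buf[n++] = '\n';
        buf[n] = '\0';
    }
    return n;
}

int main(void)
{
    char buf[LOG_BUF];
    const char *req = "AAAAAAAAAAAAAAAAAAAA";  /* constructed input, no newline */
    printf("unchecked touches %zu of %d bytes\n",
           unchecked_bytes_touched(LOG_BUF, req), LOG_BUF);
    printf("checked length %zu\n", log_line_checked(buf, sizeof buf, req));
    return 0;
}
```

Only a message that fills the buffer and lacks a trailing newline pushes the unchecked append one byte past the end; shorter messages and messages that already end in a newline stay in bounds.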
--
DID:816770