Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:2184 |
| Message | RPC mountd TCP mount path overflow attempt |
| Summary | This event is generated when an attempt is made to exploit a known vulnerability in the xlog function of certain Linux NFS Utils packages. Specifically this event is generated when TCP is used as the attack medium. |
| Impact | Denial of Service (DoS), possible arbitrary code execution. |
| Detailed Information | The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. A vulnerability exists in some versions of the Linux NFS Utilities package prior to 1.0.4 that can lead to the possible execution of arbitrary code or a DoS against the affected server. A programming error in the xlog function may be exploited by an attacker by sending RPC requests to mountd that do not contain any newline characters. This causes a buffer to overflow thus presenting the attacker with the opportunity to execute code. |
| Affected Systems | Systems using Linux NFS Utils prior to version 1.0.4. |
| Attack Scenarios | An attacker may send a specially crafted RPC request or mount command to the NFS server that does not contain any newline characters. |
| Ease of Attack | Moderate. |
| Corrective Action | Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. Upgrade to the latest non-affected version of the software. Apply the appropriate vendor supplied patches. |
| Additional References | |
| Rule References | bugtraq: 8179 cve: 2003-0252 nessus: 11800 |
--
DID:816770
--
http://www.aanval.com/