
NILESA-20050101.txt

Posted Jan 12, 2005
Authored by Yun Jonglim | Site nilesoft.co.kr

SCO UnixWare mountd suffers from a denial of service vulnerability. Versions 7.1.4, 7.1.3, 7.1.1, and 7.0.1 are affected.

tags | advisory, denial of service
systems | unixware
advisories | CVE-2004-1039
SHA-256 | 2abd68286135616dddfa95724b7ef045c27b565df8b1b2e6c23e36686593305e



================================================================================
NileSOFT Security Advisory
--------------------------------------------------------------------------------
ID      : NILESA-20050101
Title   : Denial of Service vulnerability due to the mountd bug
Vendor  : SCO
URL     : www.sco.com
Product : UnixWare 7.1.4, 7.1.3, 7.1.1, 7.0.1 (and maybe other versions)
Severity: Moderate
Local   : Yes
Remote  : Yes
Date    : 11 Jan. 2005
CVE ID  : CAN-2004-1039
Author  : Yun Jonglim / NileSOFT. Ltd (www.nilesoft.co.kr)
================================================================================


1. SUMMARY

The NFS mountd service on UnixWare is normally started by the RC script
(/etc/rc3.d/S22nfs) when the NFS server system boots into run-level 3.

When the NFS mountd service is instead run by inetd and an NFS mount related
request is received from a remote (or local) host, inetd repeatedly creates
the mountd process and, as a result, memory consumption keeps growing.


2. VULNERABILITY DESCRIPTION

The UnixWare operating system provides the NFS mountd service through the
RC script (/etc/rc3.d/S22nfs) by default. However, as shown below, the service
is also registered in the inetd.conf configuration file so that the inetd
daemon can provide it as well.

# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
#mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd


By default, the mountd entry in inetd.conf is commented out (disabled), but
the service can be enabled by removing the leading '#' character and
restarting inetd, like below:

# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd


When the NFS mountd service is configured to be run by inetd in this way,
the mountd process is started whenever an NFS mount related request is
received from a remote (or local) host, for example:

showmount -e <affected_ip>

However, inetd does not create just one instance of the mountd process for
the request but creates the process repeatedly. As a result, system memory
usage increases over time.

The same problem occurs regardless of which line or lines have the '#'
character removed. This problem has been confirmed for UnixWare versions
7.1.4 through 7.0.1; other versions may also be affected.
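A defender-side check for the configuration described above, added here as an example and not part of the NileSOFT advisory: it parses inetd.conf entries in the field layout the advisory quotes, reports any uncommented RPC mountd entry, and counts mountd processes in ps output to spot the runaway growth. The inetd.conf sample is built from the advisory's fragment with the in.tcpd line enabled; the ps excerpt is constructed and assumes a 'ps -ef' layout with the command path in the last column.

```python
import os

# Constructed sample of inetd.conf, built from the fragment quoted in the
# advisory, with the in.tcpd line uncommented (the risky, enabled state).
SAMPLE_INETD_CONF = """\
# The mount server is usually started in /etc/rc.local only on machines that
# are NFS servers. It can be run by inetd as well.
#
mountd/1 dgram rpc/udp wait root /usr/sbin/in.tcpd /usr/lib/nfs/mountd
#mountd/1 dgram rpc/udp wait root /usr/lib/nfs/mountd mountd
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
"""

def parse_inetd_conf(text):
    """Split inetd.conf into entries; comment and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            continue  # not a complete inetd entry
        entries.append({"line": lineno, "service": fields[0],
                        "socktype": fields[1], "proto": fields[2],
                        "wait": fields[3], "user": fields[4],
                        "program": fields[5], "args": fields[6:]})
    return entries

def enabled_mountd_entries(text):
    """Uncommented RPC mountd entries: the state the advisory warns about."""
    return [e for e in parse_inetd_conf(text)
            if e["service"].split("/")[0] == "mountd"
            and e["proto"].startswith("rpc/")]

def count_mountd_processes(ps_output):
    """Count mountd processes in 'ps -ef'-style output (assumed layout:
    command path in the last column) to spot the runaway growth."""
    return sum(1 for fields in (l.split() for l in ps_output.splitlines())
               if fields and os.path.basename(fields[-1]) == "mountd")

# Constructed 'ps -ef' excerpt: three mountd children spawned by inetd.
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   212     1  0   Jan 11 ?        0:00 /usr/sbin/inetd
    root   980   212  0 10:02:11 ?        0:00 /usr/lib/nfs/mountd
    root   981   212  0 10:02:11 ?        0:00 /usr/lib/nfs/mountd
    root   982   212  0 10:02:12 ?        0:00 /usr/lib/nfs/mountd
"""
```

Running enabled_mountd_entries over a real /etc/inetd.conf flags the line to re-comment; a rising count_mountd_processes value on a host that only serves NFS from the RC script is the symptom the advisory describes.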


3. IMPACT

As the number of mountd processes grows, the system's memory becomes
exhausted, ultimately resulting in a system crash.


4. REMEDY

Installation of the fixed binary packages addresses this vulnerability.
Packages can be downloaded from the following FTP site:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.1

SCO has released Security Advisory SCOSA-2005.1:
http://www.sco.com/support/security/index.html


5. DISCLOSURE TIMELINE

2004/10/22 Vulnerability found and analysed
2004/11/08 CVE notified and candidate number reservation requested
2004/11/16 CVE candidate reserved
2004/11/16 Vendor notified and initial response
2005/01/07 Vendor confirmed and patch prepared
2005/01/11 Advisory released


6. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-1039 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.