LinuxNode Format String and Overflow Flaws Yield Root Access to Remote Users

SecurityTracker Alert ID: 1007595
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 29 2003

Impact: Execution of arbitrary code via network, Root access via network

Fix Available: Yes

Vendor Confirmed: Yes

Version(s): prior to 0.3.2

Description: Some buffer overflow and format string vulnerabilities were reported in the LinuxNode amateur radio packet node software. A remote user can gain root privileges on the system.

It is reported that a remote user can send specially crafted data to the LinuxNode daemon to cause arbitrary code to be executed with root privileges.

The flaws include a format string vulnerability in 'ipc.c', where user-supplied input is passed to the node_msg() function without the appropriate format string specifier.

Another format string flaw is reported in 'util.c', where a syslog() call is made without the format string specifier.
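The missing-specifier pattern behind both format string flaws, next to its corrected form. This is an added example, not LinuxNode's code: msg_render() and log_user_line() are hypothetical names, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical printf-style helper standing in for a function such as
 * node_msg(); the real signature is not shown in the advisory.
 * The format attribute lets gcc/clang flag callers that pass a
 * non-literal format (-Wformat -Wformat-security). */
__attribute__((format(printf, 3, 4)))
static int msg_render(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern (shown only as a comment, never executed):
 *     msg_render(out, outlen, user_input);
 *     syslog(LOG_INFO, user_input);
 * Conversions inside user_input are then interpreted by the formatter.
 *
 * Corrected pattern: the format is a constant and untrusted data is
 * only ever an argument. Returns the length written, or -1 if the
 * line did not fit (the output is truncated, never overrun). */
int log_user_line(char *out, size_t outlen, const char *user_input)
{
    int n = msg_render(out, outlen, "%s", user_input);
    syslog(LOG_INFO, "%s", user_input);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char line[64];
    const char *constructed = "%x%x%n";  /* constructed sample input */
    int n = log_user_line(line, sizeof line, constructed);
    printf("%d bytes logged literally: %s\n", n, line);
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler report calls written in the flawed form.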

Another flaw is reported to be a buffer overflow in calling the expand_string() function.

'cmdparse.c' also contains a flaw.

Morgan (SM6TKY) is credited with discovering and fixing these vulnerabilities.

Impact: A remote user can execute arbitrary code on the system with root level privileges.

Solution: The vendor has released a fixed version (0.3.2), available at:

http://hes.iki.fi/pub/ham/unix/linux/ax25/

Vendor URL: hes.iki.fi/pub/ham/unix/linux/ax25/

Cause: Boundary error, Input validation error

Underlying OS: Linux (Any)



Message History: This archive entry has one or more follow-up message(s) listed below.
Aug 29 2003 (Debian Issues Fix) LinuxNode Format String and Overflow Flaws Yield Root Access to Remote Users (joey@infodrom.org (Martin Schulze))
Debian has released a fix.