2.1 CVE-2011-3149

Exploit Buffer Overflow Patch Ransomware Risk

 

The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c) in Linux-PAM (aka pam) before 1.1.5 does not properly handle when environment variable expansion can overflow, which allows local users to cause a denial of service (CPU consumption).
https://nvd.nist.gov/vuln/detail/CVE-2011-3149

Categories

CWE-119 : Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. The "buffer overflow" term has many different meanings to different audiences. From a CWE mapping perspective, this term should be avoided where possible. Some researchers, developers, and tools intend for it to mean "write past the end of a buffer," whereas other use the same term to mean "any read or write outside the boundaries of a buffer, whether before the beginning of the buffer or after the end of the buffer." Still others using the same term could mean "any action after the end of a buffer, whether it is a read or write." Since the term is commonly used for exploitation and for vulnerabilities, it further confuses things. Some prominent vendors and researchers use the term "buffer overrun," but most people use "buffer overflow." See the alternate term for "buffer overflow" for context. "Memory safety" is generally used for techniques that avoid weaknesses related to memory access, such as those identified by CWE-119 and its descendants. However, the term is not formal, and there is likely disagreement between practitioners as to which weaknesses are implicitly covered by the "memory safety" term. This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61]. Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available. Incorrect URI normalization in application traffic product leads to buffer overflow, as exploited in the wild per CISA KEV. Buffer overflow in Wi-Fi router web interface, as exploited in the wild per CISA KEV. Classic stack-based buffer overflow in media player using a long entry in a playlist Heap-based buffer overflow in media player using a long entry in a playlist large precision value in a format string triggers overflow negative offset value leads to out-of-bounds read malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption chain: lack of synchronization leads to memory corruption Chain: machine-learning product can have a heap-basedbuffer overflow (CWE-122) when some integer-oriented bounds arecalculated by using ceiling() and floor() on floating point values(CWE-1339) attacker-controlled array index leads to code execution chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead. chain: incorrect calculations lead to incorrect pointer dereference and memory corruption product accepts crafted messages that lead to a dereference of an arbitrary pointer chain: malformed input causes dereference of uninitialized memory OS kernel trusts userland-supplied length value, allowing reading of sensitive information Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology. buffer overflow involving a regular expression with a large number of captures chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:linux-pam:linux-pam:0.99.1.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.2.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.2.1:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.3.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.4.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.5.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.6.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.6.1:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.6.2:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.6.3:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.7.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.7.1:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.8.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.8.1:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.9.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:0.99.10.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:linux-pam:linux-pam:*:*:*:*:*:*:*:* <= 1.1.4

Exploits

id description date
No known exploits

CAPEC

id description severity
123 Buffer Manipulation
Very High
46 Overflow Variables and Tags
High
9 Buffer Overflow in Local Command-Line Utilities
High
47 Buffer Overflow via Parameter Expansion
High
24 Filter Failure through Buffer Overflow
High
8 Buffer Overflow in an API Call
High
100 Overflow Buffers
Very High
44 Overflow Binary Resource File
Very High
42 MIME Conversion
High
45 Buffer Overflow via Symbolic Links
High
10 Buffer Overflow via Environment Variables
High
14 Client-side Injection-induced Buffer Overflow
High

Sherlock® flash

Take a picture of your computer network in a few clicks !

The Sherlock® flash audit solution allows you to perform an audit to strengthen the security of your IT assets. Vulnerability analysis of your physical and virtual equipment. Patch planning by priority level and time available. Detailed and intuitive reporting.

Discover this offer

Sherlock® flash: 1st instant cybersecurity audit solution