CVE-2013-4256

Public Exploit

Description

Multiple stack-based and heap-based buffer overflows in Network Audio System (NAS) 1.9.3 allow local users to cause a denial of service (crash) or possibly execute arbitrary code via the (1) display command argument to the ProcessCommandLine function in server/os/utils.c; (2) ResetHosts function in server/os/access.c; (3) open_unix_socket, (4) open_isc_local, (5) open_xsight_local, (6) open_att_local, or (7) open_att_svr4_local function in server/os/connection.c; the (8) AUDIOHOST environment variable to the CreateWellKnownSockets or (9) AmoebaTCPConnectorThread function in server/os/connection.c; or (10) unspecified vectors related to logging in the osLogMsg function in server/os/aulog.c.

References

Link	Tags
http://www.openwall.com/lists/oss-security/2013/08/19/3	mailing list patch
http://radscan.com/pipermail/nas/2013-August/001270.html	mailing list exploit
http://www.openwall.com/lists/oss-security/2013/08/16/2	mailing list patch
http://sourceforge.net/p/nas/code/288	patch exploit
http://www.debian.org/security/2013/dsa-2771	vendor advisory
http://www.securityfocus.com/bid/61848	vdb entry
http://www.ubuntu.com/usn/USN-1986-1	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2013-4256?: CVE-2013-4256 has been scored as a medium severity vulnerability.
How to fix CVE-2013-4256?: To fix CVE-2013-4256, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2013-4256 being actively exploited in the wild?: It is possible that CVE-2013-4256 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer

References

Frequently Asked Questions