CVE-2016-1243

9.8 CRITICAL

📋 TL;DR

CVE-2016-1243 is a critical stack-based buffer overflow in unADF's extractTree function that allows remote attackers to execute arbitrary code by supplying a crafted ADF image containing an overly long pathname. It affects any system that uses unADF to extract Amiga Disk Files and can lead to complete system compromise. The vulnerability is particularly dangerous because exploitation requires no authentication: a victim only has to extract an attacker-supplied image.

💻 Affected Systems

Products:
  • unADF
Versions: All versions prior to patched versions in Debian/Ubuntu repositories
Operating Systems: Linux distributions including Debian, Ubuntu
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing ADF files with long pathnames, affecting any system using unADF for extraction.

📦 What is this software?

unADF is a command-line utility that lists and extracts the contents of Amiga Disk Files (.adf floppy-disk images); it is built on ADFlib and is packaged by Debian and Ubuntu as unadf.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with root privileges leading to complete system takeover, data theft, and persistent backdoor installation.

🟠

Likely Case

Remote attacker gains shell access on vulnerable system, potentially escalating privileges to root and establishing persistence.

🟢

If Mitigated

With proper network segmentation and least privilege, impact limited to the unADF process context and isolated system.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication via crafted ADF files.
🏢 Internal Only: MEDIUM - Requires user interaction or automated processing of malicious ADF files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public patch reveals exploitation method; buffer overflow with long pathname is straightforward to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Debian: unADF 0.7.11a-2+deb8u1, Ubuntu: See security updates

Vendor Advisory: http://www.debian.org/security/2016/dsa-3676

Restart Required: No

Instructions:

1. Update package: sudo apt-get update && sudo apt-get install unadf
2. Verify version: unadf --version
3. Ensure version is patched (0.7.11a-2+deb8u1 or later for Debian 8)

🔧 Temporary Workarounds

Disable unADF usage

linux

Remove or disable unADF if not required for operations

sudo apt-get remove unadf

Input validation wrapper

linux

Create a wrapper script that rejects over-long command-line arguments before invoking unADF. Note that this guards only the arguments given on the host side; the overflow is triggered by pathnames stored inside the ADF image itself, so this is a partial measure and the patched package remains the real fix.

#!/bin/bash
# Reject any command-line argument (image path, extract directory, file selection) longer than 255 bytes
for arg in "$@"; do
  if [ ${#arg} -gt 255 ]; then echo "Path too long: $arg" >&2; exit 1; fi
done
exec unadf "$@"
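Because the dangerous pathnames live inside the image rather than on the command line, a more useful pre-check lists the image first and refuses to extract when any entry path exceeds the limit. The script below is an added example, not part of the advisory or of the unADF project. It assumes that `unadf -l IMAGE` prints one entry per line as "<size>  YYYY/MM/DD  HH:MM:SS  <path>" (size blank for directories) after a few header lines, that listing an image does not itself exercise the vulnerable extraction code, and it keeps the advisory's 255-byte limit (MAX_PATH_LEN is a hypothetical variable). The sample listing is constructed so the script can be exercised without an ADF image or unadf installed.

```shell
#!/bin/sh
# Added example: refuse to extract an ADF image whose listing contains an entry
# path longer than MAX_PATH_LEN bytes. Not from the advisory or the unADF project.
# Assumed `unadf -l` line format: "<size>  YYYY/MM/DD  HH:MM:SS  <path>".
MAX_PATH_LEN="${MAX_PATH_LEN:-255}"   # hypothetical knob; 255 matches the advisory's wrapper

# longest_entry_path: read a `unadf -l` listing on stdin and print the length of the
# longest entry path. Header lines (no HH:MM:SS timestamp) are ignored.
longest_entry_path() {
    awk '
        match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9] +/) {
            path = substr($0, RSTART + RLENGTH)      # everything after the timestamp
            if (length(path) > max) max = length(path)
        }
        END { print max + 0 }'
}

# listing_is_safe LIMIT  (listing on stdin): succeed only if every entry path fits
listing_is_safe() {
    limit="$1"
    longest="$(longest_entry_path)"
    [ "$longest" -le "$limit" ]
}

# safe_unadf IMAGE [unadf options...]: list first, extract only if the listing is safe
safe_unadf() {
    image="$1"; shift
    if ! unadf -l "$image" | listing_is_safe "$MAX_PATH_LEN"; then
        echo "refusing to extract $image: an entry path exceeds $MAX_PATH_LEN bytes" >&2
        return 1
    fi
    unadf "$@" "$image"
}

# Constructed sample listing (header line plus three entries) for offline testing
SAMPLE_LISTING='unADF v1.0 : a unzip like for .ADF files, powered by ADFlib (v0.7.11)
         2016/09/27  10:00:00  Devs/
   1234  2016/09/27  10:00:01  Devs/system-configuration
    512  2016/09/27  10:00:02  S/Startup-Sequence'

# Run with --selftest to check the parser on the constructed listing (prints 25)
if [ "${1:-}" = "--selftest" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | longest_entry_path
fi
```

Use it as `safe_unadf image.adf -d outdir`, running as an unprivileged user in a restricted container as the advisory recommends; the listing pass is cheap compared with a full extraction, and any image whose entry paths approach the buffer limit is simply not extracted.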

🧯 If You Can't Patch

  • Network segmentation: Isolate systems using unADF from untrusted networks
  • Least privilege: Run unADF with non-root privileges and in restricted containers

🔍 How to Verify

Check if Vulnerable:

Check unADF version: dpkg -l | grep unadf or unadf --version

Check Version:

unadf --version 2>/dev/null || dpkg -l | grep unadf

Verify Fix Applied:

Verify installed version matches patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Failed extraction attempts with unusually long filenames
  • Process crashes of unadf

Network Indicators:

  • Inbound ADF file transfers to systems with unADF

SIEM Query:

process:name="unadf" AND (event_type:crash OR cmdline:"*long_pathname*")
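The crash indicator above can be turned into a concrete host-side check. The script below is an added example, not part of the advisory; it scans syslog-style lines for the standard Linux kernel segfault message ("unadf[PID]: segfault at ADDR ip ... sp ... error N in unadf[...]") and the systemd-coredump message ("Process PID (unadf) of user UID dumped core.") and emits one normalized alert per unadf crash. The log lines it is run against are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the advisory): flag unadf crashes in syslog-style logs.
# Relies on the Linux kernel segfault message format and the systemd-coredump
# "dumped core" message; sample lines below are constructed.

# unadf_crash_alerts: read log lines on stdin, print "ALERT host=... pid=... " per crash
unadf_crash_alerts() {
    awk '
        # kernel line: "... host kernel: [...] unadf[4242]: segfault at ADDR ip ... error N in unadf[...]"
        match($0, /unadf\[[0-9]+\]: segfault at /) {
            pid = substr($0, RSTART + 6)              # text after the first "unadf["
            sub(/\].*/, "", pid)                       # keep only the PID
            addr = $0; sub(/.*segfault at /, "", addr); sub(/ .*/, "", addr)
            printf "ALERT host=%s pid=%s unadf segfault at %s\n", $4, pid, addr
            next
        }
        # systemd-coredump line: "Process 4242 (unadf) of user 1000 dumped core."
        /Process [0-9]+ \(unadf\) of user [0-9]+ dumped core/ {
            pid = $0; sub(/.*Process /, "", pid); sub(/ .*/, "", pid)
            printf "ALERT host=%s pid=%s unadf dumped core\n", $4, pid
        }'
}

# unadf_crash_count: number of alerts for the log lines on stdin
unadf_crash_count() {
    unadf_crash_alerts | awk 'END { print NR }'
}

# Constructed sample log: one unadf segfault, its core dump, and two unrelated lines
SAMPLE_LOG='Sep 27 10:01:02 host1 kernel: [ 1234.567890] unadf[4242]: segfault at 0000000100000000 ip 0000000000401a2c sp 00007ffd1234abcd error 14 in unadf[400000+6000]
Sep 27 10:01:03 host1 systemd-coredump[4243]: Process 4242 (unadf) of user 1000 dumped core.
Sep 27 10:02:00 host1 sshd[300]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Sep 27 10:03:00 host1 kernel: [ 1300.000000] firefox[555]: segfault at 0 ip 00007f0000001000 sp 00007f0000002000 error 4 in libxul.so[7f0000000000+3000000]'

# Run with --selftest to scan the constructed sample (prints two ALERT lines)
if [ "${1:-}" = "--selftest" ]; then
    printf '%s\n' "$SAMPLE_LOG" | unadf_crash_alerts
fi
```

In production, feed it from `journalctl -k` or /var/log/syslog (for example via a cron job or a log-shipper exec input) and forward the ALERT lines to the SIEM; a segfault in unadf on a host that processes externally supplied ADF files is worth treating as a possible exploitation attempt rather than a plain software fault.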

🔗 References