|
Vulnerability gnuserv/XEmacs Affected gnuserv/XEmacs prior to 3.12 Description Jan Vroonhof posted following. All currently available versions of gnuserv for unix prior to 3.12 are vulnerable to remote exploit due to a buffer overflow and weak security. Gnuserv is a remote control facility for Emacsen. Gnuserv ships with XEmacs but is also available stand-alone from various sources for use with GNU Emacs. An attacker can excute remote commands with the uid of the user that is running gnuserv. This problem was discovered by Klaus Frank. Klaus provided a fix as well. gnuserv/gnuclient is a pair of utility programs used to sent commands to an already running Emacs process. gnuserv is the helper binary used by the running Emacs to listen for commands. It must be started explicitly using the gnuserv-start command (However we have seen many icons for XEmacs in UI's start "xemacs -f gnuserv" so it is not always obvious to the user he is running gnuserv). gnuserv can use several different communication mechanisms, one of them being a tcp port. This can be switched off at compile time, but defaults to on. If enabled gnuserv binds to a user specified TCP port, with the default being (21490 + uid). Note that (if enabled) gnuserv _always_ listens for TCP connections, even if one of the other mechanisms is normally used by the user. Connections on the gnuserv port are authenticated either against a list of trusted hosts or using a MIT-MAGIC-COOKIE based system. (MIT-MAGIC_COOKIE authentication can be switched of, but again is the default.) The problem lies in the fact that the gnuserv program trusts the remote sides specification for the lenght of the cookie without any sanity checking. This allows the attacker to: 1. Overflow the buffer used to hold a copy of the cookie. 2. Force the comparison of the cookies to be restricted to a prefix of a length chosen by him, e.g. 1 byte, making bruteforcing the authentication trivial. Both problems are sufficient to give any attacker easy access to running arbitrary commands under the uid of the user running gnuserv. Unfortunately gnuserv has rather a complicated history. gnuserv was origionally written by Andy Norman (ange). The problematic Xauth based authentication was later added by somebody else. As ange effectively stopped maintaining his version (gnuserv-2.1alpha.tar.gz) various people have put up their own modified copies. That includes among others the version shipped with XEmacs and fgnuserv by Noah Friedman, which is an easier to compile stand-alone version. After a recent rewrite the XEmacs version the official verion (with permission form Andy Norman), and bumped the version number to the 3.x range. Martin Schwenke has made a backport of this version for use with Emacs using fgnuserv's build mecahnism. All of the above versions should be assumbed vulnerable, including those shipped with XEmacs 21.1.x for x < 14. As a test run strings gnuserv | grep "gnuserv version" If this gives either nothing or a version below 3.12, then you are vulnerable. Solution There is a seperate fork for gnuserv on windows for use with NTEmacs. This is not vulnerable as it uses a completely different communication channel. This is, however, unconfirmed. A fix by Klaus Frank is in gnuserv 3.12. If you are using XEmacs we suggest upgrading to XEmacs 21.1.14 that contains this version (or 21.2.43 if you are running betas). This version can be had from http://www.xemacs.org/Releases/21.1.14.html or mirrors. If you are using a standalone gnuserv with GNU Emacs on unix we suggest getting Martin Schwenkes fixed version from http://www.linuxcare.com.au/people/martins/hacks/emacs/src/gnuserv-3.12.1.tar.gz For RedHat: ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-21.1.14-2.62.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-el-21.1.14-2.62.alpha.rpm ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-info-21.1.14-2.62.alpha.rpm ftp://updates.redhat.com/powertools/6.2/i386/xemacs-21.1.14-2.62.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/xemacs-el-21.1.14-2.62.i386.rpm ftp://updates.redhat.com/powertools/6.2/i386/xemacs-info-21.1.14-2.62.i386.rpm ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-21.1.14-2.62.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-el-21.1.14-2.62.sparc.rpm ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-info-21.1.14-2.62.sparc.rpm