
Integer overflow in Sun RPC XDR library routines (CIAC N-059)


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Integer overflow in Sun RPC XDR library routines
                          [CERT® Advisory CA-2003-10]

March 19, 2003 21:00 GMT                                          Number N-059
[REVISED 11 APR 2003]
[REVISED 16 Oct 2003]
______________________________________________________________________________
PROBLEM:       There is an integer overflow in the xdrmem_getbytes() function
               distributed as part of the Sun Microsystems XDR library. This
               overflow can cause remotely exploitable buffer overflows in
               multiple applications, leading to the execution of arbitrary
               code.
AFFECTED       Sun Microsystems network services library (libnsl) 
SOFTWARE:      BSD-derived libraries with XDR/RPC routines (libc) 
               GNU C library with sunrpc (glibc)
               Hewlett Packard libc.1
DAMAGE:        Exploiting this vulnerability could lead to denial of service,
               possibly gaining root privileges, execution of arbitrary code,
               or the disclosure of sensitive information.
SOLUTION:      Check with your vendor for platform-specific patches or other
               solutions.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Specific impacts reported include the ability
ASSESSMENT:    to crash the rpcbind service and possibly execute arbitrary
               code with root privileges. In addition, intruders may be able
               to crash the MIT KRB5 kadmind or cause it to leak sensitive
               information, such as secret keys.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-059.shtml
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2003-10.html
                     Monitor the CERT Advisory for vendor updates.
 ADDITIONAL LINKS:   Red Hat updated glibc packages (not included in CERT's 
                     Advisory).
                     https://rhn.redhat.com/errata/RHSA-2003-089.html
                     Visit Hewlett Packard Subscription Section for:
                     HPSBUX0303-252 SSRT2439 (rev. 7)
______________________________________________________________________________
REVISION HISTORY:
10/16/03 - added Hewlett Packard's link for HPSBUX0303-252 SSRT2439 (rev. 7)


[***** Start CERT® Advisory CA-2003-10 *****]

CERT® Advisory CA-2003-10 Integer overflow in
Sun RPC XDR library routines

Original release date: March 19, 2003
Last revised: -- 
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Applications using vulnerable implementations of SunRPC-derived XDR libraries, 
which include 

  Sun Microsystems network services library (libnsl) 
  BSD-derived libraries with XDR/RPC routines (libc) 
  GNU C library with sunrpc (glibc) 


Overview

There is an integer overflow in the xdrmem_getbytes() function distributed 
as part of the Sun Microsystems XDR library. This overflow can cause 
remotely exploitable buffer overflows in multiple applications, leading to 
the execution of arbitrary code. Although the library was originally 
distributed by Sun Microsystems, multiple vendors have included the vulnerable 
code in their own implementations. 


I. Description

XDR (external data representation) libraries are used to provide 
platform-independent methods for sending data from one system process to another, 
typically over a network connection. Such routines are commonly used in remote 
procedure call (RPC) implementations to provide transparency to application 
programmers who need to use common interfaces to interact with many different 
types of systems. The xdrmem_getbytes() function in the XDR library provided by 
Sun Microsystems contains an integer overflow that can lead to improperly sized 
dynamic memory allocation. Depending on how and where the vulnerable
xdrmem_getbytes() function is used, subsequent problems like buffer overflows 
may result. 

Researchers at eEye Digital Security discovered this vulnerability and have 
also published an advisory. This issue is currently being tracked as VU#516825 
by the CERT/CC and as CAN-2003-0028 in the Common Vulnerabilities and Exposures 
(CVE) dictionary. Note that this vulnerability is similar to, but distinct 
from, VU#192995. 

II. Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors in a 
variety of applications, this defect may lead to a number of security problems. 
Exploiting this vulnerability will lead to denial of service, execution of 
arbitrary code, or the disclosure of sensitive information. 

Specific impacts reported include the ability to crash the rpcbind service and 
possibly execute arbitrary code with root privileges. In addition, intruders may 
be able to crash the MIT KRB5 kadmind or cause it to leak sensitive information, 
such as secret keys. 

III. Solution

Apply a patch from your vendor

Apply the appropriate patch or upgrade as specified by your vendor. See 
Appendix A below and the Systems Affected section of VU#516825 for 
further information. 

Note that XDR libraries can be used by multiple applications on most systems. 
It may be necessary to upgrade or apply multiple patches and then recompile 
statically linked applications. 

Applications that are statically linked must be recompiled using patched 
libraries. Applications that are dynamically linked do not need to be recompiled; 
however, running services need to be restarted in order to use the patched 
libraries. 

System administrators should consider the following process when addressing 
this issue: 

1. Patch or obtain updated XDR/RPC libraries. 
2. Restart any dynamically linked services that make use of the XDR/RPC libraries. 
3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries. 

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable 
access to services or applications compiled with the vulnerable 
xdrmem_getbytes() function. 

As a best practice, the CERT/CC recommends disabling all services that are 
not explicitly required. 

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. 
As vendors report new information to the CERT/CC, we will update this section 
and note the changes in our revision history. If a particular vendor is not 
listed below, we have not received their comments. 

Apple Computer, Inc.

Mac OS X and Mac OS X Server do not contain the vulnerabilities described 
in this report. 

Cray, Inc.

Cray Inc. may be vulnerable and has opened SPRs 724153 and 724154 to 
investigate. 

Fujitsu

We are currently investigating how the vulnerability reported under VU#516825 
affects the Fujitsu UXP/V O.S. We will update this statement as soon as new 
information becomes available. 

GNU glibc

Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also 
vulnerable. The following patches have been installed into the CVS sources, 
and should appear in the next version of the GNU C Library. These patches are 
also available from the following URLs:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc 

   2002-12-16  Roland McGrath  

        * sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
        * sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
        * sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.

   2002-12-13  Paul Eggert  

        * sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
        is now u_int, not int.
        (struct XDR.x_handy): Now u_int, not int.
        * sunrpc/xdr_mem.c: Include .
        (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
        xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
        x_handy is now unsigned, not signed.
        Do not decrement x_handy if no change is made.
        (xdrmem_setpos): Check for int overflow.
        * sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
        (xdr_sizeof): Remove cast that is now unnecessary, now that
        x_handy is unsigned.


[ text of diffs available in the links included above --CERT/CC ] 
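The following is an added illustration of the signed/unsigned length check that Section I and the glibc ChangeLog above describe; it models the pattern, not glibc's actual xdr_mem.c. The `xdr_vuln`/`xdr_fixed` structs and the `*_accepts` wrappers are constructed for this example, and no copy is performed, only the bounds decision.

```c
/* Added illustration of the length check described in CA-2003-10 and in
 * the glibc ChangeLog above. It models the pattern, not glibc's source:
 * the pre-fix shape decrements a signed x_handy and tests the sign; the
 * post-fix shape keeps x_handy unsigned and compares before subtracting. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the XDR memory stream: bytes still available (x_handy)
 * and a cursor into the backing buffer. Constructed for this example. */
struct xdr_vuln  { int      x_handy; size_t pos; };  /* signed count, pre-fix   */
struct xdr_fixed { uint32_t x_handy; size_t pos; };  /* unsigned count, post-fix */

/* Pre-fix shape. With int x_handy and unsigned len, the subtraction is
 * carried out in unsigned arithmetic and only then stored back as int,
 * so a len close to 2^32 wraps to a small positive remainder, the sign
 * test passes, and the real routine would go on to memcpy() len bytes. */
static bool getbytes_check_vuln(struct xdr_vuln *x, uint32_t len)
{
    if ((x->x_handy -= len) < 0)
        return false;                 /* only catches "ordinary" overruns */
    x->pos += len;
    return true;
}

/* Post-fix shape, as the ChangeLog describes: x_handy is unsigned, the
 * comparison happens before the subtraction (both operands unsigned, no
 * wrap), and x_handy is left untouched when the request is refused. */
static bool getbytes_check_fixed(struct xdr_fixed *x, uint32_t len)
{
    if (x->x_handy < len)
        return false;
    x->x_handy -= len;
    x->pos += len;
    return true;
}

/* Does each check accept a request for `len` bytes when `handy` remain? */
static bool vuln_accepts(int handy, uint32_t len)
{
    struct xdr_vuln x = { handy, 0 };
    return getbytes_check_vuln(&x, len);
}

static bool fixed_accepts(uint32_t handy, uint32_t len)
{
    struct xdr_fixed x = { handy, 0 };
    return getbytes_check_fixed(&x, len);
}

int main(void)
{
    /* Constructed inputs: 100 bytes left in the stream and a length
     * field of 0xFFFFFFFF, as a malformed RPC request could carry. */
    printf("pre-fix  accepts len=0xFFFFFFFF with 100 bytes left: %d\n",
           vuln_accepts(100, 0xFFFFFFFFu));   /* 1: check bypassed */
    printf("post-fix accepts len=0xFFFFFFFF with 100 bytes left: %d\n",
           fixed_accepts(100, 0xFFFFFFFFu));  /* 0: refused */
    return 0;
}
```

The wrap only happens for lengths within `x_handy` of 2^32, which is why MIT's note above ties the kadmind crash to allocating a very large buffer before the copy.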

Hewlett-Packard Company

RE: HP Case ID SSRT2439 

At the time of writing this document, Hewlett Packard is currently 
investigating the potential impact to HP's released Operating
System software products. 

As further information becomes available HP will provide notice of the 
availability of any necessary patches through standard security bulletin 
announcements and be available from your normal HP Services support channel. 

Hitachi

Hitachi's GR2000 gigabit router series - is NOT vulnerable.

IBM Corporation

The AIX operating system is vulnerable to the issues discussed in CERT 
vulnerability note VU#516825 in releases 4.3.3, 5.1.0 and 5.2.0. 

  IBM provides the following official fixes: 

                      APAR number for AIX 4.3.3: IY38524
                      APAR number for AIX 5.1.0: IY38434
                      APAR number for AIX 5.2.0: IY39231

  Please contact your local IBM AIX support center for any assistance. 

Ingrian Networks

Ingrian Networks products are not susceptible to the vulnerabilities in 
VU#516825. 

MIT Kerberos Development Team 

It may be possible for a remote attacker to exploit an integer overflow in 
xdrmem_getbytes() to crash the kadmind server process by a read segmentation 
fault. For this to succeed, the kadmind process must be able to allocate 
more than MAX_INT bytes of memory. This is believed to be unlikely, as most 
installations are not likely to permit the allocation of that much memory. 

It may also be possible for a remote attacker to exploit this integer overflow 
to obtain sensitive information, such as secret keys, from the kadmind process. 
This is believed to be extremely unlikely, as there are unlikely to be ways for 
the information, once improperly copied, to be returned to the attacker. 
In addition, the above condition of the kadmind being able to allocate huge
amounts of memory must be satisfied. 

Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt 

This patch may also be found at:
  http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt 

The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt.asc 

NEC Corporation

[Server Products] * EWS/UP 48 Series operating system - is NOT vulnerable. 

NetBSD

The length types of the various xdr*_getbytes functions were made consistent 
somewhere back in 1997 (all u_int), so we're not vulnerable in that area. 

Network Appliance

NetApp products are not vulnerable to this issue.

Nokia

This issue has no relationship to the product we ship. 

SGI

SGI acknowledges receiving CERT VU#516825 and is currently investigating. 
This is being tracked as SGI Bug# 880925. No further information is available 
at this time. 

For the protection of all our customers, SGI does not disclose, discuss or 
confirm vulnerabilities until a full investigation has occurred and any 
necessary patch(es) or release streams are available for all vulnerable and 
supported SGI operating systems. Until SGI has more definitive information to 
provide, customers are encouraged to assume all security vulnerabilities as 
exploitable and take appropriate steps according to local site security policies 
and requirements. As further information becomes available, additional advisories 
will be issued via the normal SGI security information distribution methods 
including the wiretap mailing list on http://www.sgi.com/support/security/ 

Sun Microsystems

Solaris 2.6, 7, 8 and 9 are vulnerable to VU#516825.

Sun will be publishing a Sun Alert for the issue at the following 
location shortly:
   http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/51884 

The Sun Alert will be updated with the patch information as soon as the 
patches are available.

At that time, the patches listed in the Sun Alert will be available from: 
  http://sunsolve.sun.com/securitypatch 



Appendix B. - References

1. AD20030318.html - http://www.eeye.com/html/Research/Advisories/AD20030318.html 
2. VU#192995 - http://www.kb.cert.org/vuls/id/192995 
3. VU#516825 - http://www.kb.cert.org/vuls/id/516825 
4. RFC1831 - http://www.ietf.org/rfc/rfc1831.txt 
5. RFC1832 - http://www.ietf.org/rfc/rfc1832.txt 



Thanks to Riley Hassell of eEye Digital Security for discovering and reporting 
this vulnerability. Thanks also to Sun Microsystems for additional technical 
details.

Authors: Chad Dougherty and Jeffrey Havrilla 

This document is available from: http://www.cert.org/advisories/CA-2003-10.html 


CERT/CC Contact Information

                 Email: cert@cert.org
                 Phone: +1 412-268-7090 (24-hour hotline)
                 Fax: +1 412-268-6989
                 Postal address:
                      CERT Coordination Center
                      Software Engineering Institute
                      Carnegie Mellon University
                      Pittsburgh PA 15213-3890
                      U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) 
Monday through Friday; they are on call for emergencies during other hours, 
on U.S. holidays, and on weekends. 

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public 
PGP key is available from 

   http://www.cert.org/CERT_PGP.key 

If you prefer to use DES, please call the CERT hotline for more information. 

Getting security information

CERT publications and other security information are available from our web site 

       http://www.cert.org/ 

To subscribe to the CERT mailing list for advisories and bulletins, send email 
to majordomo@cert.org. Please include in the body of your message

  subscribe cert-advisory 

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and 
Trademark Office. 


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering 
Institute is furnished on an "as is" basis. Carnegie Mellon University makes no 
warranties of any kind, either expressed or implied as to any matter including, 
but not limited to, warranty of fitness for a particular purpose or merchantability, 
exclusivity or results obtained from use of the material. Carnegie Mellon University 
does not make any warranty of any kind with respect to freedom from patent, 
trademark, or copyright infringement. 


Conditions for use, disclaimers, and sponsorship information 

Copyright 2003 Carnegie Mellon University.

Revision History 

Mar 19, 2003:  Initial release

[***** End CERT® Advisory CA-2003-10 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-049: Snort RPC Preprocessing Vulnerability
N-050: Sun sendmail(1M) ".forward" Constructs Vulnerability
N-051: Red Hat Updated OpenSSL Packages Fix Timing Attack
N-052: PeopleSoft PeopleTools Remote Command Execution Vulnerability
N-053: Increased Activity Targeting Microsoft Windows Shares
N-054: Unchecked Buffer in Windows Component Could Cause Web Server Compromise
N-055: Samba smbd Buffer Overrun Vulnerability
N-056: Red Hat Updated 2.4 Kernel Fix for ptrace Vulnerability
N-057: Cryptographic weaknesses in Kerberos v4 protocol
N-058: Vulnerabilities in Webmin/Usermin

