
Gnuserv/XEmacs 3.12 Exploitable Buffer Overflow
Vulnerability
 gnuserv/XEmacs
Affected
 gnuserv/XEmacs prior to 3.12
Description
 Jan Vroonhof posted the following. All currently available versions
 of gnuserv for unix prior to 3.12 are vulnerable to remote
 exploit due to a buffer overflow and weak security. Gnuserv is a
 remote control facility for Emacsen. Gnuserv ships with XEmacs
 but is also available stand-alone from various sources for use
 with GNU Emacs.
 An attacker can execute remote commands with the uid of the user
 that is running gnuserv.
 This problem was discovered by Klaus Frank. Klaus provided a fix
 as well.
 gnuserv/gnuclient is a pair of utility programs used to send
 commands to an already running Emacs process. gnuserv is the
 helper binary used by the running Emacs to listen for commands.
 It must be started explicitly using the gnuserv-start command
 (However, we have seen many icons for XEmacs in UIs start "xemacs
 -f gnuserv", so it is not always obvious to the user that he is
 running gnuserv).
 gnuserv can use several different communication mechanisms, one of
 them being a tcp port. This can be switched off at compile time,
 but defaults to on. If enabled gnuserv binds to a user specified
 TCP port, with the default being (21490 + uid). Note that (if
 enabled) gnuserv _always_ listens for TCP connections, even if one
 of the other mechanisms is normally used by the user.
 Connections on the gnuserv port are authenticated either against a
 list of trusted hosts or using a MIT-MAGIC-COOKIE based system.
 (MIT-MAGIC-COOKIE authentication can be switched off, but again is
 the default.)
 The problem lies in the fact that the gnuserv program trusts the
 remote side's specification for the length of the cookie without
 any sanity checking. This allows the attacker to:
 1. Overflow the buffer used to hold a copy of the cookie.
 2. Force the comparison of the cookies to be restricted to a
 prefix of a length chosen by him, e.g. 1 byte, making
 bruteforcing the authentication trivial.
 Both problems are sufficient to give any attacker easy access to
 running arbitrary commands under the uid of the user running
 gnuserv.
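 The two consequences listed above, and the length check that closes both,
 as an added example. This is not gnuserv's source code: the function names,
 the sample bytes and the 16-byte cookie length (as in X11
 MIT-MAGIC-COOKIE-1) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16  /* assumption: 16-byte cookie, as in X11 MIT-MAGIC-COOKIE-1 */

/* Constructed sample data, not real cookies. */
const unsigned char SERVER_COOKIE[COOKIE_LEN] = {
    0x3a,0x91,0x07,0xc4,0x5e,0x22,0xb8,0x6d,0xf0,0x13,0x9a,0x4b,0x77,0xe5,0x08,0xd1 };
const unsigned char GUESS[COOKIE_LEN] = { 0x3a };  /* only byte 0 matches */

/* Flawed pattern: the peer's claimed length decides how much is compared.
 * The bug described above also used that length for the copy; the copy is
 * clamped here so the demonstration itself stays memory-safe. */
int check_flawed(const unsigned char *field, size_t claimed_len)
{
    unsigned char copy[COOKIE_LEN];
    size_t n = claimed_len < COOKIE_LEN ? claimed_len : COOKIE_LEN;
    memcpy(copy, field, n);
    return memcmp(copy, SERVER_COOKIE, n) == 0;   /* prefix-only comparison */
}

/* Hardened: reject any claimed length other than the expected one, and any
 * message that did not actually deliver that many bytes, before touching
 * the data. The comparison always covers all COOKIE_LEN bytes. */
int check_hardened(const unsigned char *field, size_t claimed_len,
                   size_t received_len)
{
    unsigned char diff = 0;
    size_t i;
    if (claimed_len != COOKIE_LEN || received_len < COOKIE_LEN)
        return 0;
    for (i = 0; i < COOKIE_LEN; i++)              /* no early exit */
        diff |= (unsigned char)(field[i] ^ SERVER_COOKIE[i]);
    return diff == 0;
}

int main(void)
{
    printf("flawed,   claimed len 1:    %d\n", check_flawed(GUESS, 1));
    printf("hardened, claimed len 1:    %d\n", check_hardened(GUESS, 1, 1));
    printf("hardened, claimed len 4096: %d\n", check_hardened(GUESS, 4096, COOKIE_LEN));
    printf("hardened, correct cookie:   %d\n",
           check_hardened(SERVER_COOKIE, COOKIE_LEN, COOKIE_LEN));
    return 0;
}
```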
 Unfortunately gnuserv has rather a complicated history. gnuserv
 was originally written by Andy Norman (ange). The problematic
 Xauth based authentication was later added by somebody else. As
 ange effectively stopped maintaining his version
 (gnuserv-2.1alpha.tar.gz) various people have put up their own
 modified copies. That includes among others the version shipped
 with XEmacs and fgnuserv by Noah Friedman, which is an easier to
 compile stand-alone version.
 After a recent rewrite the XEmacs version became the official version
 (with permission from Andy Norman), and the version number was bumped
 to the 3.x range. Martin Schwenke has made a backport of this
 version for use with Emacs using fgnuserv's build mechanism.
 All of the above versions should be assumed vulnerable, including
 those shipped with XEmacs 21.1.x for x < 14. As a test, run
 strings gnuserv | grep "gnuserv version"
 If this gives either nothing or a version below 3.12, then you are
 vulnerable.
Solution
 There is a separate fork for gnuserv on windows for use with
 NTEmacs. This is not vulnerable as it uses a completely different
 communication channel. This is, however, unconfirmed.
 A fix by Klaus Frank is in gnuserv 3.12. If you are using XEmacs
 we suggest upgrading to XEmacs 21.1.14 that contains this version
 (or 21.2.43 if you are running betas). This version can be had
 from
 http://www.xemacs.org/Releases/21.1.14.html
 or mirrors.
 If you are using a standalone gnuserv with GNU Emacs on unix we
 suggest getting Martin Schwenke's fixed version from
 http://www.linuxcare.com.au/people/martins/hacks/emacs/src/gnuserv-3.12.1.tar.gz
 For RedHat:
 ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-21.1.14-2.62.alpha.rpm
 ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-el-21.1.14-2.62.alpha.rpm
 ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-info-21.1.14-2.62.alpha.rpm
 ftp://updates.redhat.com/powertools/6.2/i386/xemacs-21.1.14-2.62.i386.rpm
 ftp://updates.redhat.com/powertools/6.2/i386/xemacs-el-21.1.14-2.62.i386.rpm
 ftp://updates.redhat.com/powertools/6.2/i386/xemacs-info-21.1.14-2.62.i386.rpm
 ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-21.1.14-2.62.sparc.rpm
 ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-el-21.1.14-2.62.sparc.rpm
 ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-info-21.1.14-2.62.sparc.rpm
