-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2002-25 Integer Overflow In XDR Library
 Original release date: August 05, 2002
 Last revised: --
 Source: CERT/CC
 A complete revision history can be found at the end of this file.
Systems Affected
 Applications using vulnerable implementations of SunRPC-derived XDR
 libraries, which include, but are not limited to:
 * Sun Microsystems network services library (libnsl)
 * BSD-derived libraries with XDR/RPC routines (libc)
 * GNU C library with sunrpc (glibc)
Overview
 There is an integer overflow present in the xdr_array() function
 distributed as part of the Sun Microsystems XDR library. This overflow
 has been shown to lead to remotely exploitable buffer overflows in
 multiple applications, leading to the execution of arbitrary code.
 Although the library was originally distributed by Sun Microsystems,
 multiple vendors have included the vulnerable code in their own
 implementations.
I. Description
 The XDR (external data representation) libraries are used to provide
 platform-independent methods for sending data from one system process
 to another, typically over a network connection. Such routines are
 commonly used in remote procedure call (RPC) implementations to
 provide transparency to application programmers who need to use common
 interfaces to interact with many different types of systems. The
 xdr_array() function in the XDR library provided by Sun Microsystems
 contains an integer overflow: the element count read from the wire is
 multiplied by the element size in 32-bit unsigned arithmetic, so a
 large count wraps the product and leads to an improperly (too small)
 sized dynamic memory allocation. Subsequent problems like buffer
 overflows may result when the elements are then decoded into that
 buffer, depending on how and where the vulnerable xdr_array() function
 is used.
 This issue is currently being tracked as VU#192995 by the CERT/CC and
 CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE)
 dictionary.
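 The following is an added worked example, not code from this advisory
 or from any vendor's libnsl/libc. It reproduces the size arithmetic of
 SunRPC-derived xdr_array() in isolation and dry-runs its XDR_DECODE
 loop, counting the bytes the loop would store instead of storing them,
 so the heap overrun is measured rather than triggered. Assumptions made
 for illustration: the array holds xdr_int elements (4 bytes on the wire
 and in memory), the caller passed maxsize = LASTUNSIGNED (~0) as
 rpcgen does for unbounded arrays, and the two sample messages are
 constructed, not captured traffic. The hardened variant applies the
 same multiplication-overflow test that the glibc patch in Appendix A
 describes.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the advisory's or any vendor's code): xdr_array()
 * size arithmetic and a dry run of its decode loop.  Assumed: xdr_int
 * elements (4 bytes), maxsize = LASTUNSIGNED as emitted by rpcgen. */

typedef unsigned int u_int;
#define LASTUNSIGNED ((u_int)0 - 1)

/* Original arithmetic: the product is formed in 32-bit u_int and wraps. */
static bool nodesize_unchecked(u_int c, u_int maxsize, u_int elsize, u_int *nodesize)
{
    if (c > maxsize)
        return false;
    *nodesize = c * elsize;          /* silently wraps when c * elsize >= 2^32 */
    return true;
}

/* Fixed arithmetic: reject any count whose product cannot fit in u_int. */
static bool nodesize_checked(u_int c, u_int maxsize, u_int elsize, u_int *nodesize)
{
    if (elsize == 0 || c > maxsize || c > UINT_MAX / elsize)
        return false;
    *nodesize = c * elsize;
    return true;
}

/* Minimal XDR reader over an in-memory message: big-endian 32-bit words. */
typedef struct { const unsigned char *p; size_t len, pos; } xdrmem;

static bool xdr_get_u_int(xdrmem *x, u_int *out)
{
    if (x->len - x->pos < 4)
        return false;
    *out = ((u_int)x->p[x->pos] << 24) | ((u_int)x->p[x->pos + 1] << 16)
         | ((u_int)x->p[x->pos + 2] << 8) | x->p[x->pos + 3];
    x->pos += 4;
    return true;
}

struct decode_plan {
    bool accepted;          /* would xdr_array() proceed to allocate? */
    u_int claimed_count;    /* element count taken from the wire */
    u_int alloc_bytes;      /* what mem_alloc() would be asked for */
    size_t written_bytes;   /* what the element loop would actually store */
};

/* Dry-run the XDR_DECODE path.  Like the real loop, which stops when elproc
 * fails on an exhausted stream, we iterate until the claimed count is reached
 * or the message runs dry; we only count the bytes the loop would copy. */
static struct decode_plan plan_decode(const unsigned char *msg, size_t len, bool hardened)
{
    const u_int elsize = 4;
    struct decode_plan pl = { false, 0, 0, 0 };
    xdrmem x = { msg, len, 0 };

    if (!xdr_get_u_int(&x, &pl.claimed_count))
        return pl;
    pl.accepted = hardened
        ? nodesize_checked(pl.claimed_count, LASTUNSIGNED, elsize, &pl.alloc_bytes)
        : nodesize_unchecked(pl.claimed_count, LASTUNSIGNED, elsize, &pl.alloc_bytes);
    if (!pl.accepted)
        return pl;

    u_int dummy;
    for (u_int i = 0; i < pl.claimed_count && xdr_get_u_int(&x, &dummy); i++)
        pl.written_bytes += elsize;
    return pl;
}

/* True when the dry run shows the loop storing past the allocation. */
static bool message_overflows(const unsigned char *msg, size_t len, bool hardened)
{
    struct decode_plan pl = plan_decode(msg, len, hardened);
    return pl.accepted && pl.written_bytes > pl.alloc_bytes;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char benign_msg[] = {
    0x00,0x00,0x00,0x02,                          /* count = 2 */
    0x00,0x00,0x00,0x0a, 0x00,0x00,0x00,0x0b      /* two xdr_int elements */
};
static const unsigned char evil_msg[] = {
    0x40,0x00,0x00,0x01,                          /* count = 0x40000001; *4 wraps to 4 */
    0x41,0x41,0x41,0x41, 0x42,0x42,0x42,0x42, 0x43,0x43,0x43,0x43, 0x44,0x44,0x44,0x44,
    0x45,0x45,0x45,0x45, 0x46,0x46,0x46,0x46, 0x47,0x47,0x47,0x47, 0x48,0x48,0x48,0x48
};

int main(void)
{
    struct decode_plan a = plan_decode(evil_msg, sizeof evil_msg, false);
    struct decode_plan b = plan_decode(evil_msg, sizeof evil_msg, true);
    printf("unpatched: accepted=%d alloc=%u bytes, loop stores %zu bytes -> %s\n",
           a.accepted, a.alloc_bytes, a.written_bytes,
           message_overflows(evil_msg, sizeof evil_msg, false) ? "HEAP OVERFLOW" : "ok");
    printf("patched:   accepted=%d (count rejected before allocation)\n", b.accepted);
    return 0;
}
```

 With the malicious count 0x40000001 the unpatched arithmetic asks
 mem_alloc() for 4 bytes while the loop stores the 32 bytes of elements
 the message actually carries; every further element the attacker
 appends is written past the allocation, which is why the caller's
 maxsize of ~0 offers no protection. The patched check refuses the count
 before anything is allocated.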
II. Impact
 Because SunRPC-derived XDR libraries are used by a variety of vendors
 in a variety of applications, this defect may lead to a number of
 differing security problems. Exploiting this vulnerability will lead
 to denial of service, execution of arbitrary code, or the disclosure
 of sensitive information.
 Specific impacts reported include the ability to execute arbitrary
 code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind,
 for example). In addition, intruders who exploit the XDR overflow in
 MIT KRB5 kadmind may be able to gain control of a Key Distribution
 Center (KDC) and improperly authenticate to other services within a
 trusted Kerberos realm.
III. Solution
Apply a patch from your vendor
 Appendix A contains information provided by vendors for this advisory.
 As vendors report new information to the CERT/CC, we will update this
 section and note the changes in our revision history. If a particular
 vendor is not listed below or in the vulnerability note, we have not
 received their comments. Please contact your vendor directly.
 Note that XDR libraries can be used by multiple applications on most
 systems. It may be necessary to upgrade or apply multiple patches and
 then recompile statically linked applications.
 Applications that are statically linked must be recompiled using
 patched libraries. Applications that are dynamically linked do not
 need to be recompiled; however, running services need to be restarted
 in order to use the patched libraries.
 System administrators should consider the following process when
 addressing this issue:
 1. Patch or obtain updated XDR/RPC libraries.
 2. Restart any dynamically linked services that make use of the
 XDR/RPC libraries.
 3. Recompile any statically linked applications using the patched or
 updated XDR/RPC libraries.
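 The following is an added example, not part of the CERT advisory, for
 auditing steps 2 and 3 above after the library package has been
 replaced. It assumes a Linux host, where the kernel marks a library
 that was deleted or replaced on disk but is still mapped by a running
 process as "(deleted)" in /proc/PID/maps, so the daemons that still
 carry the vulnerable xdr_array() can be listed without guessing which
 services use SunRPC. The library names in the pattern (glibc's libc,
 which contains sunrpc/xdr_array.c, and Solaris-style libnsl) are the
 ones this advisory names; the maps excerpt is constructed, not taken
 from a real host.

```shell
#!/bin/sh
# Added example (not from the advisory): post-patch audit for XDR/RPC users.
# Assumes Linux /proc semantics; library names are glibc libc and libnsl.

# Print the replaced XDR/RPC libraries still mapped according to one
# /proc/PID/maps file.  Returns 0 if any were found, 1 if the process is clean.
stale_rpc_libs_in_maps() {
    found=$(grep -E 'lib(c|nsl)(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1" \
            | awk '{ print $6 }' | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Walk all processes and print "PID COMMAND" for each one that must be
# restarted before it stops using the old, vulnerable library (step 2).
list_processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if stale_rpc_libs_in_maps "$maps" >/dev/null 2>&1; then
            echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null || echo '?')"
        fi
    done
}

# Statically linked executables under a directory tree carry their own copy
# of xdr_array() and must be rebuilt against the patched library (step 3);
# restarting them changes nothing.
list_static_binaries() {
    find "$1" -type f -perm -u+x 2>/dev/null \
        | while IFS= read -r f; do
              file "$f" 2>/dev/null | grep -q 'statically linked' && echo "$f"
          done
}

# Constructed /proc/PID/maps excerpt (not captured from a real host): a daemon
# started before the update still maps the pre-update libc.  The deleted
# libcrypto line shows the pattern ignores unrelated replaced libraries.
sample_maps() {
    cat <<'EOF'
08048000-0804f000 r-xp 00000000 03:01 21345      /usr/sbin/rpc.cmsd
40000000-40016000 r-xp 00000000 03:01 11207      /lib/ld-2.2.5.so (deleted)
40025000-4014a000 r-xp 00000000 03:01 11214      /lib/libc-2.2.5.so (deleted)
4014a000-40150000 rw-p 00125000 03:01 11214      /lib/libc-2.2.5.so (deleted)
40150000-40160000 r-xp 00000000 03:01 11300      /usr/lib/libcrypto.so.0.9.6 (deleted)
bffff000-c0000000 rwxp 00000000 00:00 0
EOF
}

tmp=$(mktemp) && sample_maps > "$tmp"
echo "Stale XDR/RPC library mappings in the sample process:"
stale_rpc_libs_in_maps "$tmp"
rm -f "$tmp"
```

 On a live system, run list_processes_needing_restart as root and
 restart (or reboot for) everything it prints, then run
 list_static_binaries over /usr/sbin, /usr/lib and any local software
 trees to find the binaries that need rebuilding; a process that shows
 no "(deleted)" mapping but was started from a statically linked binary
 is still vulnerable.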
Disable access to vulnerable services or applications
 Until patches are available and can be applied, you may wish to
 disable access to services or applications compiled with the
 vulnerable xdr_array() function. Such applications include, but are
 not limited to, the following:
 * DMI Service Provider daemon (dmispd)
 * CDE Calendar Manager Service daemon (rpc.cmsd)
 * MIT Kerberos 5 Administration daemon (kadmind)
 As a best practice, the CERT/CC recommends disabling all services that
 are not explicitly required.
Appendix A. - Vendor Information
 This appendix contains information provided by vendors for this
 advisory. As vendors report new information to the CERT/CC, we will
 update this section and note the changes in our revision history. If a
 particular vendor is not listed below or in the individual
 vulnerability notes, we have not received their comments.
Apple Computer, Inc.
 The vulnerability described in this note is fixed with Security Update
 2002-08-02.
Debian GNU/Linux
 The Debian GNU/Linux distribution was vulnerable with regard to the
 XDR problem as stated above with the following vulnerability matrix:
                          OpenAFS                 Kerberos5               GNU libc
                          _______                 _________               ________
  Debian 2.2 (potato)     not included            not included            vulnerable
  Debian 3.0 (woody)      vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable
  Debian unstable (sid)   vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable
 However, the following advisories were raised recently which contain
 and announce fixes:
 DSA 142-1 OpenAFS (safe versions are: 1.2.3final2-6 (woody) and
 1.2.6-1 (sid))
 DSA 143-1 Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and
 1.2.5-2 (sid))
 The advisory for the GNU libc is pending; it is currently being
 recompiled. The fixed versions will probably be:
 Debian 2.2 (potato) glibc 2.1.3-23 or later
 Debian 3.0 (woody) glibc 2.2.5-11 or later
 Debian unstable (sid) glibc 2.2.5-12 or later
GNU glibc
 Version 2.2.5 and earlier versions of the GNU C Library are
 vulnerable. For Version 2.2.5, we suggest the following patch. This
 patch is also available from the GNU C Library CVS repository at:
 http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc
 2002-08-02  Jakub Jelinek <jakub@redhat.com>
* sunrpc/xdr_array.c (xdr_array): Check for overflow on
 multiplication. Patch by Solar Designer <solar@openwall.com>.
 [ text of diff available in CVS repository link above --CERT/CC ]
FreeBSD, Inc.
 Please see
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc
Hewlett-Packard Company
 SOURCE: Hewlett-Packard Company
 RE: Potential RPC XDR buffer overflow
 At the time of writing this document, Hewlett Packard is currently
 investigating the potential impact to HP's released operating System
 software products.
 As further information becomes available HP will provide notice of the
 availability of any necessary patches through standard security
 bulletin announcements and be available from your normal HP Services
 support channel.
Juniper Networks
 The Juniper Networks SDX-300 Service Deployment System (SSC) does use
 XDR for communication with an ERX edge router, but does not make use
 of the Sun RPC libraries. The SDX-300 product is not vulnerable to the
 Sun RPC XDR buffer overflow as outlined in this CERT advisory.
KTH and Heimdal Kerberos
 kth-krb and heimdal are not vulnerable to this problem since they do
 not use any Sun RPC at all.
MIT Kerberos Development Team
 Please see
 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt
The patch is available directly:
 http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt
The following detached PGP signature should be used to verify the
 authenticity and integrity of the patch:
 http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc
Microsoft Corporation
 Microsoft is currently conducting an investigation based on this
 report. We will update this advisory with information once it is
 complete.
NetBSD
 Please see
 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Network Appliance
 NetApp systems are not vulnerable to this problem.
OpenAFS
 OpenAFS is an affected vendor for this vulnerability.
 http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt details
 how we have dealt with the issue.
Openwall Project
 The xdr_array(3) integer overflow was present in the glibc package on
 Openwall GNU/*/Linux until 2002-08-01 when it was corrected for
 Owl-current and documented as a security fix in the system-wide change
 log available at:
 http://www.openwall.com/Owl/CHANGES.shtml
The same glibc package update also fixes a very similar but different
 calloc(3) integer overflow possibility that is currently not known to
 allow for an attack on a particular application, but has been patched
 as a proactive measure. The Sun RPC xdr_array(3) overflow may allow
 for passive attacks on mount(8) by malicious or spoofed NFSv3 servers
 as well as for both passive and active attacks on RPC clients or
 services that one might install on Owl. (There are no RPC services
 included with Owl.)
RedHat Inc.
 Red Hat distributes affected packages glibc and Kerberos in all Red
 Hat Linux distributions. We are currently working on producing errata
 packages; when complete, these will be available along with our
 advisory at the URLs below. At the same time users of the Red Hat
 Network will be able to update their systems using the 'up2date' tool.
 http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
 http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)
SGI
 SGI is currently looking into the matter, per:
 ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
Sun Microsystems, Inc.
 Sun can confirm that there is a type overflow vulnerability in the
 xdr_array(3NSL) function which is part of the network services
 library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published
 Sun Alert 46122 which describes the issue, applications affected, and
 workaround information. The Sun Alert will be updated as more
 information or patches become available and is located here:
 http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122
Sun will be publishing a Sun Security Bulletin for this issue once all
 of the patches are available which will be located at:
 http://sunsolve.sun.com/security
_________________________________________________________________
Appendix B. - References
 1. Manual entry for xdr_array(3)
 2. VU#192995
 3. RFC1831
 4. RFC1832
 5. Sun Alert 46122
 6. Security Alert MITKRB5-SA-2002-001-xdr
 7. Flaw in calloc and similar routines, Florian Weimer, University of
 Stuttgart, RUS-CERT, 2002-08-05
 _________________________________________________________________
 Thanks to Sun Microsystems for working with the CERT/CC to make this
 document possible. The initial vulnerability research and
 demonstration was performed by Internet Security Systems (ISS).
 _________________________________________________________________
 Authors: Jeffrey S. Havrilla and Cory F. Cohen.
 ______________________________________________________________________
 This document is available from:
 http://www.cert.org/advisories/CA-2002-25.html
______________________________________________________________________
CERT/CC Contact Information
 Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
 Fax: +1 412-268-6989
 Postal address:
 CERT Coordination Center
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh PA 15213-3890
 U.S.A.
 CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
 EDT(GMT-4) Monday through Friday; they are on call for emergencies
 during other hours, on U.S. holidays, and on weekends.
 Using encryption
 We strongly urge you to encrypt sensitive information sent by email.
 Our public PGP key is available from
 http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
 information.
 Getting security information
 CERT publications and other security information are available from
 our web site
 http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
 send email to majordomo@cert.org. Please include in the body of your
 message
 subscribe cert-advisory
 * "CERT" and "CERT Coordination Center" are registered in the U.S.
 Patent and Trademark Office.
 ______________________________________________________________________
 NO WARRANTY
 Any material furnished by Carnegie Mellon University and the Software
 Engineering Institute is furnished on an "as is" basis. Carnegie
 Mellon University makes no warranties of any kind, either expressed or
 implied as to any matter including, but not limited to, warranty of
 fitness for a particular purpose or merchantability, exclusivity or
 results obtained from use of the material. Carnegie Mellon University
 does not make any warranty of any kind with respect to freedom from
 patent, trademark, or copyright infringement.
 _________________________________________________________________
 Conditions for use, disclaimers, and sponsorship information
 Copyright 2002 Carnegie Mellon University.
 Revision History
August 05, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPU8KIqCVPMXQI2HJAQFG2QQAumw8DlNwSDbrbGvkqrKX2wXVokgQ1vFU
a8iJhuSab79YLvO5OiWMvOKxiVWln74Jr2DSAP5JVTmtACIWLN4/pOWB71OJSC0L
gBUpjSAn/i+jR6YkmAC0XvLn1P+BuEYoOC2RWkhF/KjI7/f/O3/M9XokkhoXYYnx
MyMRLmOap2Y=
=vtJG
-----END PGP SIGNATURE-----