TUCoPS :: Unix :: General :: ciacj071.txt

 __________________________________________________________
 The U.S. Department of Energy
 Computer Incident Advisory Capability
 ___ __ __ _ ___
 / | /_\ /
 \___ __|__ / \ \___
 __________________________________________________________
 INFORMATION BULLETIN
 Buffer Overflow Vulnerability in amd 
September 29, 1999 22:00 GMT Number J-071
______________________________________________________________________________
PROBLEM: There is a buffer overflow vulnerability in the amd daemon 
 that could allow remote users to execute arbitrary code 
 as root. 
PLATFORM: Systems running amd, the Berkeley Automounter Daemon
DAMAGE: If exploited, a remote intruder can cause a buffer overflow 
 leading to a root compromise. 
SOLUTION: Apply available vendor patch. 
______________________________________________________________________________
VULNERABILITY Risk is high. This exploit is available on the internet and can 
ASSESSMENT: lead to a total system compromise. 
______________________________________________________________________________
[Start CERT Advisory]
CERT Advisory CA-99-12 Buffer Overflow in amd
 Original release date: September 16, 1999
 Last revised: --
 Source: CERT/CC
 
 A complete revision history is at the end of this file.
 
Systems Affected
 * Systems running amd, the Berkeley Automounter Daemon
 
I. Description
 There is a buffer overflow vulnerability in the logging facility of
 the amd daemon.
 
 This daemon automatically mounts file systems in response to attempts
 to access files that reside on those file systems. Similar
 functionality on some systems is provided by a daemon named
 automountd.
 
 Systems that include automounter daemons based on BSD 4.x source code
 may also be vulnerable. A vulnerable implementation of amd is included
 in the am-utils package, provided with many Linux distributions.
 
II. Impact
 Remote intruders can execute arbitrary code as the user running the
 amd daemon (usually root).
 
III. Solution
Install a patch from your vendor
 Appendix A contains information provided by vendors for this advisory.
 We will update the appendix as we receive more information. If you do
 not see your vendor's name, the CERT/CC did not hear from that vendor.
 Please contact your vendor directly.
 
 We will update this advisory as more information becomes available.
 Please check the CERT/CC Web site for the most current revision.
 
Disable amd
 If you are unable to apply a patch for this problem, you can disable
 the amd daemon to prevent this vulnerability from being exploited.
 Disabling amd may prevent your system from operating normally.
 
Appendix A. Vendor Information
BSDI
 BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has
 been configured. The amd daemon is not started if it has not been
 configured locally. Mods (M410-017 for 4.0.1 and M310-057) are
 available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web
 site at http://www.bsdi.com/support/patches
 
Compaq Computer Corporation
 Not vulnerable
 
Data General
 DG/UX is not vulnerable to this problem.
 
Erez Zadok (am-utils maintainer)
 The latest stable version of am-utils includes several important
 security fixes. To retrieve it, use anonymous ftp for the following
 URL
 
 ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/
 
 The MD5 checksum of the am-utils-6.0.1.tar.gz archive is
 
 MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999
 
 The simplest instructions to build, install, and run am-utils are as
 follows:
 1. Retrieve the package via FTP.
 2. Unpack it:
 $ gunzip am-utils-6.0.1.tar.gz
 $ tar xf am-utils-6.0.1.tar
 If you have GNU tar and gunzip, you can issue a single command:
 $ tar xzf am-utils-6.0.1.tar.gz
 3. Build it:
 $ cd am-utils-6.0.1
 $ ./buildall
 This would configure and build am-utils for installation in
 /usr/local. If you built am-utils in the past using a different
 procedure, you may repeat that procedure instead. For example, to
 build am-utils using shared libraries and to enable debugging, use
 either:
 $ ./buildall -Ds -b
 or
 $ ./configure --enable-debug=yes --enable-shared --disable-static
 You may run "./configure --help" to get a full list of available
 options. You may run "./buildall -H" to get a full list of options
 it offers. The buildall script is a simple wrapper script that
 configures and builds am-utils for the most common desired
 configurations.
 4. Install it:
 $ make install
 This would install the programs, scripts, libraries, manual pages,
 and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.
 5. Run it.
 Assuming you have an Amd configuration file in /etc/amd.conf, you
 can simply run:
 $ /usr/local/sbin/ctl-amd restart
 That will stop the older running Amd, and start a new one. If you
 use a different Amd start-up script, you may use it instead.
 
FreeBSD
 Please see the FreeBSD advisory at
 
 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd
 .asc
 
 for information on patches for this problem.
 
Fujitsu
 This vulnerability is still under investigation by Fujitsu.
 
Hewlett-Packard Company
 HP is not vulnerable.
 
IBM Corporation
 AIX is not vulnerable. It does not ship the am-utils package.
 
OpenBSD
 OpenBSD is not vulnerable.
 
RedHat Inc.
 RedHat has released a security advisory on this topic. It is available
 from our ftp server at:
 
 http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html
 
SCO Unix
 No SCO products are vulnerable.
 
SGI
 SGI does not distribute am-utils in either IRIX or UNICOS operating
 systems.
 
Sun Microsystems, Inc.
 SunOS - All versions are not vulnerable.
 
 Solaris - All versions are not vulnerable.
 _________________________________________________________________
 
 The CERT Coordination Center would like to thank Erez Zadok, the
 maintainer of the am-utils package, for his assistance in preparing
 this advisory.
 ______________________________________________________________________
 
 This document is available from:
 http://www.cert.org/advisories/CA-99-12-amd.html
 ______________________________________________________________________
 
CERT/CC Contact Information
 Email: cert@cert.org
 Phone: +1 412-268-7090 (24-hour hotline)
 Fax: +1 412-268-6989
 Postal address:
 CERT Coordination Center
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh PA 15213-3890
 U.S.A.
 
 CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
 Monday through Friday; they are on call for emergencies during other
 hours, on U.S. holidays, and on weekends.
 
Using encryption
 We strongly urge you to encrypt sensitive information sent by email.
 Our public PGP key is available from
 
 http://www.cert.org/CERT_PGP.key
 
 If you prefer to use DES, please call the CERT hotline for more
 information.
 
Getting security information
 CERT publications and other security information are available from
 our web site
 
 http://www.cert.org/
 
 To be added to our mailing list for advisories and bulletins, send
 email to cert-advisory-request@cert.org and include SUBSCRIBE
 your-email-address in the subject of your message.
 
 Copyright 1999 Carnegie Mellon University.
 Conditions for use, disclaimers, and sponsorship information can be
 found in
 
 http://www.cert.org/legal_stuff.html
 
 * "CERT" and "CERT Coordination Center" are registered in the U.S.
 Patent and Trademark Office.
 ______________________________________________________________________
 
 NO WARRANTY
 Any material furnished by Carnegie Mellon University and the Software
 Engineering Institute is furnished on an "as is" basis. Carnegie
 Mellon University makes no warranties of any kind, either expressed or
 implied as to any matter including, but not limited to, warranty of
 fitness for a particular purpose or merchantability, exclusivity or
 results obtained from use of the material. Carnegie Mellon University
 does not make any warranty of any kind with respect to freedom from
 patent, trademark, or copyright infringement.
 _________________________________________________________________
 
 Revision History
Sep 16, 1999: Initial release
[End CERT Advisory]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT for the 
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
 Voice: +1 925-422-8193
 FAX: +1 925-423-8002
 STU-III: +1 925-423-2604
 E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:
 1. Call the CIAC voice number 925-422-8193 and leave a message, or
 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
 3. Send e-mail to 4498369@skytel.com, or
 4. Call 800-201-9288 for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
 World Wide Web: http://www.ciac.org/
 (or http://ciac.llnl.gov -- they're the same machine)
 Anonymous FTP: ftp.ciac.org
 (or ciac.llnl.gov -- they're the same machine)
 Modem access: +1 (925) 423-4753 (28.8K baud)
 +1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
 information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
 (SPI) software updates, new features, distribution and
 availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
 use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
 subscribe list-name 
 e.g., subscribe ciac-bulletin 
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes. 
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
J-061: Lotus Notes Domino Server Denial of Service Attacks
J-062: Netscape Enterprise and FastTrack Web Servers Buffer Overflow
J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks
J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities
J-065: Wu-ftpd Vulnerability
J-066: FreeBSD File Flags and Man-In-The-Middle Attack
J-067: Profiling Across FreeBSD Exec Calls
J-068: FreeBSD Vulnerabilities in wu-ftpd and proftpd
J-069: SunOS LC_MESSAGES Environment Variable Vulnerability
J-070: Microsoft Windows 95 and 98 Telnet Client Vulnerability