-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2002-25 Integer Overflow In XDR Library

Original release date: August 05, 2002
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.
Systems Affected

Applications using vulnerable implementations of SunRPC-derived XDR
libraries, which include, but are not limited to:

* Sun Microsystems network services library (libnsl)
* BSD-derived libraries with XDR/RPC routines (libc)
* GNU C library with sunrpc (glibc)
Overview

There is an integer overflow present in the xdr_array() function
distributed as part of the Sun Microsystems XDR library. This overflow
has been shown to lead to remotely exploitable buffer overflows in
multiple applications, leading to the execution of arbitrary code.
Although the library was originally distributed by Sun Microsystems,
multiple vendors have included the vulnerable code in their own
implementations.
I. Description

The XDR (external data representation) libraries are used to provide
platform-independent methods for sending data from one system process
to another, typically over a network connection. Such routines are
commonly used in remote procedure call (RPC) implementations to
provide transparency to application programmers who need to use common
interfaces to interact with many different types of systems. The
xdr_array() function in the XDR library provided by Sun Microsystems
contains an integer overflow that can lead to improperly sized dynamic
memory allocation: the element count taken from the incoming data is
multiplied by the element size in 32-bit unsigned arithmetic, and a
sufficiently large count makes the product wrap to a small value, so
the buffer allocated is smaller than the data subsequently decoded
into it. Subsequent problems like buffer overflows may result,
depending on how and where the vulnerable xdr_array() function is
used.
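The following is an added example, not code from the advisory, from Sun, or from glibc. It models only the sizing arithmetic in xdr_array(): a 32-bit element count read from the wire, a caller-supplied maxsize bound, and the c * elsize product used to size the allocation. The exact form of the maxsize check, the ~0 maxsize that a caller may pass for an unbounded array, and the UINT_MAX / elsize test used for the fixed path are assumptions modelled on the advisory's description of the glibc patch ("check for overflow on multiplication"), not the library's literal code. The constructed count word 0x40000001 with 4-byte elements shows the wrap: the vulnerable path asks the allocator for 4 bytes while the element loop would write just over 4 GB.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the xdr_array() sizing step.  Added example, not the
 * Sun libnsl or glibc sunrpc source: it keeps only the arithmetic the
 * advisory describes (count from the wire, bounded by the caller's maxsize,
 * multiplied by elsize to size the allocation).  The shape of the maxsize
 * check and of the UINT_MAX / elsize test are assumptions about the
 * library code.
 */

typedef unsigned int u_int;

/* XDR encodes an unsigned int as 4 big-endian bytes. */
static u_int xdr_be32(const unsigned char *p)
{
    return ((u_int)p[0] << 24) | ((u_int)p[1] << 16) |
           ((u_int)p[2] << 8)  |  (u_int)p[3];
}

/*
 * Vulnerable sizing: the element count c is only checked against maxsize,
 * and c * elsize is computed in u_int, so it wraps modulo 2^32.
 * Returns the byte count that would be handed to the allocator, or -1 if
 * the array is rejected.
 */
int64_t nodesize_vuln(const unsigned char *wire, u_int maxsize, u_int elsize)
{
    u_int c = xdr_be32(wire);
    if (c > maxsize)
        return -1;
    return (int64_t)(u_int)(c * elsize);   /* wrapped product */
}

/*
 * Fixed sizing (the shape of the 2002 patch): additionally refuse any c
 * for which c * elsize does not fit in a u_int.
 */
int64_t nodesize_fixed(const unsigned char *wire, u_int maxsize, u_int elsize)
{
    u_int c = xdr_be32(wire);
    if (c > maxsize || (elsize != 0 && c > UINT_MAX / elsize))
        return -1;
    return (int64_t)(u_int)(c * elsize);   /* cannot wrap here */
}

/*
 * Bytes the element-decoding loop would actually write: it iterates c
 * times, advancing by elsize each time, regardless of what the allocator
 * was asked for.  Computed without wrap so it can be compared to nodesize.
 */
uint64_t loop_bytes(const unsigned char *wire, u_int elsize)
{
    return (uint64_t)xdr_be32(wire) * elsize;
}

/* True when the vulnerable path accepts the array but would write past the
 * buffer it allocated: the heap overflow the advisory describes. */
bool vuln_overflows(const unsigned char *wire, u_int maxsize, u_int elsize)
{
    int64_t n = nodesize_vuln(wire, maxsize, elsize);
    return n >= 0 && loop_bytes(wire, elsize) > (uint64_t)n;
}

/* Constructed wire data (not captured traffic): just the leading count
 * word.  0x40000001 elements of 4 bytes is 0x100000004 bytes, which wraps
 * to 4 in 32-bit arithmetic. */
const unsigned char WIRE_EVIL[4]   = { 0x40, 0x00, 0x00, 0x01 };
const unsigned char WIRE_BENIGN[4] = { 0x00, 0x00, 0x00, 0x03 };

/* Assumed caller behaviour: ~0 as maxsize for an unbounded array, which
 * leaves the count check unable to reject anything. */
#define NO_LIMIT UINT_MAX
#define ELSIZE   4u

int main(void)
{
    printf("benign: vuln nodesize=%lld fixed nodesize=%lld overflow=%d\n",
           (long long)nodesize_vuln(WIRE_BENIGN, NO_LIMIT, ELSIZE),
           (long long)nodesize_fixed(WIRE_BENIGN, NO_LIMIT, ELSIZE),
           vuln_overflows(WIRE_BENIGN, NO_LIMIT, ELSIZE));
    printf("evil:   vuln nodesize=%lld, loop writes %llu bytes, overflow=%d\n",
           (long long)nodesize_vuln(WIRE_EVIL, NO_LIMIT, ELSIZE),
           (unsigned long long)loop_bytes(WIRE_EVIL, ELSIZE),
           vuln_overflows(WIRE_EVIL, NO_LIMIT, ELSIZE));
    printf("evil:   fixed nodesize=%lld (rejected)\n",
           (long long)nodesize_fixed(WIRE_EVIL, NO_LIMIT, ELSIZE));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall xdr_wrap.c && ./a.out`, with the file name being the reader's choice). The point of the pair of sizing functions is that bounding the count alone is not enough when the bound itself is ~0; the product has to be checked before it is used as an allocation size.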
This issue is currently being tracked as VU#192995 by the CERT/CC and
CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE)
dictionary.
II. Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors
in a variety of applications, this defect may lead to a number of
differing security problems. Exploiting this vulnerability may result
in denial of service, execution of arbitrary code, or the disclosure
of sensitive information.

Specific impacts reported include the ability to execute arbitrary
code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind,
for example). In addition, intruders who exploit the XDR overflow in
MIT KRB5 kadmind may be able to gain control of a Key Distribution
Center (KDC) and improperly authenticate to other services within a
trusted Kerberos realm.
III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below or in the vulnerability note, we have not
received their comments. Please contact your vendor directly.

Note that XDR libraries can be used by multiple applications on most
systems. It may be necessary to upgrade or apply multiple patches and
then recompile statically linked applications.

Applications that are statically linked must be recompiled using
patched libraries. Applications that are dynamically linked do not
need to be recompiled; however, running services need to be restarted
in order to use the patched libraries, since a process started before
the update keeps the old library image mapped until it exits.

System administrators should consider the following process when
addressing this issue:

1. Patch or obtain updated XDR/RPC libraries.
2. Restart any dynamically linked services that make use of the
   XDR/RPC libraries.
3. Recompile any statically linked applications using the patched or
   updated XDR/RPC libraries.

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to
disable access to services or applications compiled with the
vulnerable xdr_array() function. Such applications include, but are
not limited to, the following:

* DMI Service Provider daemon (dmispd)
* CDE Calendar Manager Service daemon (rpc.cmsd)
* MIT Kerberos 5 Administration daemon (kadmind)

As a best practice, the CERT/CC recommends disabling all services that
are not explicitly required.
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below or in the individual
vulnerability notes, we have not received their comments.
Apple Computer, Inc.

The vulnerability described in this note is fixed with Security Update
2002-08-02.
Debian GNU/Linux

The Debian GNU/Linux distribution was vulnerable with regard to the
XDR problem as stated above with the following vulnerability matrix:

                       OpenAFS                 Kerberos5               GNU libc
                       _______                 _________               ________
Debian 2.2 (potato)    not included            not included            vulnerable
Debian 3.0 (woody)     vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable
Debian unstable (sid)  vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable

However, the following advisories were raised recently which contain
and announce fixes:

DSA 142-1  OpenAFS (safe versions are: 1.2.3final2-6 (woody) and
           1.2.6-1 (sid))
DSA 143-1  Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and
           1.2.5-2 (sid))

The advisory for the GNU libc is pending; it is currently being
recompiled. The fixed versions will probably be:

Debian 2.2 (potato)    glibc 2.1.3-23 or later
Debian 3.0 (woody)     glibc 2.2.5-11 or later
Debian unstable (sid)  glibc 2.2.5-12 or later
GNU glibc

Version 2.2.5 and earlier versions of the GNU C Library are
vulnerable. For Version 2.2.5, we suggest the following patch. This
patch is also available from the GNU C Library CVS repository at:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc

2002-08-02  Jakub Jelinek  <jakub@redhat.com>

        * sunrpc/xdr_array.c (xdr_array): Check for overflow on
        multiplication. Patch by Solar Designer <solar@openwall.com>.

[ text of diff available in CVS repository link above --CERT/CC ]
FreeBSD, Inc.

Please see

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc
Hewlett-Packard Company

SOURCE: Hewlett-Packard Company
RE: Potential RPC XDR buffer overflow

At the time of writing this document, Hewlett Packard is currently
investigating the potential impact to HP's released operating system
software products.

As further information becomes available HP will provide notice of the
availability of any necessary patches through standard security
bulletin announcements and be available from your normal HP Services
support channel.
Juniper Networks

The Juniper Networks SDX-300 Service Deployment System (SSC) does use
XDR for communication with an ERX edge router, but does not make use
of the Sun RPC libraries. The SDX-300 product is not vulnerable to the
Sun RPC XDR buffer overflow as outlined in this CERT advisory.
KTH and Heimdal Kerberos

kth-krb and heimdal are not vulnerable to this problem since they do
not use any Sun RPC at all.
MIT Kerberos Development Team

Please see

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

The patch is available directly:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

The following detached PGP signature should be used to verify the
authenticity and integrity of the patch:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc
Microsoft Corporation

Microsoft is currently conducting an investigation based on this
report. We will update this advisory with information once it is
complete.
NetBSD

Please see

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Network Appliance

NetApp systems are not vulnerable to this problem.
OpenAFS

OpenAFS is an affected vendor for this vulnerability.
http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt details
how we have dealt with the issue.
Openwall Project

The xdr_array(3) integer overflow was present in the glibc package on
Openwall GNU/*/Linux until 2002/08/01 when it was corrected for
Owl-current and documented as a security fix in the system-wide change
log available at:

http://www.openwall.com/Owl/CHANGES.shtml

The same glibc package update also fixes a very similar but different
calloc(3) integer overflow possibility that is currently not known to
allow for an attack on a particular application, but has been patched
as a proactive measure. The Sun RPC xdr_array(3) overflow may allow
for passive attacks on mount(8) by malicious or spoofed NFSv3 servers
as well as for both passive and active attacks on RPC clients or
services that one might install on Owl. (There are no RPC services
included with Owl.)
RedHat Inc.

Red Hat distributes affected packages glibc and Kerberos in all Red
Hat Linux distributions. We are currently working on producing errata
packages; when complete, these will be available along with our
advisory at the URLs below. At the same time users of the Red Hat
Network will be able to update their systems using the 'up2date' tool.

http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)
SGI

SGI is currently looking into the matter, per:

ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
Sun Microsystems, Inc.

Sun can confirm that there is a type overflow vulnerability in the
xdr_array(3NSL) function which is part of the network services
library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published
Sun Alert 46122 which describes the issue, applications affected, and
workaround information. The Sun Alert will be updated as more
information or patches become available and is located here:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122

Sun will be publishing a Sun Security Bulletin for this issue once all
of the patches are available which will be located at:

http://sunsolve.sun.com/security
_________________________________________________________________
Appendix B. - References

1. Manual entry for xdr_array(3)
2. VU#192995
3. RFC 1831
4. RFC 1832
5. Sun Alert 46122
6. Security Alert MITKRB5-SA-2002-001-xdr
7. Flaw in calloc and similar routines, Florian Weimer, University of
   Stuttgart, RUS-CERT, 2002-08-05
_________________________________________________________________
Thanks to Sun Microsystems for working with the CERT/CC to make this
document possible. The initial vulnerability research and
demonstration was performed by Internet Security Systems (ISS).
_________________________________________________________________

Authors: Jeffrey S. Havrilla and Cory F. Cohen.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2002-25.html
______________________________________________________________________
CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

August 05, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPU8KIqCVPMXQI2HJAQFG2QQAumw8DlNwSDbrbGvkqrKX2wXVokgQ1vFU
a8iJhuSab79YLvO5OiWMvOKxiVWln74Jr2DSAP5JVTmtACIWLN4/pOWB71OJSC0L
gBUpjSAn/i+jR6YkmAC0XvLn1P+BuEYoOC2RWkhF/KjI7/f/O3/M9XokkhoXYYnx
MyMRLmOap2Y=
=vtJG
-----END PGP SIGNATURE-----