CERT Advisory CA-2002-25 Integer Overflow In XDR Library

From: CERT Advisory (cert-advisory@cert.org)
Date: 08/06/02

Date: Mon, 5 Aug 2002 19:49:31 -0400
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org


   Original release date: August 05, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Applications using vulnerable implementations of SunRPC-derived XDR
   libraries, which include, but are not limited to:

     * Sun Microsystems network services library (libnsl)
     * BSD-derived libraries with XDR/RPC routines (libc)
     * GNU C library with sunrpc (glibc)


   There is an integer overflow present in the xdr_array() function
   distributed as part of the Sun Microsystems XDR library. This overflow
   has been shown to lead to remotely exploitable buffer overflows in
   multiple applications, leading to the execution of arbitrary code.
   Although the library was originally distributed by Sun Microsystems,
   multiple vendors have included the vulnerable code in their own

I. Description

   The XDR (external data representation) libraries are used to provide
   platform-independent methods for sending data from one system process
   to another, typically over a network connection. Such routines are
   commonly used in remote procedure call (RPC) implementations to
   provide transparency to application programmers who need to use common
   interfaces to interact with many different types of systems. The
   xdr_array() function in the XDR library provided by Sun Microsystems
   contains an integer overflow that can lead to improperly sized dynamic
   memory allocation. Subsequent problems like buffer overflows may
   result, depending on how and where the vulnerable xdr_array() function
   is used.
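   As an added illustration of the defect (this is not code from the
   advisory, from Sun's library or from any vendor named here), the
   following C snippet contrasts the unchecked count * elsize size
   computation with a guarded one of the kind the glibc changelog in
   Appendix A describes ("check for overflow on multiplication"). The
   decode_array_header() and checked_mul_size() helpers are hypothetical,
   the 0x40000001 element count is a constructed sample value, and the
   arithmetic assumes a 32-bit unsigned int. The last helper applies the
   same guard to a calloc(3)-style nmemb * size request, the related
   overflow class mentioned in the Openwall statement in Appendix A.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed size computation, illustrating the pattern the advisory describes
 * (not the library's own xdr_array() source). The element count arrives from
 * the untrusted XDR stream; the product is taken in 32-bit unsigned
 * arithmetic and silently wraps, so a huge count can yield a tiny request. */
unsigned int xdr_array_bytes_unchecked(unsigned int count, unsigned int elsize)
{
    return count * elsize;
}

/* Guarded size computation. Rejects a count that exceeds the caller's
 * declared maximum or whose product with elsize would not fit in
 * unsigned int. Returns true and stores the byte count only on success. */
bool xdr_array_bytes_checked(unsigned int count, unsigned int elsize,
                             unsigned int maxsize, unsigned int *out)
{
    if (elsize == 0 || count > maxsize || count > UINT_MAX / elsize)
        return false;
    *out = count * elsize;
    return true;
}

/* Hypothetical decoder front end: XDR encodes an unsigned int as four
 * big-endian bytes, so the element count of a variable-length array is the
 * first four bytes of the encoded array. Decides whether allocation may
 * proceed; it never allocates, so it is safe to run over arbitrary input. */
bool decode_array_header(const unsigned char *buf, size_t len,
                         unsigned int elsize, unsigned int maxsize,
                         unsigned int *bytes_out)
{
    if (len < 4)
        return false;
    unsigned int count = ((unsigned int)buf[0] << 24) |
                         ((unsigned int)buf[1] << 16) |
                         ((unsigned int)buf[2] << 8)  |
                          (unsigned int)buf[3];
    return xdr_array_bytes_checked(count, elsize, maxsize, bytes_out);
}

/* The same guard for a calloc(3)-style nmemb * size request (hypothetical
 * helper; the related overflow class Openwall mentions in Appendix A). */
bool checked_mul_size(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return false;
    *out = nmemb * size;
    return true;
}

int main(void)
{
    /* Constructed sample: count 0x40000001 (1,073,741,825) elements of 8 bytes
     * encoded as the XDR header; the true size is just over 8 GiB. */
    const unsigned char hdr[4] = { 0x40, 0x00, 0x00, 0x01 };
    unsigned int bytes = 0;

    printf("unchecked: %u bytes requested for 0x40000001 x 8\n",
           xdr_array_bytes_unchecked(0x40000001u, 8u));   /* wraps to 8 */
    printf("checked:   %s\n",
           decode_array_header(hdr, sizeof hdr, 8u, UINT_MAX, &bytes)
               ? "accepted" : "rejected");                  /* rejected */
    return 0;
}
```

   The unchecked product wraps to 8, so a subsequent allocation of that
   size followed by a loop that decodes 0x40000001 elements overruns the
   buffer; the guarded version refuses the header before any allocation
   happens, which is the behaviour a patched library should show.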

   This issue is currently being tracked as VU#192995 by the CERT/CC and
   CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE)

II. Impact

   Because SunRPC-derived XDR libraries are used by a variety of vendors
   in a variety of applications, this defect may lead to a number of
   differing security problems. Exploiting this vulnerability will lead
   to denial of service, execution of arbitrary code, or the disclosure
   of sensitive information.

   Specific impacts reported include the ability to execute arbitrary
   code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind,
   for example). In addition, intruders who exploit the XDR overflow in
   MIT KRB5 kadmind may be able to gain control of a Key Distribution
   Center (KDC) and improperly authenticate to other services within a
   trusted Kerberos realm.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As vendors report new information to the CERT/CC, we will update this
   section and note the changes in our revision history. If a particular
   vendor is not listed below or in the vulnerability note, we have not
   received their comments. Please contact your vendor directly.

   Note that XDR libraries can be used by multiple applications on most
   systems. It may be necessary to upgrade or apply multiple patches and
   then recompile statically linked applications.

   Applications that are statically linked must be recompiled using
   patched libraries. Applications that are dynamically linked do not
   need to be recompiled; however, running services need to be restarted
   in order to use the patched libraries.

   System administrators should consider the following process when
   addressing this issue:

    1. Patch or obtain updated XDR/RPC libraries.
    2. Restart any dynamically linked services that make use of the
       XDR/RPC libraries.
    3. Recompile any statically linked applications using the patched or
       updated XDR/RPC libraries.

Disable access to vulnerable services or applications

   Until patches are available and can be applied, you may wish to
   disable access to services or applications compiled with the
   vulnerable xdr_array() function. Such applications include, but are
   not limited to, the following:

     * DMI Service Provider daemon (dmispd)
     * CDE Calendar Manager Service daemon (rpc.cmsd)
     * MIT Kerberos 5 Administration daemon (kadmind)

   As a best practice, the CERT/CC recommends disabling all services that
   are not explicitly required.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below or in the individual
   vulnerability notes, we have not received their comments.

Apple Computer, Inc.

   The vulnerability described in this note is fixed with Security Update

Debian GNU/Linux

   The Debian GNU/Linux distribution was vulnerable with regard to the
   XDR problem as stated above with the following vulnerability

                          OpenAFS                 Kerberos5               GNU libc
                          _______                 _________               ________
   Debian 2.2 (potato)    not included            not included            vulnerable
   Debian 3.0 (woody)     vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable
   Debian unstable (sid)  vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable

   However, the following advisories were raised recently which contain
   and announced fixes:

     DSA 142-1 OpenAFS (safe versions are: 1.2.3final2-6 (woody) and
     1.2.6-1 (sid))

     DSA 143-1 Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and
     1.2.5-2 (sid))

   The advisory for the GNU libc is pending; it is currently being
   recompiled. The fixed versions will probably be:

     Debian 2.2 (potato) glibc 2.1.3-23 or later
     Debian 3.0 (woody) glibc 2.2.5-11 or later
     Debian unstable (sid) glibc 2.2.5-12 or later

GNU glibc

   Version 2.2.5 and earlier versions of the GNU C Library are
   vulnerable. For Version 2.2.5, we suggest the following patch. This
   patch is also available from the GNU C Library CVS repository at:


     2002-08-02 Jakub Jelinek <jakub@redhat.com>

     * sunrpc/xdr_array.c (xdr_array): Check for overflow on
       multiplication. Patch by Solar Designer <solar@openwall.com>.

     [ text of diff available in CVS repository link above --CERT/CC ]

FreeBSD, Inc.

   Please see

Hewlett-Packard Company

   SOURCE: Hewlett-Packard Company

   RE: Potential RPC XDR buffer overflow

   At the time of writing this document, Hewlett Packard is currently
   investigating the potential impact to HP's released operating System
   software products.

   As further information becomes available HP will provide notice of the
   availability of any necessary patches through standard security
   bulletin announcements and be available from your normal HP Services
   support channel.

Juniper Networks

   The Juniper Networks SDX-300 Service Deployment System (SSC) does use
   XDR for communication with an ERX edge router, but does not make use
   of the Sun RPC libraries. The SDX-300 product is not vulnerable to the
   Sun RPC XDR buffer overflow as outlined in this CERT advisory.

KTH and Heimdal Kerberos

   kth-krb and heimdal are not vulnerable to this problem since they do
   not use any Sun RPC at all.

MIT Kerberos Development Team

   Please see

   The patch is available directly:

   The following detached PGP signature should be used to verify the
   authenticity and integrity of the patch:


Microsoft Corporation

   Microsoft is currently conducting an investigation based on this
   report. We will update this advisory with information once it is


   Please see

Network Appliance

   NetApp systems are not vulnerable to this problem.


OpenAFS

   OpenAFS is an affected vendor for this vulnerability.
   http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt details
   how we have dealt with the issue.

Openwall Project

   The xdr_array(3) integer overflow was present in the glibc package on
   Openwall GNU/*/Linux until 2002/08/01 when it was corrected for
   Owl-current and documented as a security fix in the system-wide change
   log available at:


   The same glibc package update also fixes a very similar but different
   calloc(3) integer overflow possibility that is currently not known to
   allow for an attack on a particular application, but has been patched
   as a proactive measure. The Sun RPC xdr_array(3) overflow may allow
   for passive attacks on mount(8) by malicious or spoofed NFSv3 servers
   as well as for both passive and active attacks on RPC clients or
   services that one might install on Owl. (There're no RPC services
   included with Owl.)

RedHat Inc.

   Red Hat distributes affected packages glibc and Kerberos in all Red
   Hat Linux distributions. We are currently working on producing errata
   packages; when complete, these will be available along with our
   advisory at the URLs below. At the same time users of the Red Hat
   Network will be able to update their systems using the 'up2date' tool.

     http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
     http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)


SGI

   SGI is currently looking into the matter, per:


Sun Microsystems, Inc.

   Sun can confirm that there is a type overflow vulnerability in the
   xdr_array(3NSL) function which is part of the network services
   library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published
   Sun Alert 46122 which describes the issue, applications affected, and
   workaround information. The Sun Alert will be updated as more
   information or patches become available and is located here:


   Sun will be publishing a Sun Security Bulletin for this issue once all
   of the patches are available which will be located at:


Appendix B. - References

    1. Manual entry for xdr_array(3)
    2. VU#192995
    3. RFC1831
    4. RFC1832
    5. Sun Alert 46122
    6. Security Alert MITKRB5-SA-2002-001-xdr
    7. Flaw in calloc and similar routines, Florian Weimer, University of
       Stuttgart, RUS-CERT, 2002-08-05

   Thanks to Sun Microsystems for working with the CERT/CC to make this
   document possible. The initial vulnerability research and
   demonstration was performed by Internet Security Systems (ISS).

   Authors: Jeffrey S. Havrilla and Cory F. Cohen.

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If you prefer to use DES, please call the CERT hotline for more

    Getting security information

   CERT publications and other security information are available from
   our web site

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
   August 05, 2002: Initial release
