[UNIX] Integer Overflow in XDR Library

From: support@securiteam.com
Date: 08/10/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Integer Overflow in XDR Library
------------------------------------------------------------------------

SUMMARY

There is an integer overflow present in the xdr_array() function
distributed as part of the Sun Microsystems XDR library. This overflow has
been shown to lead to remotely exploitable buffer overflows in multiple
applications, leading to the execution of arbitrary code. Although the
library was originally distributed by Sun Microsystems, multiple vendors
have included the vulnerable code in their own implementations.

DETAILS

Vulnerable systems:
Applications using vulnerable implementations of SunRPC-derived XDR
libraries, which include, but are not limited to:
 * Sun Microsystems network services library (libnsl)
 * BSD-derived libraries with XDR/RPC routines (libc)
 * GNU C library with sunrpc (glibc)

Description:
The XDR (external data representation) libraries are used to provide
platform-independent methods for sending data from one system process to
another, typically over a network connection. Such routines are commonly
used in remote procedure call (RPC) implementations to provide
transparency to application programmers who need to use common interfaces
to interact with many different types of systems. The xdr_array() function
in the XDR library provided by Sun Microsystems contains an integer
overflow that can lead to improperly sized dynamic memory allocation.
Subsequent problems like buffer overflows may result, depending on how and
where the vulnerable xdr_array() function is used.
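The allocation-size arithmetic described above, as an added illustration (not code from the advisory, Sun, or glibc; the function names are hypothetical): a 32-bit element count from the wire multiplied by a 32-bit element size wraps, so the buffer ends up far smaller than the number of elements that will later be decoded into it, and a divide-first check of the kind the glibc changelog describes rejects such counts before any allocation happens.

```c
#include <stdint.h>
#include <stdio.h>

/* Types mirror what xdr_array() works with: a 32-bit unsigned element
 * count read from the wire and a 32-bit element size from the caller. */
typedef uint32_t u_int32;

/* Unchecked size computation as in the vulnerable library: the product
 * is formed in 32 bits and wraps silently when count*elsize >= 2^32. */
static u_int32 naive_alloc_size(u_int32 count, u_int32 elsize)
{
    return count * elsize;
}

/* How many elements the wrapped allocation can actually hold. The decoder
 * will still try to write `count` elements into it: a heap overflow. */
static u_int32 elements_that_fit(u_int32 count, u_int32 elsize)
{
    return naive_alloc_size(count, elsize) / elsize;
}

/* Hardened version in the spirit of the glibc fix ("check for overflow on
 * multiplication"): divide first, so the check itself cannot wrap.
 * Returns the byte size, or -1 if the product would not fit in 32 bits
 * (elsize == 0 is rejected too, since it would make the check divide by
 * zero and is a nonsensical element size anyway). */
static long long checked_alloc_size(u_int32 count, u_int32 elsize)
{
    if (elsize == 0 || count > UINT32_MAX / elsize)
        return -1;
    return (long long)count * elsize;
}

int main(void)
{
    /* Constructed input: 0x10000001 * 16 == 2^32 + 16, so the 32-bit
     * product wraps to just 16 bytes for over 268 million elements. */
    u_int32 count = 0x10000001u, elsize = 16;
    printf("naive size: %u bytes, holds %u of %u elements\n",
           naive_alloc_size(count, elsize),
           elements_that_fit(count, elsize), count);
    printf("checked size: %lld\n", checked_alloc_size(count, elsize));
    return 0;
}
```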

Impact:
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.

Specific impacts reported include the ability to execute arbitrary code
with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for
example). In addition, intruders who exploit the XDR overflow in MIT KRB5
kadmind may be able to gain control of a Key Distribution Center (KDC) and
improperly authenticate to other services within a trusted Kerberos realm.

Solution:
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. As
vendors report new information to the CERT/CC, we will update this section
and note the changes in our revision history. If a particular vendor is
not listed below or in the vulnerability note, we have not received their
comments. Please contact your vendor directly.

Note that XDR libraries can be used by multiple applications on most
systems. It may be necessary to upgrade or apply multiple patches and then
recompile statically linked applications.

Applications that are statically linked must be recompiled using patched
libraries. Applications that are dynamically linked do not need to be
recompiled; however, running services need to be restarted in order to use
the patched libraries.

System administrators should consider the following process when
addressing this issue:

1. Patch or obtain updated XDR/RPC libraries.
2. Restart any dynamically linked services that make use of the XDR/RPC
libraries.
3. Recompile any statically linked applications using the patched or
updated XDR/RPC libraries.

Disable access to vulnerable services or applications
Until patches are available and can be applied, you may wish to disable
access to services or applications compiled with the vulnerable
xdr_array() function. Such applications include, but are not limited to,
the following:
 * DMI Service Provider daemon (dmispd)
 * CDE Calendar Manager Service daemon (rpc.cmsd)
 * MIT Kerberos 5 Administration daemon (kadmind)

As a best practice, the CERT/CC recommends disabling all services that are
not explicitly required.

Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below or in the individual vulnerability notes, we
have not received their comments.

Apple Computer, Inc.
The vulnerability described in this note is fixed with Security Update
2002-08-02.

Debian GNU/Linux
The Debian GNU/Linux distribution was vulnerable with regard to the
XDR problem as stated above with the following vulnerability matrix:

                        OpenAFS                 Kerberos5               GNU libc
                        _______                 _________               ________
  Debian 2.2 (potato)   not included            not included            vulnerable
  Debian 3.0 (woody)    vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable
  Debian unstable (sid) vulnerable (DSA 142-1)  vulnerable (DSA 143-1)  vulnerable

However, the following advisories were raised recently which contain and
announce fixes:

     DSA 142-1 OpenAFS (safe versions are: 1.2.3final2-6 (woody) and
1.2.6-1 (sid))
     DSA 143-1 Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and
1.2.5-2 (sid))

The advisory for the GNU libc is pending; it is currently being
recompiled. The fixed versions will probably be:
     Debian 2.2 (potato) glibc 2.1.3-23 or later
     Debian 3.0 (woody) glibc 2.2.5-11 or later
     Debian unstable (sid) glibc 2.2.5-12 or later

GNU glibc
Version 2.2.5 and earlier versions of the GNU C Library are vulnerable.
For Version 2.2.5, we suggest the following patch. This patch is also
available from the GNU C Library CVS repository at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc

2002-08-02 Jakub Jelinek <jakub@redhat.com>

 * sunrpc/xdr_array.c (xdr_array): Check for overflow on multiplication.
Patch by Solar Designer <solar@openwall.com>.

FreeBSD, Inc.
Please see
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc

Hewlett-Packard Company
SOURCE: Hewlett-Packard Company

RE: Potential RPC XDR buffer overflow
At the time of writing this document, Hewlett-Packard is currently
investigating the potential impact to HP's released operating system
software products.

As further information becomes available, HP will provide notice of the
availability of any necessary patches through standard security bulletin
announcements, and these will be available from your normal HP Services
support channel.

Juniper Networks
The Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR
for communication with an ERX edge router, but does not make use of the
Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC
XDR buffer overflow as outlined in this CERT advisory.

KTH and Heimdal Kerberos
kth-krb and heimdal are not vulnerable to this problem since they do not
use any Sun RPC at all.

MIT Kerberos Development Team
Please see
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

The patch is available directly:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

The following detached PGP signature should be used to verify the
authenticity and integrity of the patch:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

Microsoft Corporation
Microsoft is currently conducting an investigation based on this report.
We will update this advisory with information once it is complete.

NetBSD
Please see
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

Network Appliance
NetApp systems are not vulnerable to this problem.

OpenAFS
OpenAFS is an affected vendor for this vulnerability.
http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt details how
we have dealt with the issue.

Openwall Project
The xdr_array(3) integer overflow was present in the glibc package on
Openwall GNU/*/Linux until 2002/08/01 when it was corrected for
Owl-current and documented as a security fix in the system-wide change log
available at: http://www.openwall.com/Owl/CHANGES.shtml

The same glibc package update also fixes a very similar but different
calloc(3) integer overflow possibility that is currently not known to
allow for an attack on a particular application, but has been patched as a
proactive measure. The Sun RPC xdr_array(3) overflow may allow for passive
attacks on mount(8) by malicious or spoofed NFSv3 servers as well as for
both passive and active attacks on RPC clients or services that one might
install on Owl. (There're no RPC services included with Owl.)

RedHat Inc.
Red Hat distributes affected packages glibc and Kerberos in all Red Hat
Linux distributions. We are currently working on producing errata
packages; when complete, these will be available along with our advisory at
the URLs below. At the same time, users of the Red Hat Network will be
able to update their systems using the 'up2date' tool.

 http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
 http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)

SGI
SGI is currently looking into the matter, per:
ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A

Sun Microsystems, Inc.
Sun can confirm that there is a type overflow vulnerability in the
xdr_array(3NSL) function which is part of the network services library,
libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert
46122 which describes the issue, applications affected, and workaround
information. The Sun Alert will be updated as more information or patches
become available and is located here:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122

Sun will be publishing a Sun Security Bulletin for this issue once all of
the patches are available which will be located at:
http://sunsolve.sun.com/security

ADDITIONAL INFORMATION

Appendix B. - References
1. Manual entry for xdr_array(3)

2. VU#192995

3. RFC1831

4. RFC1832

5. Sun Alert 46122

6. Security Alert MITKRB5-SA-2002-001-xdr

7. Flaw in calloc and similar routines, Florian Weimer, University of
Stuttgart, RUS-CERT, 2002-08-05

The information has been provided by Rain Forest Puppy <rfp@vulnwatch.org>.
