[NT] Flaw in Services for UNIX 3.0 Interix SDK Could Allow Code Execution
From: support@securiteam.com Date: 10/04/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 4 Oct 2002 22:28:04 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Flaw in Services for UNIX 3.0 Interix SDK Could Allow Code Execution
------------------------------------------------------------------------
SUMMARY
All three vulnerabilities discussed in this bulletin involve the inclusion
of the Sun RPC library in Microsoft's Services for UNIX (SFU) 3.0 on the
Interix SDK. Developers who created applications or utilities using the
Sun RPC library from the Interix SDK need to evaluate three
vulnerabilities.
Windows Services for UNIX (SFU) 3.0 provides a full range of
cross-platform services to integrate Windows into existing UNIX
environments. In version 3.0, the Interix subsystem technology is built in
so that Windows Services for UNIX 3.0 can provide platform
interoperability and application migration in one fully integrated and
supported product from Microsoft. Developers who have integrated Windows
into their existing UNIX environments may have used the Interix SDK to
develop custom applications and utilities so that applications that only
ran on the UNIX platform can now run in a Windows environment. Developers
who used the Interix SDK to develop applications or utilities should read
this bulletin.
The first vulnerability is an integer overflow in the XDR library that
ships with the Sun RPC library on the Interix SDK for Microsoft's Services
for Unix (SFU) 3.0. An attacker could send a malicious RPC request to the
RPC server from a remote machine and cause corruption in the server
program. This can cause the server to fail and potentially allow the
attacker to run code of his or her choice in the context of the server
program.
The second vulnerability is a buffer overrun. An attacker could send a
malicious RPC request to the RPC server with an improper parameter size
check. This could lead to a buffer overrun, causing the server to fail and
preventing it from servicing any further requests from clients.
The third vulnerability is an RPC implementation error. An application
using the Sun RPC library does not properly check the size of client TCP
requests. This could result in a denial of service to a server application
using the Sun RPC library. The RPC library expects client TCP requests to
specify the size of the record that follows. Because there is a flaw in
the way RPC detects client packets, an attacker could send a malformed RPC
request to the RPC server from a remote machine and cause the server to
fail by not servicing any further client requests.
After applying the patch, it is necessary to recompile any Interix
application that is statically linked with the Interix SDK Sun RPC
library.
DETAILS
Affected Software:
Only applications or utilities running on the following operating systems
using the Sun Microsystems RPC library on the Services for Unix 3.0
Interix SDK should consider applying the patch.
* Microsoft Windows NT4
* Microsoft Windows 2000
* Microsoft Windows XP
Mitigating factors:
* Only applications or utilities that were created using the Interix SDK
and specifically that use the Sun RPC library, would be affected by these
vulnerabilities.
* If an administrator or developer has only installed the Interix SDK but
has not actually created applications with the SDK that use the Sun RPC
library, the systems where the SDK was installed would not be vulnerable.
Patch availability:
Download locations for this patch.
This patch can be installed on any of the following platforms:
* Microsoft Windows NT4 Service Pack 6a
* Windows 2000
* Windows XP
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43447
All three vulnerabilities discussed in this bulletin involve the inclusion
of the SUN RPC library in Microsoft's Services for UNIX (SFU) 3.0 on the
Interix SDK. Developers who created applications or utilities using the
SUN RPC library on the Interix SDK need to evaluate the following three
vulnerabilities.
What is RPC?
RPC (Remote Procedure Call) is a technology that's used extensively to
support distributed applications -- that is, applications whose components
are located on different computers. The primary purpose of RPC is to
provide a way for the components to communicate with each other. This
allows the components to levy requests on each other and communicate the
results of these requests. This bulletin pertains to the Sun RPC protocol.
What is SFU?
SFU stands for Services for UNIX. Windows Services for UNIX version 3.0
provides a full range of cross-platform services for integrating Windows
into existing UNIX-based environments.
To get more detailed information regarding Services for Unix, please see
http://www.microsoft.com/windows/sfu/docs/sfuwp.doc
How are Microsoft Services for Unix 3.0 and Interix related?
The Interix technology provides a UNIX environment that runs on top of the
Windows kernel, enabling UNIX applications and scripts to run natively on
the Windows platform alongside Windows applications. With this capability,
an installation can continue to get value out of its UNIX scripts and
applications - simply reuse them on Windows.
The key difference between Windows Services for UNIX 2.0 and 3.0 is that
Microsoft Interix is fully integrated into Windows Services for UNIX 3.0.
The Interix subsystem technology provides a universal environment in which
to run both Windows and UNIX applications on a single system. A technical
overview of Services for UNIX 3.0 with Interix is available from Microsoft.
What is the Interix SDK?
The Interix SDK, included with SFU 3.0, provides compilers, tools,
libraries & debuggers for migrating applications on UNIX to run in a
Windows environment.
What kinds of applications or utilities are being created using the
Interix SDK?
The application might be any UNIX-based application. Largely
the Interix SDK is used to support existing applications that need to be
ported to the Windows platform without changing their source code.
Developers seldom write applications from scratch using the Interix SDK.
Doesn't Microsoft ship applications using the Sun RPC protocol along with
Services for Unix 3.0? Aren't they vulnerable?
No. Microsoft shipped Server for NFS, Server for NIS, Server for PCNFS,
PortMapper and User Name Mapping Server with Services for Unix 3.0. All of
these applications use the Sun RPC protocol; however none of these
applications uses the Interix SDK Sun RPC library. They have been verified
not to be affected by any of the vulnerabilities discussed in this
bulletin.
Does the SDK go to third party partners or is it generally available?
The Sun RPC library ships with SFU 3.0. Services for Unix 3.0 and Interix
are also bundled by some ISVs, so they may be providing the SDK with their
products.
How do I tell if a third party product includes SFU 3.0 and the Interix
SDK?
There is no standard way to tell. If you use a third-party Interix server
application, the best course is to contact the vendor to verify whether
the application uses the Sun RPC library from the Interix SDK.
Integer Overflow in XDR library:
What's the scope of this vulnerability?
There is a buffer overrun due to an overflow in a variable that contains a
parameter. This parameter defines the size of an array for applications
that use External Data Representation (XDR). The vulnerability can lead to
a denial of service by crashing the application, or to running code at a
higher privilege level in a server application that uses the Sun XDR
library. Sun Microsystems distributed this functionality as part of their
XDR library.
This library ships with Services for Unix (SFU) 3.0 on the Interix SDK.
Remote attackers could exploit this vulnerability to either cause the
application to fail or to cause the execution of arbitrary code on a
target server. An attacker could send a malicious RPC request to the RPC
server from a remote machine. This could cause heap corruption in the
server program. The heap corruption in turn could cause the server to
crash, thereby preventing it from servicing further requests from other
client programs. The attacker could also exploit the heap corruption to
run malicious code in the context of the server program.
What causes the vulnerability?
There is a buffer overrun in a variable used by applications developed
with the Sun XDR library that shipped with SFU 3.0. It is possible to
overflow a variable that holds the size of an array parameter.
What are the XDR libraries?
The XDR (external data representation) libraries are used to provide
platform-independent methods for sending data from one system process to
another over a network connection. These libraries shipped with Services
For Unix 3.0.
To learn more about XDR please refer to
<ftp://ftp.isi.edu/in-notes/rfc1832.txt> XDR: External Data Representation
Standard.
What's wrong with the XDR libraries?
There is a function in the XDR library that contains an integer overflow
which could result in memory being improperly allocated. Because inputs
are not properly checked, the misallocation of memory could lead to a
buffer overflow.
Is this issue related to a CERT advisory?
Yes, this relates to
<http://www.securiteam.com/unixfocus/5LP0G0081U.html> VU#192995.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to send a malformed RPC
request that would cause the application to either fail or to run code as
system in a server application using the Sun RPC library. If an attacker
were able to run code on the RPC server, the attacker would have the same
privileges as the application.
How could an attacker exploit this vulnerability?
An attacker can send a malicious RPC request to the RPC server from a
remote machine. This can cause the heap corruption in the server program.
The heap corruption in turn can cause the server to crash, thereby
preventing it from servicing further requests from other client programs.
What does the patch do?
The patch eliminates the vulnerability by properly checking inputs for the
integer overflow that could lead to the denial of service or code
execution.
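As an added illustration of the flaw class described in this section (example code, not Interix SDK or Sun library code; all names are hypothetical), the decoder below reads an XDR variable-length array of 32-bit integers (a 4-byte big-endian element count followed by the elements, per RFC 1832) and shows why the element count must be bounded before any allocation size is computed from it:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Read a 4-byte big-endian XDR unsigned integer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The arithmetic at the heart of the bug: a client-supplied element count
 * multiplied by the element size in 32-bit arithmetic. 0x40000001 * 4 wraps
 * to 4, so the allocation is tiny while the decode loop runs ~1 billion times. */
uint32_t unchecked_bytes32(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Hardened decoder (hypothetical helper). Returns the element count and sets
 * *out to a malloc'd array, or returns -1 with *out == NULL on malformed input.
 * maxelems is the application's own ceiling on array length. */
long xdr_decode_u32_array(const uint8_t *buf, size_t len,
                          uint32_t maxelems, uint32_t **out)
{
    *out = NULL;
    if (len < 4)
        return -1;
    uint32_t count = be32(buf);
    /* Two checks, both done by division so nothing can wrap: the count must
     * be within the application limit, and the bytes for every element must
     * actually be present in the buffer. */
    if (count > maxelems || count > (len - 4) / 4)
        return -1;
    uint32_t *arr = malloc(count ? (size_t)count * 4 : 4);
    if (!arr)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = be32(buf + 4 + (size_t)i * 4);
    *out = arr;
    return (long)count;
}
```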
Improper parameter size check leading to denial of service:
What's the scope of this vulnerability?
The RPC library expects client requests to be broken down into variable
sized fragments in a certain format, with each fragment's leading bit
specifying whether it is the last fragment. The next bits specify the size
of the data to follow. If a malicious client were to send a particular
malformed fragment to a service, the RPC library would go into a "hung"
state and be unable to respond to any further requests - leading to a
denial of service.
Any RPC server using the Sun RPC library is vulnerable.
What causes the vulnerability?
The RPC library expects that client requests will be broken down into
variable sized fragments with each fragment's leading bit specifying
whether it is the last fragment. The next bits specify the size of the
data to follow. There is a flaw in the RPC library that will cause the
application to hang if the fragmented packets are malformed in a
particular way.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause an RPC server to stop
responding to client requests. In other words, this is a denial of service
vulnerability.
How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by writing a program that
sent malformed packets to the RPC server and caused it to be unable to
service any further client requests.
Does the attacker need to be an authenticated user?
No. Anyone who can access a computer through a network could carry out
this attack.
Can a TCP attack be blocked at the firewall?
An administrator could block TCP port 111 on the firewall and so prevent a
remote user from sending malformed packets to an RPC server inside the
firewall.
Is there any way to recover from the denial of service?
The administrator would normally only need to restart the application.
There may be cases where the specific application might require an
administrator to reboot the server.
What does the patch do?
The patch eliminates the vulnerability by properly checking inputs to the
RPC server.
Denial of service by sending an invalid RPC request:
What's the scope of this vulnerability?
The third vulnerability is an RPC implementation error. An application
using the Sun RPC library does not properly check the size of client TCP
requests. This could result in a denial of service to a server application
using the Sun RPC library. The RPC library expects client TCP requests to
specify the size of the record that follows. Because there is a flaw in
the way RPC detects client packets, an attacker could send a malformed RPC
request to the RPC server from a remote machine and cause the server to
fail by not servicing any further client requests.
What causes the vulnerability?
The RPC library expects client TCP requests to be broken down into
fragments of variable sizes. Because there is a flaw in the way the RPC
library performs input validation on the fragmented client packets, an
attacker could cause the server to enter a state from which it could not
handle client requests.
What could this vulnerability enable an attacker to do?
An attacker could create a denial of service for client requests to the
RPC server and cause the server to fail.
How could an attacker exploit this vulnerability?
An attacker could write a program that invoked the RPC implementation
error by sending malformed data packets to the RPC server.
Does the attacker need to be an authenticated user?
No. Anyone who can access a computer through a network could carry out
this attack.
Can a TCP attack be blocked at the firewall?
An administrator could block TCP port 111 on the firewall and so prevent a
remote user from sending malformed packets to an RPC server inside the
firewall.
Is there any way to recover from the denial of service?
The administrator would normally only need to restart the application.
There may be cases where the specific application might require an
administrator to reboot the server.
What does the patch do?
The patch corrects the RPC implementation error by detecting invalid
client packets and refusing to service them.
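Both of the denial-of-service issues above concern the TCP record marking that frames Sun RPC requests. The checker below is an added example (not Interix SDK or Sun library code; names are hypothetical) of the kind of validation the patch description calls for: it walks a buffered TCP stream, decodes each 4-byte fragment mark (high bit = last fragment, low 31 bits = length) and bounds every length before it is trusted, so a malformed fragment sequence is rejected rather than wedging the reader:

```c
#include <stdint.h>
#include <stddef.h>

#define RM_LAST_FRAG 0x80000000u   /* high bit of the record mark */
#define RM_LEN_MASK  0x7fffffffu   /* remaining 31 bits: fragment length */

enum rm_status { RM_OK = 0, RM_NEED_MORE, RM_TOO_LARGE, RM_BAD_FRAGMENT };

/* Scan one RPC record from buf[0..len). On RM_OK, *record_len is the total
 * payload size (marks excluded) and *consumed the bytes the record occupies.
 * maxrec caps the reassembled record; the caller picks it from its own
 * resource budget. RM_NEED_MORE means the record is not yet fully buffered. */
enum rm_status rm_scan_record(const uint8_t *buf, size_t len, size_t maxrec,
                              size_t *record_len, size_t *consumed)
{
    size_t off = 0, total = 0;
    for (;;) {
        if (len - off < 4)
            return RM_NEED_MORE;
        uint32_t mark = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                        ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        uint32_t flen = mark & RM_LEN_MASK;
        int last = (mark & RM_LAST_FRAG) != 0;
        off += 4;
        /* Policy choice: a zero-length fragment that is not the last carries
         * no data and only keeps the reader waiting on this peer; reject it. */
        if (flen == 0 && !last)
            return RM_BAD_FRAGMENT;
        /* Bound before accumulating so total can neither wrap nor exceed maxrec. */
        if (flen > maxrec || total > maxrec - flen)
            return RM_TOO_LARGE;
        if (len - off < flen)
            return RM_NEED_MORE;
        off += flen;
        total += flen;
        if (last) {
            *record_len = total;
            *consumed = off;
            return RM_OK;
        }
    }
}
```

A server would close the connection on RM_TOO_LARGE or RM_BAD_FRAGMENT instead of waiting for the rest of a record the peer never intends to complete.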
ADDITIONAL INFORMATION
The information has been provided by Microsoft.