Date:      Wed, 19 Mar 2003 15:54:49 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        security@freebsd.org
Subject:   Fwd: EEYE: XDR Integer Overflow
Message-ID:  <5.2.0.9.0.20030319155420.080cbab8@marble.sentex.ca>


Anyone know if this affects FreeBSD? There is no mention in the CERT advisory.

         ---Mike


>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>From: "Marc Maiffret" <marc@eeye.com>
>To: "BUGTRAQ" <BUGTRAQ@securityfocus.com>
>Subject: EEYE: XDR Integer Overflow
>Date: Wed, 19 Mar 2003 12:20:14 -0800
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>Importance: Normal
>X-Spam-Status: No, hits=0.6 required=7.0
>         tests=DISCLAIMER,KNOWN_MAILING_LIST,SPAM_PHRASE_01_02,
>               TO_LOCALPART_EQ_REAL,USER_AGENT_OUTLOOK
>         version=2.43
>X-Virus-Scanned: by Sentex Communications (avscan1/20021227)
>
>XDR Integer Overflow
>
>Release Date:
>March 19, 2003
>
>Severity:
>High (Remote Code Execution/Denial of Service)
>
>Systems Affected:
>
>Sun Microsystems Network Services Library (libnsl)
>BSD-derived libraries with XDR/RPC routines (libc)
>GNU C library with sunrpc (glibc)
>
>Description:
>
>XDR is a standard for the description and encoding of data which is used
>heavily in RPC implementations. Several libraries exist that allow a
>developer to incorporate XDR into his or her applications. Vulnerabilities
>were discovered in these libraries during the testing of new Retina auditing
>technologies developed by the eEye research department.
>
>ADAM and EVE are two technologies developed by eEye to remotely and locally
>audit applications for the existence of common vulnerabilities. During an
>ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR
>library. By supplying specific integer values in length fields during an RPC
>transaction, we were able to produce various overflow conditions in UNIX RPC
>services.
>
>Technical Description:
>
>The xdrmem_getbytes() function in the XDR library provided by Sun
>Microsystems contains an integer overflow. Depending on the location and use
>of the vulnerable xdrmem_getbytes() routine, various conditions may be
>presented that can permit an attacker to remotely exploit a service using
>this vulnerable routine.
>
>For the purpose of signature development and further security research a
>sample session is included below that replicates an integer overflow in the
>rpcbind shipped with various versions of the Solaris operating system.
>
>char evil_rpc[] =
>
>"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
>"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
>"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
>"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
>"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
>"\xFF\xFF\xFF\xFF" // RPC argument length
>"EEYECLIPSE2003";
>
>Vendor Status:
>
>Sun Microsystems was contacted on November 13, 2002 and CERT was contacted
>shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
>during a grace period of several months. Due to some difficulties
>communicating with vendors, after rescheduling several times a release date
>was set for March 18, 2003.
>
>eEye recommends obtaining the necessary patches or updates from vendors as
>they become available after the release of this and the CERT advisory.
>
>For a list of vendors and their responses, please review the CERT advisory
>at: http://www.cert.org/advisories/CA-2003-10.html
>
>You can find the latest copy of this advisory, along with other eEye
>research at http://www.eeye.com/.
>
>Credit:
>Riley Hassell - Senior Research Associate
>
>Greetings:
>Liver destroyers of the world:
>Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
>
>Copyright (c) 1998-2003 eEye Digital Security
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without express consent of
>eEye. If you wish to reprint the whole or any part of this alert in any
>other medium excluding electronic medium, please e-mail alert@eEye.com for
>permission.
>
>Disclaimer
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>NO warranties with regard to this information. In no event shall the author
>be liable for any damages whatsoever arising out of or in connection with
>the use or spread of this information. Any use of this information is at the
>user's own risk.
>
>Feedback
>Please send suggestions, updates, and comments to:
>
>eEye Digital Security
>http://www.eEye.com
>info@eEye.com

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                     www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
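Added illustration (not part of the forwarded message or of the eEye advisory, and not the Sun, BSD or glibc xdrmem_getbytes() source): the advisory describes a length field of 0xFFFFFFFF slipping past a decoder's bounds check. The constructed code below models that bug class with invented names (xdr_cursor, flawed_length_ok, hardened_length_ok, xdr_length_mismatch). It shows the signed "subtract then test for negative" check wrapping on a 32-bit count and admitting the oversized length, the unsigned compare that rejects it, and a small record check of the kind a signature writer would apply to an RPC message: does the declared XDR length exceed the bytes actually present? The payload bytes in main() are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed teaching model of the bug class described in the advisory.
 * An XDR variable-length field carries a 4-byte big-endian length and the
 * decoder must check it against the bytes left in the buffer.  Names here
 * are invented; this is not the Sun/BSD/glibc xdrmem_getbytes() code.
 */

/* Read a big-endian 32-bit unsigned integer, the XDR wire form of u_int. */
static uint32_t xdr_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Flawed check: subtract the requested length from a 32-bit signed count of
 * remaining bytes and accept if the result is not negative.  With
 * len = 0xFFFFFFFF the 32-bit subtraction wraps to "remaining + 1", which is
 * positive, so the oversized request is accepted.  No copy is performed here;
 * the function only reports the verdict (1 = accepted, 0 = rejected).
 */
int flawed_length_ok(int32_t remaining, uint32_t len)
{
    uint32_t wrapped = (uint32_t)remaining - len;  /* modular 32-bit arithmetic */
    int32_t new_remaining = (int32_t)wrapped;      /* wraps on every mainstream compiler */
    return new_remaining >= 0;
}

/*
 * Hardened check: compare unsigned against unsigned before touching the
 * count, so nothing can wrap.  Returns 1 if len fits in remaining.
 */
int hardened_length_ok(int32_t remaining, uint32_t len)
{
    if (remaining < 0)
        return 0;
    return len <= (uint32_t)remaining;
}

/*
 * Detection-side helper: given a buffer that starts with an XDR length field
 * followed by its payload, report whether the declared length exceeds the
 * bytes actually present.  Returns 1 for a mismatch worth alerting on, 0 for
 * a consistent record, -1 if there is not even a complete length field.
 */
int xdr_length_mismatch(const unsigned char *buf, size_t buflen)
{
    if (buflen < 4)
        return -1;
    uint32_t declared = xdr_be32(buf);
    size_t present = buflen - 4;
    return declared > present ? 1 : 0;
}

int main(void)
{
    /* Constructed record: declared length 0xFFFFFFFF, 14 payload bytes. */
    static const unsigned char hostile[] = "\xFF\xFF\xFF\xFF" "payload-bytes!";
    /* Constructed record: declared length 9, 9 payload bytes. */
    static const unsigned char benign[]  = "\x00\x00\x00\x09" "localhost";

    printf("flawed check admits len 0xFFFFFFFF with 14 bytes left: %d\n",
           flawed_length_ok(14, 0xFFFFFFFFu));
    printf("hardened check admits it: %d\n",
           hardened_length_ok(14, 0xFFFFFFFFu));
    printf("hostile record length mismatch: %d\n",
           xdr_length_mismatch(hostile, sizeof hostile - 1));
    printf("benign record length mismatch: %d\n",
           xdr_length_mismatch(benign, sizeof benign - 1));
    return 0;
}
```

The flawed check does catch a plain overrun (len 20 against 14 remaining gives a negative result), which is why it looks correct on casual review; only the wrap-around case defeats it. The fix is to keep the length comparison unsigned and to do it before any arithmetic on the count.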
