From owner-freebsd-security Wed Mar 19 14: 7:45 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2505037B401; Wed, 19 Mar 2003 14:07:39 -0800 (PST)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B60543F85; Wed, 19 Mar 2003 14:07:38 -0800 (PST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2JM7arj024884; Wed, 19 Mar 2003 17:07:37 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030319170809.082d2c98@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Wed, 19 Mar 2003 17:13:06 -0500
To: security@FreeBSD.org
From: Mike Tancsa
Subject: Re: Fwd: EEYE: XDR Integer Overflow
In-Reply-To: <5.2.0.9.0.20030319155420.080cbab8@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

One of the patches seems to deal with

=================================================================== RCS file: /cvs/glibc/libc/sunrpc/rpc/xdr.h,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 --- libc/sunrpc/rpc/xdr.h 1999/10/09 21:26:03 1.26 +++ libc/sunrpc/rpc/xdr.h 2002/12/16 02:05:49 1.27
@@ -126,7 +126,7 @@ /* returns bytes off from beginning */ bool_t (*x_setpostn) (XDR *__xdrs, u_int __pos); /* lets you reposition the stream */ - int32_t *(*x_inline) (XDR *__xdrs, int __len); + int32_t *(*x_inline) (XDR *__xdrs, u_int __len); /* buf quick ptr to buffered data */ void (*x_destroy) (XDR *__xdrs); /* free privates of this xdr_stream */ @@ -139,7 +139,7 @@ caddr_t x_public; /* users' data */ caddr_t x_private; /* pointer to private data */ caddr_t x_base; /* private used for position info */ - int x_handy; /* extra private word */ + u_int x_handy; /* extra private word */ }; /*

NetBSD is not vulnerable due to: "The length types of the various xdr*_getbytes functions were made consistent somewhere back in 1997 (all u_int), so we're not vulnerable in that area." However, FreeBSD still seems to have the above as an int as well. So it appears to be vulnerable?

        ---Mike

At 03:54 PM 19/03/2003 -0500, Mike Tancsa wrote:
>Anyone know if this affects FreeBSD? There is no mention in the CERT
>advisory.
>
>        ---Mike
>
>
>>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>>List-Id:
>>List-Post:
>>List-Help:
>>List-Unsubscribe:
>>List-Subscribe:
>>Delivered-To: mailing list bugtraq@securityfocus.com
>>Delivered-To: moderator for bugtraq@securityfocus.com
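Review bot: the first hunk (@@ -126,7) changes the `x_inline` callback's length parameter from `int __len` to `u_int __len`, which is an API-visible change to a public header: every function installed as `x_inline` in an `xdr_ops` table has to change its prototype in step or it no longer matches the function-pointer type, and this diff shows only the header. The matching implementation changes belong in the same commit, together with a changelog line saying that third-party XDR stream implementations need the same signature update.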
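Review bot: the second hunk (@@ -139,7) only changes the type of `x_handy` to `u_int`; on its own that does not fix a remaining-bytes check written in the subtract-then-test style (`if ((x_handy -= len) < 0)`), which becomes always-false once `x_handy` cannot be negative, so every consumer of `x_handy` has to be converted to compare before subtracting (`if (len > xdrs->x_handy) return FALSE; xdrs->x_handy -= len;`). Those changes are not in this header-only diff and should accompany it. The comment `/* extra private word */` is also no longer a useful description; documenting the field as the unsigned count of bytes remaining in the buffer would make the invariant the new checks depend on explicit.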
>>From: "Marc Maiffret"
>>To: "BUGTRAQ"
>>Subject: EEYE: XDR Integer Overflow
>>Date: Wed, 19 Mar 2003 12:20:14 -0800
>>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>>Importance: Normal
>>X-Spam-Status: No, hits=0.6 required=7.0
>>       tests=DISCLAIMER,KNOWN_MAILING_LIST,SPAM_PHRASE_01_02,
>>       TO_LOCALPART_EQ_REAL,USER_AGENT_OUTLOOK
>>       version=2.43
>>X-Virus-Scanned: by Sentex Communications (avscan1/20021227)
>>
>>XDR Integer Overflow
>>
>>Release Date:
>>March 19, 2003
>>
>>Severity:
>>High (Remote Code Execution/Denial of Service)
>>
>>Systems Affected:
>>
>>Sun Microsystems Network Services Library (libnsl)
>>BSD-derived libraries with XDR/RPC routines (libc)
>>GNU C library with sunrpc (glibc)
>>
>>Description:
>>
>>XDR is a standard for the description and encoding of data which is used
>>heavily in RPC implementations. Several libraries exist that allow a
>>developer to incorporate XDR into his or her applications. Vulnerabilities
>>were discovered in these libraries during the testing of new Retina auditing
>>technologies developed by the eEye research department.
>>
>>ADAM and EVE are two technologies developed by eEye to remotely and locally
>>audit applications for the existence of common vulnerabilities. During an
>>ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR
>>library. By supplying specific integer values in length fields during an RPC
>>transaction, we were able to produce various overflow conditions in UNIX RPC
>>services.
>>
>>Technical Description:
>>
>>The xdrmem_getbytes() function in the XDR library provided by Sun
>>Microsystems contains an integer overflow. Depending on the location and use
>>of the vulnerable xdrmem_getbytes() routine, various conditions may be
>>presented that can permit an attacker to remotely exploit a service using
>>this vulnerable routine.
>>
>>For the purpose of signature development and further security research a
>>sample session is included below that replicates an integer overflow in the
>>rpcbind shipped with various versions of the Solaris operating system.
>>
>>char evil_rpc[] =
>>
>>"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
>>"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
>>"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
>>"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>>"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
>>"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
>>"\xFF\xFF\xFF\xFF" // RPC argument length
>>"EEYECLIPSE2003";
>>
>>Vendor Status:
>>
>>Sun Microsystems was contacted on November 13, 2002 and CERT was contacted
>>shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
>>during a grace period of several months. Due to some difficulties
>>communicating with vendors, after rescheduling several times a release date
>>was set for March 18, 2003.
>>
>>eEye recommends obtaining the necessary patches or updates from vendors as
>>they become available after the release of this and the CERT advisory.
>>
>>For a list of vendors and their responses, please review the CERT advisory
>>at: http://www.cert.org/advisories/CA-2003-10.html
>>
>>You can find the latest copy of this advisory, along with other eEye
>>research at http://www.eeye.com/.
>>
>>Credit:
>>Riley Hassell - Senior Research Associate
>>
>>Greetings:
>>Liver destroyers of the world:
>>Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
>>
>>Copyright (c) 1998-2003 eEye Digital Security
>>Permission is hereby granted for the redistribution of this alert
>>electronically. It is not to be edited in any way without express consent of
>>eEye. If you wish to reprint the whole or any part of this alert in any
>>other medium excluding electronic medium, please e-mail alert@eEye.com for
>>permission.
>>
>>Disclaimer
>>The information within this paper may change without notice. Use of this
>>information constitutes acceptance for use in an AS IS condition. There are
>>NO warranties with regard to this information. In no event shall the author
>>be liable for any damages whatsoever arising out of or in connection with
>>the use or spread of this information. Any use of this information is at the
>>user's own risk.
>>
>>Feedback
>>Please send suggestions, updates, and comments to:
>>
>>eEye Digital Security
>>http://www.eEye.com
>>info@eEye.com
>
>--------------------------------------------------------------------
>Mike Tancsa,                                       tel +1 519 651 3400
>Sentex Communications,                             mike@sentex.net
>Providing Internet since 1994                      www.sentex.net
>Cambridge, Ontario Canada                          www.sentex.net/mike
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
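The following is an added illustration, not code from this thread, from the eEye advisory, from glibc or from FreeBSD. It models a hypothetical minimal XDR memory stream with the two fields the header diff above touches and puts the pre-patch signed bounds check (`int x_handy`, subtract and then test the sign) beside the unsigned, compare-before-subtract form that the change to `u_int` calls for. Both are fed the length value the advisory's sample packet places in its RPC argument length field (0xFFFFFFFF) plus a few neighbouring values. The struct and function names and the constructed 9-byte "localhost" buffer are assumptions for the demonstration; the signed variant reports only the verdict of its check and copies nothing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal XDR memory stream (added illustration; not glibc's
 * or FreeBSD's struct). Only the two fields the header diff touches are
 * modelled: the read cursor and the count of bytes still available. */
struct xdr_signed {
    const char *x_private;   /* next unread byte in the buffer */
    int         x_handy;     /* bytes remaining, signed (pre-patch type) */
};

struct xdr_unsigned {
    const char *x_private;
    uint32_t    x_handy;     /* bytes remaining, unsigned (post-patch type) */
};

/* Pre-patch style check: subtract first, then test the sign. `len` is
 * unsigned (as in the xdr*_getbytes prototypes), so `x_handy -= len` is
 * computed in unsigned arithmetic, wraps, and is converted back to int.
 * With remaining = 9 and len = 0xFFFFFFFF the result is 10, the sign test
 * passes, and a real getbytes would go on to copy 4 GiB. This function
 * returns only the verdict of the check and copies nothing. */
bool signed_check_accepts(int remaining, uint32_t len)
{
    struct xdr_signed s = { "", remaining };
    if ((s.x_handy -= len) < 0)
        return false;        /* rejected */
    return true;             /* accepted */
}

/* Post-patch style getbytes: everything unsigned, and the comparison is
 * made before any arithmetic, so no wrap-around can reach the copy. */
bool hardened_getbytes(struct xdr_unsigned *x, char *out, uint32_t len)
{
    if (len > x->x_handy)    /* reject before subtracting */
        return false;
    memcpy(out, x->x_private, len);
    x->x_private += len;
    x->x_handy   -= len;
    return true;
}

/* Bit flags returned by compare_checks(). */
#define ACCEPTED_BY_SIGNED_CHECK 1u
#define ACCEPTED_BY_HARDENED     2u

/* Runs both variants against a constructed 9-byte buffer holding
 * "localhost" (the string the advisory's sample packet carries behind its
 * 0x00000009 length) for one requested length, and reports which accepted. */
unsigned compare_checks(uint32_t len)
{
    static const char payload[] = "localhost";    /* constructed sample */
    char out[sizeof payload] = { 0 };
    struct xdr_unsigned u = { payload, sizeof payload - 1 };  /* 9 bytes */
    unsigned verdict = 0;

    if (signed_check_accepts((int)(sizeof payload - 1), len))
        verdict |= ACCEPTED_BY_SIGNED_CHECK;
    if (hardened_getbytes(&u, out, len))
        verdict |= ACCEPTED_BY_HARDENED;
    return verdict;
}

int main(void)
{
    const uint32_t probes[] = { 8u, 9u, 10u, 0x80000000u, 0xFFFFFF00u, 0xFFFFFFFFu };
    size_t i;

    puts("len         signed-check  hardened");
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned v = compare_checks(probes[i]);
        printf("0x%08x  %-12s  %s\n", probes[i],
               (v & ACCEPTED_BY_SIGNED_CHECK) ? "accepts" : "rejects",
               (v & ACCEPTED_BY_HARDENED)     ? "accepts" : "rejects");
    }
    return 0;
}
```

Built with `cc -Wall -Wextra`, the signed variant compiles silently: the `< 0` comparison is int against int, so the sign-compare warnings never see the unsigned subtraction that precedes it. That is why the fix is not a type change in the header alone but unsigned length bookkeeping with the comparison made before the subtraction, as in `hardened_getbytes`; the lengths 0xFFFFFF00 and 0xFFFFFFFF are exactly the ones the two variants disagree on.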