Date: Wed, 19 Mar 2003 17:13:06 -0500
From: Mike Tancsa <mike@sentex.net>
To: security@FreeBSD.org
Subject: Re: Fwd: EEYE: XDR Integer Overflow
Message-ID: <5.2.0.9.0.20030319170809.082d2c98@marble.sentex.ca>
In-Reply-To: <5.2.0.9.0.20030319155420.080cbab8@marble.sentex.ca>
One of the patches seems to deal with

===================================================================
RCS file: /cvs/glibc/libc/sunrpc/rpc/xdr.h,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- libc/sunrpc/rpc/xdr.h   1999/10/09 21:26:03   1.26
+++ libc/sunrpc/rpc/xdr.h   2002/12/16 02:05:49   1.27
@@ -126,7 +126,7 @@
                                 /* returns bytes off from beginning */
     bool_t (*x_setpostn) (XDR *__xdrs, u_int __pos);
                                 /* lets you reposition the stream */
-    int32_t *(*x_inline) (XDR *__xdrs, int __len);
+    int32_t *(*x_inline) (XDR *__xdrs, u_int __len);
                                 /* buf quick ptr to buffered data */
     void (*x_destroy) (XDR *__xdrs);
                                 /* free privates of this xdr_stream */
@@ -139,7 +139,7 @@
     caddr_t x_public;           /* users' data */
     caddr_t x_private;          /* pointer to private data */
     caddr_t x_base;             /* private used for position info */
-    int x_handy;                /* extra private word */
+    u_int x_handy;              /* extra private word */
   };

 /*

NetBSD is not vulnerable due to, "The length types of the various
xdr*_getbytes functions were made consistent somewhere back in 1997 (all
u_int), so we're not vulnerable in that area."

However, FreeBSD still seems to have the above as an int as well. So it
appears to be vulnerable ?

        ---Mike

At 03:54 PM 19/03/2003 -0500, Mike Tancsa wrote:
>Anyone know if this affects FreeBSD ? There is no mention in the CERT
>advisory.
>
>        ---Mike
>
>
>>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>>List-Id: <bugtraq.list-id.securityfocus.com>
>>List-Post: <mailto:bugtraq@securityfocus.com>
>>List-Help: <mailto:bugtraq-help@securityfocus.com>
>>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>>Delivered-To: mailing list bugtraq@securityfocus.com
>>Delivered-To: moderator for bugtraq@securityfocus.com
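Review bot: changing x_handy from int to u_int (second hunk) only helps if every guard that reads the field is rewritten with it; a subtract-then-test-sign check such as `if ((xdrs->x_handy -= len) < 0)` can never fail once x_handy is unsigned, so the per-stream getbytes/inline routines need a compare-before-subtract form (`if (len > xdrs->x_handy) return FALSE;`) in the same change, and this header-only diff does not show those call sites. Likewise the x_inline prototype change in the first hunk requires the matching function definitions to take `u_int __len`, or the function-pointer assignments will mismatch. Neither hunk alters the size or offset of any field (int and u_int have the same width), so the XDR struct layout and ABI are preserved.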
>>From: "Marc Maiffret" <marc@eeye.com>
>>To: "BUGTRAQ" <BUGTRAQ@securityfocus.com>
>>Subject: EEYE: XDR Integer Overflow
>>Date: Wed, 19 Mar 2003 12:20:14 -0800
>>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>>Importance: Normal
>>X-Spam-Status: No, hits=0.6 required=7.0
>> tests=DISCLAIMER,KNOWN_MAILING_LIST,SPAM_PHRASE_01_02,
>> TO_LOCALPART_EQ_REAL,USER_AGENT_OUTLOOK
>> version=2.43
>>X-Virus-Scanned: by Sentex Communications (avscan1/20021227)
>>
>>XDR Integer Overflow
>>
>>Release Date:
>>March 19, 2003
>>
>>Severity:
>>High (Remote Code Execution/Denial of Service)
>>
>>Systems Affected:
>>
>>Sun Microsystems Network Services Library (libnsl)
>>BSD-derived libraries with XDR/RPC routines (libc)
>>GNU C library with sunrpc (glibc)
>>
>>Description:
>>
>>XDR is a standard for the description and encoding of data which is used
>>heavily in RPC implementations. Several libraries exist that allow a
>>developer to incorporate XDR into his or her applications. Vulnerabilities
>>were discovered in these libraries during the testing of new Retina auditing
>>technologies developed by the eEye research department.
>>
>>ADAM and EVE are two technologies developed by eEye to remotely and locally
>>audit applications for the existence of common vulnerabilities. During an
>>ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR
>>library. By supplying specific integer values in length fields during an RPC
>>transaction, we were able to produce various overflow conditions in UNIX RPC
>>services.
>>
>>Technical Description:
>>
>>The xdrmem_getbytes() function in the XDR library provided by Sun
>>Microsystems contains an integer overflow. Depending on the location and use
>>of the vulnerable xdrmem_getbytes() routine, various conditions may be
>>presented that can permit an attacker to remotely exploit a service using
>>this vulnerable routine.
>>
>>For the purpose of signature development and further security research a
>>sample session is included below that replicates an integer overflow in the
>>rpcbind shipped with various versions of the Solaris operating system.
>>
>>char evil_rpc[] =
>>
>>"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
>>"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
>>"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
>>"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>>"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
>>"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
>>"\xFF\xFF\xFF\xFF" // RPC argument length
>>"EEYECLIPSE2003";
>>
>>Vendor Status:
>>
>>Sun Microsystems was contacted on November 13, 2002 and CERT was contacted
>>shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
>>during a grace period of several months. Due to some difficulties
>>communicating with vendors, after rescheduling several times a release date
>>was set for March 18, 2003.
>>
>>eEye recommends obtaining the necessary patches or updates from vendors as
>>they become available after the release of this and the CERT advisory.
>>
>>For a list of vendors and their responses, please review the CERT advisory
>>at: http://www.cert.org/advisories/CA-2003-10.html
>>
>>You can find the latest copy of this advisory, along with other eEye
>>research at http://www.eeye.com/.
>>
>>Credit:
>>Riley Hassell - Senior Research Associate
>>
>>Greetings:
>>Liver destroyers of the world:
>>Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
>>
>>Copyright (c) 1998-2003 eEye Digital Security
>>Permission is hereby granted for the redistribution of this alert
>>electronically. It is not to be edited in any way without express consent of
>>eEye. If you wish to reprint the whole or any part of this alert in any
>>other medium excluding electronic medium, please e-mail alert@eEye.com for
>>permission.
>>
>>Disclaimer
>>The information within this paper may change without notice. Use of this
>>information constitutes acceptance for use in an AS IS condition. There are
>>NO warranties with regard to this information. In no event shall the author
>>be liable for any damages whatsoever arising out of or in connection with
>>the use or spread of this information. Any use of this information is at the
>>user's own risk.
>>
>>Feedback
>>Please send suggestions, updates, and comments to:
>>
>>eEye Digital Security
>>http://www.eEye.com
>>info@eEye.com
>
>--------------------------------------------------------------------
>Mike Tancsa,                                          tel +1 519 651 3400
>Sentex Communications,                                mike@sentex.net
>Providing Internet since 1994                         www.sentex.net
>Cambridge, Ontario Canada                             www.sentex.net/mike
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
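An added illustration of the int versus u_int length-guard issue the message above discusses; it is written for this page and is not code from glibc, FreeBSD or eEye. A constructed stand-in for the XDR stream's x_handy field shows why a subtract-then-test-sign guard on a signed x_handy accepts the 0xFFFFFFFF length from the advisory's sample, while a compare-before-subtract guard on the u_int field from the patch rejects it; the struct and function names are made up for the example, and the guard shape is the classic one, not a copy of any vendor's source.

```c
#include <stdio.h>

/* Constructed stand-ins for the XDR stream, reduced to the one field the
 * length guard touches: "int x_handy" is the pre-patch type the message
 * above points at, "unsigned int x_handy" the u_int from the glibc fix. */
struct xdr_old { int x_handy; };           /* bytes left, signed   */
struct xdr_new { unsigned int x_handy; };  /* bytes left, unsigned */

/* Weak guard: subtract first, then test the sign.  len is unsigned, so
 * the subtraction wraps in unsigned arithmetic and the value stored back
 * into the int can be non-negative although len dwarfs the buffer.
 * Returns 1 if the caller would go on to copy len bytes, 0 if refused. */
static int old_check_accepts(struct xdr_old *xdrs, unsigned int len)
{
    if ((xdrs->x_handy -= len) < 0)
        return 0;
    return 1;
}

/* Hardened guard: compare the original values before subtracting, all in
 * unsigned arithmetic, so no wrap-around can slip past the check. */
static int new_check_accepts(struct xdr_new *xdrs, unsigned int len)
{
    if (len > xdrs->x_handy)
        return 0;
    xdrs->x_handy -= len;
    return 1;
}

/* Wrappers: a stream with `avail` bytes left is asked for `len`; 1 = accepted. */
int old_accepts(int avail, unsigned int len)
{
    struct xdr_old s = { avail };
    return old_check_accepts(&s, len);
}

int new_accepts(unsigned int avail, unsigned int len)
{
    struct xdr_new s = { avail };
    return new_check_accepts(&s, len);
}

int main(void)
{
    unsigned int huge = 0xFFFFFFFFu;  /* the length from the advisory's sample */
    printf("100 left, len=0x%x: old guard %s, new guard %s\n", huge,
           old_accepts(100, huge) ? "ACCEPTS" : "rejects",
           new_accepts(100, huge) ? "ACCEPTS" : "rejects");
    return 0;
}
```

With 100 bytes buffered, the old guard computes 100 - 0xFFFFFFFF as the unsigned value 101, stores it back as a positive int and accepts; the new guard sees len > 100 and refuses before touching x_handy.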