Original release date: August 05, 2002<br>
Last revised: October 03, 2002<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<br>
<a name="affected"></a>
<h3>Systems Affected</h3>

Applications using vulnerable implementations of SunRPC-derived XDR
libraries, which include, but are not limited to:

<ul>
<li>Sun Microsystems network services library (libnsl)
<li>BSD-derived libraries with XDR/RPC routines (libc) 
<li>GNU C library with sunrpc (glibc)
</ul>

<br>
<a name="overview"></a>
<h2>Overview</h2>

<P>

There is an integer overflow present in the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html"><i>xdr_array()</i></a>
function distributed as part of the Sun Microsystems <a
href="ftp://ftp.isi.edu/in-notes/rfc1832.txt">XDR library</a>. This
overflow has been shown to lead to remotely exploitable buffer
overflows in multiple applications, leading to the execution of
arbitrary code. Although the library was originally distributed by Sun
Microsystems, multiple vendors have included the vulnerable code in
their own implementations.

</p>

<a name="description"></a>
<h2>I. Description</h2>

<p>
The XDR (external data representation) libraries are used to provide
platform-independent methods for sending data from one system process
to another, typically over a network connection. Such routines are
commonly used in remote procedure call (<a
href="ftp://ftp.isi.edu/in-notes/rfc1831.txt">RPC</a>) implementations
to provide transparency to application programmers who need to use
common interfaces to interact with many different types of
systems. The <i>xdr_array()</i> function in the XDR library provided
by Sun Microsystems contains an <a
href="http://www.kb.cert.org/vuls/id/192995">integer overflow</a> that
can lead to improperly sized dynamic memory allocation. Subsequent
problems like buffer overflows may result, depending on how and where
the vulnerable <i>xdr_array()</i> function is used.
</p>
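<p>The size computation at the heart of the defect, as an added illustration that is not code from the advisory or from any vendor's XDR library: the decoder multiplies an attacker-controlled element count by the caller's element size in unsigned 32-bit arithmetic, so the product can wrap to a small value before it reaches the allocator. The checked form mirrors the "check for overflow on multiplication" fix described in the glibc entry below; the function names and the sample count are constructed for this example.</p>

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helpers modelling how an xdr_array()-style decoder sizes the
 * buffer for a variable-length array: `count` arrives from the untrusted
 * wire, `elsize` is the per-element size supplied by the caller, and
 * `maxsize` is the caller's upper bound on the element count. */

/* Unchecked form: the product is evaluated in unsigned int and wraps modulo
 * 2^32 (on the usual 32-bit u_int), so a huge count yields a tiny allocation
 * that is later filled with `count` elements. */
size_t naive_array_bytes(unsigned int count, unsigned int elsize)
{
    return (size_t)(count * elsize);
}

/* Checked form: refuse the decode if the count exceeds the caller's limit or
 * if count * elsize cannot be represented in unsigned int. The division is
 * done first so the comparison itself cannot overflow. */
bool checked_array_bytes(unsigned int count, unsigned int maxsize,
                         unsigned int elsize, size_t *out)
{
    if (elsize == 0)
        return false;                        /* nothing sensible to size */
    if (count > maxsize || count > UINT_MAX / elsize)
        return false;                        /* over limit or would wrap */
    *out = (size_t)count * elsize;
    return true;
}

int main(void)
{
    /* Constructed wire value: 0x10000001 * 16 = 0x100000010, which wraps
     * to 0x10 = 16 bytes in 32-bit unsigned arithmetic. */
    unsigned int count = 0x10000001u, elsize = 16;
    size_t bytes;

    printf("naive size for count=%u elsize=%u: %zu bytes\n",
           count, elsize, naive_array_bytes(count, elsize));
    if (!checked_array_bytes(count, 1024, elsize, &bytes))
        printf("checked form rejects the count (over maxsize or overflow)\n");
    if (checked_array_bytes(3, 1024, elsize, &bytes))
        printf("checked form accepts count=3: %zu bytes\n", bytes);
    return 0;
}
```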

<p>This issue is currently being tracked as <a
href="http://www.kb.cert.org/vuls/id/192995">VU#192995</a> by the CERT/CC and <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391">CAN-2002-0391</a>
in the Common Vulnerabilities and Exposures (CVE) dictionary.

<a name="impact"></a>
<h2>II. Impact</h2>

<p>
Because SunRPC-derived XDR libraries are used by a variety of vendors
in a variety of applications, this defect may lead to a number of
differing security problems. Exploiting this vulnerability will lead
to denial of service, execution of arbitrary code, or the disclosure
of sensitive information.
</P>

<P>Specific impacts reported include the ability to execute arbitrary
code with root privileges (by exploiting <a
href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity">dmispd,
rpc.cmsd, or kadmind, for example</a>). In addition, intruders who
exploit the XDR overflow in <a
href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt">MIT
KRB5</a> kadmind may be able to gain control of a Key Distribution
Center (KDC) and improperly authenticate to other services within a
trusted Kerberos realm.
</P>

<a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from your vendor</h4>

<p><a href="#vendors">Appendix A</a> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our
revision history.  If a particular vendor is not listed below or in
the <a href="http://www.kb.cert.org/vuls/id/192995">vulnerability note</a>, we have not received
their comments.  Please contact your vendor directly.</p>

<p>
Note that XDR libraries can be used by multiple applications on most
systems. It may be necessary to upgrade or apply multiple patches and
then recompile statically linked applications.
</P>

<p>
Applications that are statically linked must be recompiled using
patched libraries. Applications that are dynamically linked do not
need to be recompiled; however, running services need to be restarted
in order to use the patched libraries.
</P>

<p>
System administrators should consider the following process when
addressing this issue: <br>

<ol>
<li>Patch or obtain updated XDR/RPC libraries. 
<li>Restart any dynamically linked services that make use of the XDR/RPC libraries. 
<li>Recompile any statically linked applications using the patched or updated XDR/RPC libraries. 
</ol>
</p>

<h4>Disable access to vulnerable services or applications</h4>

<p>Until patches are available and can be applied, you may wish to
disable access to services or applications compiled with the
vulnerable <i>xdr_array()</i> function. Such applications include, but
are not limited to, the following:
<BR>

<ul>
<li>DMI Service Provider daemon (dmispd)
<li>CDE Calendar Manager Service daemon (rpc.cmsd)
<li>MIT Kerberos 5 Administration daemon (kadmind)
</ul>

<BR>

As a best practice, the CERT/CC recommends disabling all services
that are not explicitly required.
</P>

<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<p>This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If
a particular vendor is not listed below or in the individual <a
href="http://www.kb.cert.org/vuls/">vulnerability notes</a>, we have
not received their comments.

<a name="apple"></a>
<h4>Apple Computer, Inc.</h4>

<P>
The vulnerability described in this note is fixed with <a
href="http://www.info.apple.com/usen/security/security_updates.html">Security
Update 2002-08-02</a>. 
</P>

<!-- end vendor -->

<a name="debian"></a>
<h4>Debian GNU/Linux</h4>

<p>
The Debian GNU/Linux distribution was vulnerable with regard to the
XDR problem as stated above with the following vulnerability
matrix:<br>

<blockquote>
<table>
<TR>
<TH ALIGN="LEFT"></TH><TH ALIGN="LEFT">OpenAFS</TH><TH ALIGN="LEFT">Kerberos5</TH><TH ALIGN="LEFT">GNU libc</TH>
</TR>
<TR>
<TD align="left">Debian 2.2 (potato)</TD>   <TD align="left">not included</TD>              <TD align="left">not included</TD>            <TD align="left">vulnerable</TD>
</TR>
<TR>
<TD align="left">Debian 3.0 (woody)</TD>     <TD align="left">vulnerable (DSA 142-1)</TD>    <TD align="left">vulnerable (DSA 143-1)</TD> <TD align="left">vulnerable</TD>
</TR>
<TR>
<TD align="left">Debian unstable (sid)</TD>  <TD align="left">vulnerable (DSA 142-1)</TD>    <TD align="left">vulnerable (DSA 143-1)</TD> <TD align="left">vulnerable</TD>
</TR>
</table>
</blockquote>

</p>

<p>
However, the following advisories were raised recently which contain
and announce fixes:<br>

<blockquote>
 <a href="http://www.debian.org/security/2002/dsa-142">DSA 142-1 OpenAFS</a> (safe versions are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))<BR>
 <a href="http://www.debian.org/security/2002/dsa-143">DSA 143-1 Kerberos5</a> (safe versions are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))
</blockquote>

</P>

<p>
The advisory for the GNU libc is pending; it is currently being
recompiled.  The fixed versions will probably be:<br>

<blockquote>
Debian 2.2 (potato)    glibc 2.1.3-23 or later<BR>
Debian 3.0 (woody)     glibc 2.2.5-11.1 or later<BR>
Debian unstable (sid)  glibc 2.2.5-12 or later
</blockquote>

</p>

<!-- end vendor -->

<a name="glibc"></a>
<h4>GNU glibc</h4>

<p>
Version 2.2.5 and earlier versions of the GNU C Library are
vulnerable.  For Version 2.2.5, we suggest the following patch.  This
patch is also available from the GNU C Library CVS repository at:<BR>

<blockquote>
<a href="http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc">http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc</a>
</blockquote>
</P>

<blockquote>
2002-08-02  Jakub Jelinek  &lt;jakub@redhat.com&gt;<BR>
<BR>
<ul>
<li>        sunrpc/xdr_array.c (xdr_array): Check for overflow on
        multiplication.  Patch by Solar Designer &lt;solar@openwall.com&gt;.
</ul>

<BR>
[ text of diff available in <a
href="http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc">CVS
repository</a> link above --CERT/CC ]

</blockquote>
</P>

<!-- end vendor -->

<a name="freebsd"></a>
<h4>FreeBSD, Inc.</h4>

<P>
Please see <a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc">ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc</a>
</P>

<!-- end vendor -->

<a name="compaq"></a>
<a name="dec"></a>
<a name="hp"></a>
<h4>Hewlett-Packard Company</h4>

<p>
SOURCE: Hewlett-Packard Company
<p>
RE: Potential RPC XDR buffer overflow
<p>
At the time of writing this document, Hewlett Packard is currently
investigating the potential impact to HP's released operating System
software products.
<p>
As further information becomes available HP will provide notice of the
availability of any necessary patches through standard security
bulletin announcements and be available from your normal HP Services
support channel.

<!-- end vendor -->

<a name="ibm"></a>
<h4>IBM Corporation</h4>

<p>

   IBM is vulnerable to the above XDR Library issues in both the 4.3
   and 5.1 releases of AIX. A temporary patch is currently available
   through an efix package. Efixes are available from<BR>

<blockquote>
   <a href="http://ftp.software.ibm.com/aix/efixes/security/">ftp.software.ibm.com/aix/efixes/security/</a>
</blockquote>

See the <a href="http://ftp.software.ibm.com/aix/efixes/security/README">README</a> file in this directory for additional information on the efixes.
</p>

<p>

   The following APARs will be available in the near future:<BR>

<blockquote>
   AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 )<BR>
   AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 )
</blockquote>
</p>
<!-- end vendor -->

<a name="juniper"></a>
<h4>Juniper Networks</h4>

<p>The Juniper Networks SDX-300 Service Deployment System (SSC) does
use XDR for communication with an ERX edge router, but does not make
use of the Sun RPC libraries. The SDX-300 product is not vulnerable to
the Sun RPC XDR buffer overflow as outlined in this CERT advisory.

<!-- end vendor -->

<a name="kth-kerberos"></a>
<a name="heimdal-kerberos"></a>
<h4>KTH and Heimdal Kerberos</h4> 

<p>
kth-krb and heimdal are not vulnerable to this problem since they do
not use any Sun RPC at all.
</P>

<!-- end vendor -->

<a name="kerberos-mit"></a>
<h4>MIT Kerberos Development Team </h4>

<p>
Please see <a href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt">http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt</a> 

<p>
The patch is available directly:<BR>

<a href="http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt">http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt</a>

<p>
The following detached PGP signature should be used to verify the authenticity and integrity of the patch:<br>

<a href="http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc">http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc</a>

<!-- end vendor -->

<a name="microsoft"></a>
<h4>Microsoft Corporation</h4>

<p>
Microsoft is currently conducting an investigation based on this
report.  We will update this advisory with information once it is
complete.
</P>

<!-- end vendor -->


<a name="netbsd"></a>
<h4>NetBSD</h4>

<P>
Please see <a href="ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc">ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc</a>
</P>

<!-- end vendor -->

<a name="netapp"></a>
<h4>Network Appliance</h4>

<p>
NetApp systems are not vulnerable to this problem.
</P>

<!-- end vendor -->

<a name="openafs"></a>
<h4>OpenAFS</h4>

<p>
OpenAFS is an affected vendor for this vulnerability.  <a href="http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt">http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt</a>
details how we have dealt with the issue.
</P>

<!-- end vendor -->

<a name="openwall"></a>
<h4>Openwall Project</h4>

<P>
The <i>xdr_array(3)</I> integer overflow was present in the glibc package on
Openwall GNU/*/Linux until 2002/08/01 when it was corrected for
Owl-current and documented as a security fix in the system-wide change
log available at:<br>

<blockquote>
        <a href="http://www.openwall.com/Owl/CHANGES.shtml">http://www.openwall.com/Owl/CHANGES.shtml</a>
</blockquote>

</P>

<p>
The same glibc package update also fixes a very similar but different
<i>calloc(3)</I> <a
href="http://CERT.Uni-Stuttgart.DE/advisories/calloc.php">integer
overflow</a> possibility that is currently not known to allow for an
attack on a particular application, but has been patched as a
proactive measure.  The Sun RPC <i>xdr_array(3)</I> overflow may allow
for passive attacks on <i>mount(8)</I> by malicious or spoofed NFSv3
servers as well as for both passive and active attacks on RPC clients
or services that one might install on Owl.  (There're no RPC services
included with Owl.)
</P>

<!-- end vendor -->

<a name="redhat"></a>
<h4>RedHat Inc.</h4>

<P>
Red Hat distributes affected packages glibc and Kerberos in all Red Hat
Linux distributions.  We are currently working on producing errata
packages; when complete, these will be available along with our advisory at
the URLs below.  At the same time users of the Red Hat Network will be
able to update their systems using the 'up2date' tool.

<blockquote>
<a href="http://rhn.redhat.com/errata/RHSA-2002-166.html">http://rhn.redhat.com/errata/RHSA-2002-166.html</a> (glibc)<BR>
<a href="http://rhn.redhat.com/errata/RHSA-2002-172.html">http://rhn.redhat.com/errata/RHSA-2002-172.html</a> (Kerberos 5)
</blockquote>

</P>
<!-- end vendor -->


<a name="sgi"></a>
<h4>SGI</h4>

<p>
SGI now has patches available to fix this problem, <a href="ftp://patches.sgi.com/support/free/security/advisories/20020801-01-P">per 20020801-01-P</a>:<BR>

<blockquote>

<a href="ftp://patches.sgi.com/support/free/security/advisories/20020801-01-P">ftp://patches.sgi.com/support/free/security/advisories/20020801-01-P</a>
</blockquote>

</P>

<!-- end vendor -->


<a name="sun"></a>
<h4>Sun Microsystems, Inc.</h4>

<P>
Sun can confirm that there is a type overflow vulnerability in the
<i>xdr_array(3NSL)</I> function which is part of the network services library,
<i>libnsl(3LIB)</I>, on Solaris 2.5.1 through 9.  Sun has published <a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122">Sun Alert
46122</a> which describes the issue, applications affected, and workaround
information.  The Sun Alert will be updated as more information or patches
become available and is located here:<BR>

<blockquote>
<a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122">http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122</a>
</blockquote>

<P>Sun will be publishing a Sun Security Bulletin for this issue once all of
the patches are available which will be located at:<BR>

<blockquote>
<a href="http://sunsolve.sun.com/security">http://sunsolve.sun.com/security</a>
</blockquote>
</P>

<!-- end vendor -->

<hr noshade>
<a name="refs"></a>
<h2>Appendix B. - References</h2>

<ol>
<li><a name="man-page"></a><a href="http://www.FreeBSD.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html">Manual entry for xdr_array(3)</a>
<li><a name="vul-note"></a><a href="http://www.kb.cert.org/vuls/id/192995">VU#192995</a>
<li><a name="rpc"></a><a href="ftp://ftp.isi.edu/in-notes/rfc1831.txt">RFC1831</a>
<li><a name="xdr"></a><a href="ftp://ftp.isi.edu/in-notes/rfc1832.txt">RFC1832</a>
<li><a name="sun-alert"></a><a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity">Sun Alert 46122</a>
<li><a name="mit-alert"></a><a href="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt">Security Alert MITKRB5-SA-2002-001-xdr</a>
<li><a name="calloc"></a><a href="http://CERT.Uni-Stuttgart.DE/advisories/calloc.php"><i>Flaw in calloc and similar routines</i>, Florian Weimer, University of Stuttgart, RUS-CERT, 2002-08-05</a>
<li><a href="http://www.microsoft.com/technet/security/bulletin/MS02-057.asp">MS02-057: Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209)</a></li>
</ol>


<hr noshade>

<p>Thanks to Sun Microsystems for working with the CERT/CC to make
this document possible. The initial vulnerability research and
demonstration was performed by Internet Security Systems (ISS).</p>

<p></p>

<hr noshade>

<p>Authors: <a
href="mailto:cert@cert.org?subject=CA-2002-25%20Feedback%20VU%23192995">Jeffrey
S. Havrilla and Cory F. Cohen.</a>

<p></p>


<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History
<pre>
Aug 05, 2002:  Initial release
Aug 06, 2002:  Minor update to Debian statement, corrected glibc for Debian 3.0 (woody) will be 2.2.5-11.1 or later
Aug 06, 2002:  Added IBM statement
Aug 19, 2002:  Updated SGI statement
Sep 03, 2002:  Updated IBM statement
Oct 03, 2002:  Added Microsoft Bulletin MS02-057 to list of references
</pre>
</p>