View Source

Original release date: September 16, 1999<BR>
Last revised: --<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>
<LI>Systems running <I>amd</I>, the Berkeley Automounter Daemon
</UL>

<H2><A NAME="description"></A>I. Description</H2>

<P>There is a buffer overflow vulnerability in the logging facility of
the <I>amd</I> daemon.

<P>This daemon automatically mounts file systems in response to
attempts to access files that reside on those file systems.  Similar
functionality on some systems is provided by a daemon named
<I>automountd</I>.

<P>Systems that include automounter daemons based on BSD 4.x source
code may also be vulnerable.  A vulnerable implementation of
<I>amd</I> is included in the am-utils package, provided with many
Linux distributions.

<P>

<H2><A NAME="impact"></A>II. Impact</H2>

<P>Remote intruders can execute arbitrary code as the user running the
<I>amd</I> daemon (usually root).

<H2><A NAME="solution"></A>III. Solution</H2>

<H4>Install a patch from your vendor</H4>

<P>Appendix A contains information provided by vendors for this
advisory.  We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from
that vendor. Please contact your vendor directly.

<P>We will update this advisory as more information becomes
available. Please check the CERT/CC Web site for the most current
revision.

<H4>Disable amd</H4>

<P>If you are unable to apply a patch for this problem, you can
disable the <I>amd</I> daemon to prevent this vulnerability from being
exploited.  Disabling <I>amd</I> may prevent your system from
operating normally.

<H2><A NAME="vendor"></A>Appendix A. Vendor Information</H2>


<H4><U>BSDI</U></H4>

BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has
been configured.  The amd daemon is not started if it has not been
configured locally.  Mods (M410-017 for 4.0.1 and M310-057) are
available via ftp from 
<A HREF="ftp://ftp.bsdi.com/bsdi/patches">
ftp://ftp.bsdi.com/bsdi/patches</A>
or via our web site at 
<A HREF="http://www.bsdi.com/support/patches">
http://www.bsdi.com/support/patches</A>

<H4><U>Compaq Computer Corporation</U></H4>

<P>Not vulnerable

<H4><U>Data General</U></H4>

<P>DG/UX is not vulnerable to this problem.

<H4><U>Erez Zadok (am-utils maintainer)</U></H4>

The latest stable version of am-utils includes several important
security fixes.  To retrieve it, use anonymous ftp for the following
URL

<DL><DD>
<A HREF="ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/">
ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/</A>
</DL>

<P>The MD5 checksum of the am-utils-6.0.1.tar.gz archive is

<DL><DD>
MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999
</DL>

<P>The simplest instructions to build, install, and run am-utils are as
follows:

<OL>
<LI>Retrieve the package via FTP.
<P>

<LI>Unpack it:
<P>$ gunzip am-utils-6.0.1.tar.gz
<BR>$ tar xf am-utils-6.0.1.tar

<P>If you have GNU tar and gunzip, you can issue a single command:

<P>$ tar xzf am-utils-6.0.1.tar.gz

<P>

<LI>Build it:
<P>$ cd am-utils-6.0.1
<BR>$ ./buildall

<P>This would configure and build am-utils for installation in
/usr/local.  If you built am-utils in the past using a different
procedure, you may repeat that procedure instead.  For example, to
build am-utils using shared libraries and to enable debugging, use
either:

<P>$ ./buildall -Ds -b
<BR>or
<BR>$ ./configure --enable-debug=yes --enable-shared --disable-static

<P>You may run "./configure --help" to get a full list of available
options.  You may run "./buildall -H" to get a full list of options it
offers.  The buildall script is a simple wrapper script that
configures and builds am-utils for the most common desired
configurations.

<P>

<LI>Install it:
<P>$ make install

<P>This would install the programs, scripts, libraries, manual pages,
and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.
<P>

<LI>Run it.
<P>Assuming you have an Amd configuration file in /etc/amd.conf, you
can simply run:

<P>$ /usr/local/sbin/ctl-amd restart

<P>That will stop the older running Amd, and start a new one.  If you
use a different Amd start-up script, you may use it instead.

</OL>

<H4><U>FreeBSD</U></H4>

<P>Please see the FreeBSD advisory at

<DL><DD>
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc">
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc</A>
</DL>

for information on patches for this problem.

<H4><U>Fujitsu</U></H4>

This vulnerability is still under investigation by Fujitsu.

<H4><U>Hewlett-Packard Company</U></H4>

<P>HP is not vulnerable.

<H4><U>IBM Corporation</U></H4>

<P>AIX is not vulnerable.  It does not ship the am-utils package.

<H4><U>OpenBSD</U></H4>

<P>OpenBSD is not vulnerable.

<H4><U>RedHat Inc.</U></H4>

<P>RedHat has released a security advisory on this topic. It is
available from our ftp server at:

<DL><DD>
<A HREF="http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html">
http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html</A>
</DL>

<H4><U>SCO Unix</U></H4>

<P>No SCO products are vulnerable.

<H4><U>SGI</U></H4>

<P>SGI does not distribute am-utils in either IRIX or UNICOS operating
systems.

<H4><U>Sun Microsystems, Inc.</U></H4>

<P>SunOS - All versions are not vulnerable.

<P>Solaris - All versions are not vulnerable.

<HR NOSHADE>

<P>The CERT Coordination Center would like to thank Erez Zadok, the
maintainer of the am-utils package, for his assistance in preparing
this advisory.


<P><!--#include virtual="/include/footer_nocopyright.html" --></P>
<P>Copyright 1999 Carnegie Mellon University.</P>
<HR>

Revision History
<PRE>
Sep 16, 1999:  Initial release
</PRE>