CVE-2002-0391
CVSS 10.0
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:20:02

[Original] Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.


[CNNVD] Sun RPC XDR library xdr_array() function integer overflow vulnerability (CNNVD-200208-079)

        
The xdr_array() function shipped in Sun's XDR library contains an integer overflow vulnerability that an attacker may exploit to gain root privileges remotely or locally. Because many vendors either use Sun's XDR library or have developed their own from Sun's code, and so include the flawed code, many vendors' applications are also affected.
The XDR (External Data Representation) library provides a platform-independent way to send data from one system process to another, for example over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations, making communication transparent to the programmer, who only needs a common interface to talk to many different kinds of systems. Sun's XDR library includes an xdr_array() function that translates between the native C representation of variable-length arrays and their platform-independent XDR representation. However, the way it computes the nodesize variable can lead to an integer overflow. An attacker can craft specially XDR-encoded input to trigger the integer overflow; depending on how the caller invokes xdr_array(), the attacker may overwrite an already allocated heap buffer, causing a heap buffer overflow. The attacker may crash the remote service or, by exploiting characteristics of the malloc implementation, alter memory contents and execute arbitrary code.
Many vendors' RPC XDR implementations are based on Sun's code and therefore contain the vulnerability described above. Any application that uses one of the affected XDR implementations may be affected. Currently known affected vendors and applications are:
* Sun Microsystems libnsl library (dmispd and rpc.cmsd)
* BSD-derived libraries with XDR/RPC routines (libc)
* GNU C library with sunrpc (glibc)
* MIT Kerberos 5 administration system (kadmind)
* OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2
* Apple MacOS X
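How the nodesize product described above wraps in 32-bit arithmetic, and the kind of multiplication overflow check the glibc fix describes, as an added C illustration that is not the Sun or glibc source (the function names and the sample array headers are constructed here). The same example also serves the CERT description of the issue further down the page.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* XDR encodes an unsigned int as four big-endian bytes (RFC 1832).
 * The element count of a variable-length array arrives this way, so
 * it is entirely controlled by the remote peer. */
static uint32_t xdr_get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Front half of decoding a variable-length array, modelled on the
 * behaviour the advisory describes (hypothetical code, not the Sun or
 * glibc source): read the count, bound it by the caller's maxsize,
 * then compute nodesize = count * elsize for the heap allocation.
 * Returns the byte count that would be handed to malloc(), or -1 when
 * the input is rejected.  With hardened == false the product is taken
 * as-is in 32-bit arithmetic; with hardened == true the overflow guard
 * the fix introduced is applied before multiplying. */
static int64_t size_array_from_wire(const uint8_t *msg, size_t len,
                                    uint32_t maxsize, uint32_t elsize,
                                    bool hardened)
{
    if (len < 4)
        return -1;
    uint32_t count = xdr_get_u32(msg);

    /* Bound check present in the original code.  Many callers pass an
     * effectively unlimited maxsize, so it alone does not stop the wrap. */
    if (count > maxsize)
        return -1;

    /* Overflow guard: reject any count whose product with elsize would
     * not fit in 32 bits, before the multiplication is performed. */
    if (hardened && elsize != 0 && count > UINT32_MAX / elsize)
        return -1;

    /* 32-bit product: 0x40000001 * 4 wraps to 4, so the unpatched decoder
     * would allocate 4 bytes and then iterate 0x40000001 times over them. */
    uint32_t nodesize = count * elsize;
    return (int64_t)nodesize;
}

/* Constructed sample headers (not captured traffic): a hostile count
 * chosen to wrap, and a benign count of 10 elements. */
static const uint8_t HOSTILE_HDR[4] = { 0x40, 0x00, 0x00, 0x01 };
static const uint8_t BENIGN_HDR[4]  = { 0x00, 0x00, 0x00, 0x0a };

int main(void)
{
    const uint32_t elsize = 4;   /* e.g. an array of 32-bit integers */

    printf("benign            : nodesize = %" PRId64 "\n",
           size_array_from_wire(BENIGN_HDR, 4, UINT32_MAX, elsize, true));
    printf("hostile, unpatched: nodesize = %" PRId64 " (wrapped)\n",
           size_array_from_wire(HOSTILE_HDR, 4, UINT32_MAX, elsize, false));
    printf("hostile, patched  : nodesize = %" PRId64 " (rejected)\n",
           size_array_from_wire(HOSTILE_HDR, 4, UINT32_MAX, elsize, true));
    return 0;
}
```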
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.5.1
cpe:/o:sun:solaris:7.0
cpe:/o:freebsd:freebsd:4.6.1:release_p5
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:openbsd:openbsd:3.1  (OpenBSD 3.1)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9  Solaris 8 RPC xdr_array Buffer Overflow
oval:org.mitre.oval:def:4728  SunRPC xdr_array Function Integer Overflow
oval:org.mitre.oval:def:42  Solaris 7 RPC xdr_array Buffer Overflow
* OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0391
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0391
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-079
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-055.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-055.0
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2002-011
ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
(UNKNOWN)  SGI  20020801-01-P
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
(UNKNOWN)  AIXAPAR  IY34194
http://archives.neohapsis.com/archives/bugtraq/2002-07/0514.html
(UNKNOWN)  BUGTRAQ  20020803 OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers
http://archives.neohapsis.com/archives/hp/2002-q3/0077.html
(UNKNOWN)  HP  HPSBUX0209-215
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
(VENDOR_ADVISORY)  ISS  20020731 Remote Buffer Overflow Vulnerability in Sun RPC
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000515
(UNKNOWN)  CONECTIVA  CLA-2002:515
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535
(UNKNOWN)  CONECTIVA  CLA-2002:535
http://marc.info/?l=bugtraq&m=102813809232532&w=2
(UNKNOWN)  BUGTRAQ  20020731 Remote Buffer Overflow Vulnerability in Sun RPC
http://marc.info/?l=bugtraq&m=102821785316087&w=2
(UNKNOWN)  BUGTRAQ  20020801 RPC analysis
http://marc.info/?l=bugtraq&m=102821928418261&w=2
(UNKNOWN)  FREEBSD  FreeBSD-SA-02:34.rpc
http://marc.info/?l=bugtraq&m=102831443208382&w=2
(UNKNOWN)  BUGTRAQ  20020802 MITKRB5-SA-2002-001: Remote root vulnerability in MIT krb5 admin
http://marc.info/?l=bugtraq&m=103158632831416&w=2
(UNKNOWN)  BUGTRAQ  20020909 GLSA: glibc
http://online.securityfocus.com/advisories/4402
(UNKNOWN)  HP  HPSBTL0208-061
http://online.securityfocus.com/archive/1/285740
(UNKNOWN)  BUGTRAQ  20020802 kerberos rpc xdr_array
http://rhn.redhat.com/errata/RHSA-2002-166.html
(UNKNOWN)  REDHAT  RHSA-2002:166
http://rhn.redhat.com/errata/RHSA-2002-172.html
(UNKNOWN)  REDHAT  RHSA-2002:172
http://www.cert.org/advisories/CA-2002-25.html
(VENDOR_ADVISORY)  CERT  CA-2002-25
http://www.debian.org/security/2002/dsa-142
(UNKNOWN)  DEBIAN  DSA-142
http://www.debian.org/security/2002/dsa-143
(UNKNOWN)  DEBIAN  DSA-143
http://www.debian.org/security/2002/dsa-146
(UNKNOWN)  DEBIAN  DSA-146
http://www.debian.org/security/2002/dsa-149
(UNKNOWN)  DEBIAN  DSA-149
http://www.debian.org/security/2003/dsa-333
(UNKNOWN)  DEBIAN  DSA-333
http://www.iss.net/security_center/static/9170.php
(UNKNOWN)  XF  sunrpc-xdr-array-bo(9170)
http://www.kb.cert.org/vuls/id/192995
(UNKNOWN)  CERT-VN  VU#192995
http://www.linuxsecurity.com/advisories/other_advisory-2399.html
(UNKNOWN)  ENGARDE  ESA-20021003-021
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2002:057
(UNKNOWN)  MANDRAKE  MDKSA-2002:057
http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
(UNKNOWN)  MS  MS02-057
http://www.redhat.com/support/errata/RHSA-2002-167.html
(UNKNOWN)  REDHAT  RHSA-2002:167
http://www.redhat.com/support/errata/RHSA-2002-173.html
(UNKNOWN)  REDHAT  RHSA-2002:173
http://www.redhat.com/support/errata/RHSA-2003-168.html
(UNKNOWN)  REDHAT  RHSA-2003:168
http://www.redhat.com/support/errata/RHSA-2003-212.html
(UNKNOWN)  REDHAT  RHSA-2003:212
http://www.securityfocus.com/bid/5356
(UNKNOWN)  BID  5356

- Vulnerability information

Sun RPC XDR library xdr_array() function integer overflow vulnerability
Severity: Critical   Type: Boundary condition error
Published: 2002-08-12 00:00:00   Updated: 2005-05-02 00:00:00
Attack vector: Remote
        

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:

* Disable access to affected services or applications
Administrators can disable user access to services or applications built with the affected xdr_array() function. These include, but are not limited to, the following:

(1) Sun DMI Service Provider daemon (dmispd)
 # /etc/init.d/init.dmi stop
 # mv /etc/rc3.d/S77dmi /etc/rc3.d/DISABLED_S77dmi

(2) Sun CDE Calendar Manager Service daemon (rpc.cmsd)

 Edit /etc/inetd.conf and comment out the service by placing a '#' in front of the following line:
 100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
 Save the change, then restart inetd:
 # ps -ef | grep inetd
 # kill -HUP

(3) MIT Kerberos 5 Administration daemon (kadmind)
Vendor patches:
Apple
-----
The vendor has released Security Update 2002-08-02 (SecurityUpd2002-08-02.dmg) to fix this security issue; it can be downloaded from the vendor's site:

http://docs.info.apple.com/article.html?artnum=120139

SSL server:
https://depot.info.apple.com/security/129403bc5e184e3b7367.html
Debian
------
Debian has released three security advisories (DSA-142-1, DSA-143-1 and DSA-149-1) with corresponding patches:
DSA-142-1: New OpenAFS packages fix integer overflow bug
Link:
http://www.debian.org/security/2002/dsa-142

DSA-143-1: New krb5 packages fix integer overflow bug
Link:
http://www.debian.org/security/2002/dsa-143

DSA-149-1: New glibc packages fix security related problems
Link:
http://www.debian.org/security/2002/dsa-149

Follow the advisories above to upgrade.
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-02:34) with a corresponding patch:
FreeBSD-SA-02:34: Sun RPC XDR decoder contains buffer overflow
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc
Do one of the following:
1) Upgrade the affected system to 4.6-STABLE, or to the RELENG_4_6, RELENG_4_5 or RELENG_4_4 security branch dated after the correction date (4.6.1-RELEASE-p6, 4.5-RELEASE-p15 or 4.4-RELEASE-p22).
2) Patch the existing system:
The following patch has been verified to apply to FreeBSD 4.4, 4.5 and 4.6 systems.
a) Download the patch from the location below and verify the detached PGP signature with your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:34/rpc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:34/rpc.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system as described in:

http://www.freebsd.org/doc/handbook/makeworld.html
Note that any statically linked applications that are not part of the base system (for example from the Ports Collection or other third-party sources) must be recompiled if they use SunRPC.
All affected applications must be restarted to pick up the fixed library. Although not strictly required, rebooting the system may be the simplest way to do this.
GNU
---
GNU C Library versions 2.2.5 and earlier are affected. For version 2.2.5 we recommend the following patch, which is also available from the GNU C Library CVS repository:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc

MIT
---
MIT has released a security advisory (MITKRB5-SA-2002-001) with a corresponding patch:
MITKRB5-SA-2002-001: Remote root vulnerability in MIT krb5 admin system
Link:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

Patch download:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

The patch above is against krb5-1.2.5; the source tree must be rebuilt after applying it.
NetBSD
------
NetBSD has released a security advisory (NetBSD-SA2002-011) with a corresponding patch:
NetBSD-SA2002-011: Sun RPC XDR decoder contains buffer overflow
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Patch download:
* NetBSD-current:
 Systems running NetBSD-current dated before 2002-08-01 should be upgraded to NetBSD-current dated 2002-08-01 or later.
 To update from CVS, rebuild and reinstall libc:
 # cd src
 # cvs update -d -P lib/libc/rpc
 # cd lib/libc
 # make cleandir dependall
 # make install
* NetBSD 1.6 beta:
 Systems running the NetBSD-1.6 branch dated before 2002-08-02 should be upgraded to 2002-08-02 or later.

 To update from CVS, rebuild and reinstall libc:
 # cd src
 # cvs update -d -P -r netbsd-1-6 lib/libc/rpc
 # cd lib/libc
 # make cleandir dependall
 # make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
 Systems running the NetBSD-1.5 branch dated before 2002-08-02 should be upgraded to 2002-08-02 or later.
 To update from CVS, rebuild and reinstall libc:
 # cd src
 # cvs update -d -P -r netbsd-1-5 lib/libc/rpc
 # cd lib/libc
 # make cleandir dependall
 # make install
OpenBSD
-------
The vendor has released a patch to fix this security issue; download it from the vendor's site:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/012_xdr.patch
RedHat
------
RedHat has released a security advisory (RHSA-2002:166-07) with corresponding patches:
RHSA-2002:166-07: Updated glibc packages fix vulnerabilities in RPC XDR decoder
Link: https://www.redhat.com/support/errata/RHSA-2002-166.html
Patch download:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-26.src.rpm
alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/glibc-2.1.3-26.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/glibc-devel-2.1.3-26.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/glibc-profile-2.1.3-26.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/nscd-2.1.3-26.alpha.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-26.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-26.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-26.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-26.i386.rpm
sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/glibc-2.1.3-26.sparc.rp

- Vulnerability information (F26509)

CA-2002-25.xdr (PacketStormID:F26509)
2002-08-06 00:00:00
 
overflow,arbitrary,root,vulnerability
CVE-2002-0391

CERT Advisory CA-2002-25 - The Sun Microsystems XDR library contains overflows which lead to exploitable vulnerabilities in many applications. The xdr_array() function commonly used in RPC calls is the source of the vulnerabilities. Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.


CERT Advisory CA-2002-25 Integer Overflow In XDR Library

   Original release date: August 05, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Applications  using  vulnerable  implementations of SunRPC-derived XDR
   libraries, which include, but are not limited to:

     * Sun Microsystems network services library (libnsl)
     * BSD-derived libraries with XDR/RPC routines (libc)
     * GNU C library with sunrpc (glibc)

Overview

   There  is  an  integer  overflow  present  in the xdr_array() function
   distributed as part of the Sun Microsystems XDR library. This overflow
   has  been  shown  to  lead to remotely exploitable buffer overflows in
   multiple  applications,  leading  to  the execution of arbitrary code.
   Although  the  library was originally distributed by Sun Microsystems,
   multiple  vendors  have  included  the  vulnerable  code  in their own
   implementations.

I. Description

   The  XDR  (external data representation) libraries are used to provide
   platform-independent  methods for sending data from one system process
   to  another,  typically  over  a network connection. Such routines are
   commonly  used  in  remote  procedure  call  (RPC)  implementations to
   provide transparency to application programmers who need to use common
   interfaces  to  interact  with  many  different  types of systems. The
   xdr_array()  function  in the XDR library provided by Sun Microsystems
   contains an integer overflow that can lead to improperly sized dynamic
   memory  allocation.  Subsequent  problems  like  buffer  overflows may
   result, depending on how and where the vulnerable xdr_array() function
   is used.

   This  issue is currently being tracked as VU#192995 by the CERT/CC and
   CAN-2002-0391  in  the  Common  Vulnerabilities  and  Exposures  (CVE)
   dictionary.

II. Impact

   Because  SunRPC-derived XDR libraries are used by a variety of vendors
   in  a  variety  of  applications,  this defect may lead to a number of
   differing  security  problems. Exploiting this vulnerability will lead
   to  denial  of service, execution of arbitrary code, or the disclosure
   of sensitive information.

   Specific  impacts  reported  include  the ability to execute arbitrary
   code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind,
   for  example).  In addition, intruders who exploit the XDR overflow in
   MIT  KRB5  kadmind  may  be able to gain control of a Key Distribution
   Center  (KDC)  and  improperly authenticate to other services within a
   trusted Kerberos realm.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not listed below or in the vulnerability note, we have not
   received their comments. Please contact your vendor directly.

   Note  that  XDR libraries can be used by multiple applications on most
   systems.  It may be necessary to upgrade or apply multiple patches and
   then recompile statically linked applications.

   Applications  that  are  statically  linked  must  be recompiled using
   patched  libraries.  Applications  that  are dynamically linked do not
   need  to be recompiled; however, running services need to be restarted
   in order to use the patched libraries.

   System  administrators  should  consider  the  following  process when
   addressing this issue:

    1. Patch or obtain updated XDR/RPC libraries.
    2. Restart  any  dynamically  linked  services  that  make use of the
       XDR/RPC libraries.
    3. Recompile  any statically linked applications using the patched or
       updated XDR/RPC libraries.

Disable access to vulnerable services or applications

   Until  patches  are  available  and  can  be  applied, you may wish to
   disable   access   to  services  or  applications  compiled  with  the
   vulnerable  xdr_array()  function.  Such applications include, but are
   not limited to, the following:

     * DMI Service Provider daemon (dmispd)
     * CDE Calendar Manager Service daemon (rpc.cmsd)
     * MIT Kerberos 5 Administration daemon (kadmind)

   As a best practice, the CERT/CC recommends disabling all services that
   are not explicitly required.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular   vendor   is   not  listed  below  or  in  the  individual
   vulnerability notes, we have not received their comments.

Apple Computer, Inc.

   The vulnerability described in this note is fixed with Security Update
   2002-08-02.

Debian GNU/Linux

   The  Debian  GNU/Linux  distribution was vulnerable with regard to the
   the  XDR  problem  as  stated  above  with the following vulnerability
   matrix:

                       OpenAFS                Kerberos5             GNU libc
                       _______                _________             ________
 Debian 2.2 (potato)   not included           not included          vulnerable
 Debian 3.0 (woody)    vulnerable(DSA 142-1)  vulnerable(DSA 143-1) vulnerable
 Debian unstable (sid) vulnerable(DSA 142-1)  vulnerable(DSA 143-1) vulnerable

   However,  the  following advisories were raised recently which contain
   and announced fixes:

     DSA  142-1  OpenAFS  (safe  version  are: 1.2.3final2-6 (woody) and
     1.2.6-1 (sid))

     DSA  143-1  Kerberos5  (safe version are: 1.2.4-5woody1 (woody) and
     1.2.5-2 (sid))

   The  advisory  for  the  GNU  libc  is  pending, it is currently being
   recompiled. The fixed versions will probably be:

     Debian 2.2 (potato) glibc 2.1.3-23 or later
     Debian 3.0 (woody) glibc 2.2.5-11 or later
     Debian unstable (sid) glibc 2.2.5-12 or later

GNU glibc

   Version   2.2.5  and  earlier  versions  of  the  GNU  C  Library  are
   vulnerable.  For  Version  2.2.5, we suggest the following patch. This
   patch is also available from the GNU C Library CVS repository at:

     http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc

     2002-08-02 Jakub Jelinek <jakub@redhat.com>

     * sunrpc/xdr_array.c    (xdr_array):    Check    for   overflow   on
       multiplication. Patch by Solar Designer <solar@openwall.com>.

     [ text of diff available in CVS repository link above --CERT/CC ]

FreeBSD, Inc.

   Please see
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc

Hewlett-Packard Company

   SOURCE: Hewlett-Packard Company

   RE: Potential RPC XDR buffer overflow

   At  the  time  of  writing this document, Hewlett Packard is currently
   investigating  the  potential impact to HP's released operating System
   software products.

   As further information becomes available HP will provide notice of the
   availability  of  any  necessary  patches  through  standard  security
   bulletin  announcements  and be available from your normal HP Services
   support channel.

Juniper Networks

   The  Juniper Networks SDX-300 Service Deployment System (SSC) does use
   XDR  for  communication with an ERX edge router, but does not make use
   of the Sun RPC libraries. The SDX-300 product is not vulnerable to the
   Sun RPC XDR buffer overflow as outlined in this CERT advisory.

KTH and Heimdal Kerberos

   kth-krb  and  heimdal are not vulnerable to this problem since they do
   not use any Sun RPC at all.

MIT Kerberos Development Team

   Please see
   http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

   The patch is available directly:
   http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

   The  following  detached  PGP  signature  should be used to verify the
   authenticity and integrity of the patch:

   http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

Microsoft Corporation

   Microsoft  is  currently  conducting  an  investigation  based on this
   report.  We  will  update  this  advisory  with information once it is
   complete.

NetBSD

   Please see
   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

Network Appliance

   NetApp systems are not vulnerable to this problem.

OpenAFS

   OpenAFS    is    an    affected   vendor   for   this   vulnerability.
   http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt  details
   how we have dealt with the issue.

Openwall Project

   The  xdr_array(3) integer overflow was present in the glibc package on
   Openwall  GNU/*/Linux  until  2002/08/01  when  it  was  corrected for
   Owl-current and documented as a security fix in the system-wide change
   log available at:

     http://www.openwall.com/Owl/CHANGES.shtml

   The  same glibc package update also fixes a very similar but different
   calloc(3)  integer overflow possibility that is currently not known to
   allow  for an attack on a particular application, but has been patched
   as  a  proactive  measure. The Sun RPC xdr_array(3) overflow may allow
   for  passive attacks on mount(8) by malicious or spoofed NFSv3 servers
   as  well  as  for  both  passive  and active attacks on RPC clients or
   services  that  one  might  install  on Owl. (There're no RPC services
   included with Owl.)

RedHat Inc.

   Red  Hat  distributes  affected packages glibc and Kerberos in all Red
   Hat  Linux distributions. We are currently working on producing errata
   packages,  when  complete  these  will  be  available  along  with our
   advisory  at  the  URLs  below.  At the same time users of the Red Hat
   Network will be able to update their systems using the 'up2date' tool.

     http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
     http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)

SGI

   SGI is currently looking into the matter, per:

     ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A

Sun Microsystems, Inc.

   Sun  can  confirm  that  there is a type overflow vulnerability in the
   xdr_array(3NSL)  function  which  is  part  of  the  network  services
   library,  libnsl(3LIB),  on Solaris 2.5.1 through 9. Sun has published
   Sun  Alert 46122 which describes the issue, applications affected, and
   workaround  information.  The  Sun  Alert  will  be  updated  as  more
   information or patches become available and is located here:

     http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122

   Sun will be publishing a Sun Security Bulletin for this issue once all
   of the patches are available which will be located at:

     http://sunsolve.sun.com/security
     _________________________________________________________________

Appendix B. - References

    1. Manual entry for xdr_array(3)
    2. VU#192995
    3. RFC1831
    4. RFC1832
    5. Sun Alert 46122
    6. Security Alert MITKRB5-SA-2002-001-xdr
    7. Flaw in calloc and similar routines, Florian Weimer, University of
       Stuttgart, RUS-CERT, 2002-08-05
     _________________________________________________________________

   Thanks  to  Sun Microsystems for working with the CERT/CC to make this
   document    possible.   The   initial   vulnerability   research   and
   demonstration was performed by Internet Security Systems (ISS).
     _________________________________________________________________

   Authors: Jeffrey S. Havrilla and Cory F. Cohen.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-25.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

    Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
August 05, 2002:  Initial release

    

- Vulnerability information

16003
Multiple Vendor SunRPC XDR Primitive xdr_array Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Commercial

- Vulnerability description

SunRPC as used by several operating systems contain a flaw that may allow a remote attacker to gain privileges. The issue is due to the RPC servers using libc, glibc or other code based on SunRPC not properly sanitizing user-supplied input. By passing a large number of arguments to the xdr_array function to RPC services such as rpc.cmsd or dmispd, an attacker can leverage an integer overflow to execute arbitrary code.

- Timeline

2002-07-31 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Multiple Vendor Sun RPC xdr_array Buffer Overflow Vulnerability
Class: Boundary Condition Error   Bugtraq ID: 5356
Remote: Yes   Local: No
Published: 2002-07-30 12:00:00   Updated: 2007-11-15 12:37:00
Discovered by ISS X-Force.

- Affected program versions

Trustix Secure Linux 1.5
Trustix Secure Linux 1.2
Trustix Secure Linux 1.1
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.8
Sun Solaris 2.7_sparc
Sun Solaris 2.7
Sun Solaris 2.6_x86
Sun Solaris 2.6
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
OpenAFS OpenAFS 1.3.2
OpenAFS OpenAFS 1.3.1
OpenAFS OpenAFS 1.3
OpenAFS OpenAFS 1.2.5
OpenAFS OpenAFS 1.2.4
OpenAFS OpenAFS 1.2.3
OpenAFS OpenAFS 1.2.2 b
OpenAFS OpenAFS 1.2.2 a
OpenAFS OpenAFS 1.2.2
OpenAFS OpenAFS 1.2.1
OpenAFS OpenAFS 1.2
OpenAFS OpenAFS 1.1.1 a
OpenAFS OpenAFS 1.1.1
OpenAFS OpenAFS 1.1
OpenAFS OpenAFS 1.0.4 a
OpenAFS OpenAFS 1.0.4
OpenAFS OpenAFS 1.0.3
OpenAFS OpenAFS 1.0.2
OpenAFS OpenAFS 1.0.1
OpenAFS OpenAFS 1.0
NetBSD NetBSD 1.6 beta
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4
MIT Kerberos 5 1.2.5
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Wirex Immunix OS 7+
MIT Kerberos 5 1.2.4
MIT Kerberos 5 1.2.3
MIT Kerberos 5 1.2.2
MIT Kerberos 5 1.2.1
MIT Kerberos 5 1.2
MIT Kerberos 5 1.1.1
+ Red Hat Linux 6.2
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
MIT Kerberos 5 1.1
MIT Kerberos 5 1.0.6
MIT Kerberos 5 1.0
Microsoft Services for Unix 3.0
KTH Kerberos 5 1.2.2
KTH Kerberos 5 1.2.1
KTH Kerberos 5 1.2
KTH Kerberos 5 1.1
IBM AIX 4.3.3
IBM AIX 5.1
HP Secure OS software for Linux 1.0
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.26
HP HP-UX 10.24
HP HP-UX 10.20 Series 800
HP HP-UX 10.20 Series 700
HP HP-UX 10.20
GNU glibc 2.2.5
GNU glibc 2.2.4
GNU glibc 2.2.3
+ Conectiva Linux 7.0
GNU glibc 2.2.2
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
GNU glibc 2.2.1
GNU glibc 2.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ Wirex Immunix OS 7+
GNU glibc 2.1.3
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ EnGarde Secure Linux 1.0.1
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Openwall Openwall GNU/*/Linux 0.1 -stable
+ Red Hat Linux 6.2
+ RedHat Linux 6.2 sparcv9
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.0 1
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0
diet libc diet libc 0.18
diet libc diet libc 0.17
diet libc diet libc 0.16
+ Gentoo Linux 0.7
+ Gentoo Linux 0.5
+ Gentoo Linux 0.5
diet libc diet libc 0.15
Caldera OpenLinux Workstation 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Server 3.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0
acm acm 5.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
SGI IRIX 6.5.18
OpenAFS OpenAFS 1.2.6
NetBSD NetBSD 1.6
diet libc diet libc 0.19
- Debian Linux 3.0

- Unaffected program versions

SGI IRIX 6.5.18
OpenAFS OpenAFS 1.2.6
NetBSD NetBSD 1.6
diet libc diet libc 0.19
- Debian Linux 3.0

- Vulnerability discussion

The 'xdr_array()' procedure is used by client/server applications implementing Sun RPC to filter between local C representations of variable length arrays and their machine-independent external data representations (XDR).

A buffer-overflow vulnerability has been reported in the 'xdr_array()' procedure. Remote attackers may exploit this issue through RPC services to execute arbitrary code on target hosts. Since RPC services typically run with root privileges, successful exploits may mean complete compromise.

OpenBSD originally reported that this vulnerability may be exploited by remote attackers to cause a denial of service. If this is a heap-based overflow, the nature of the OpenBSD malloc implementation may allow only a crash. Other platforms that use the same Sun RPC code but a different malloc implementation may allow code execution.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Updates are available. Please see the references for more information.


Sun Solaris 8_sparc
OpenBSD OpenBSD 3.0
IBM AIX 5.1
Sun Solaris 7.0
OpenBSD OpenBSD 3.1
diet libc diet libc 0.16
diet libc diet libc 0.18
OpenAFS OpenAFS 1.0
OpenAFS OpenAFS 1.0.2
OpenAFS OpenAFS 1.0.4 a
OpenAFS OpenAFS 1.0.4
Trustix Secure Linux 1.1
OpenAFS OpenAFS 1.1
MIT Kerberos 5 1.1.1
OpenAFS OpenAFS 1.2
OpenAFS OpenAFS 1.2.2
OpenAFS OpenAFS 1.2.2 a
OpenAFS OpenAFS 1.2.4
MIT Kerberos 5 1.2.5
Trustix Secure Linux 1.5
Apple Mac OS X 10.2
HP HP-UX 10.20
HP HP-UX 10.20 Series 700
HP HP-UX 10.20 Series 800
HP HP-UX 10.24
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 11.11
HP HP-UX 11.22
GNU glibc 2.1.3
GNU glibc 2.2.2
GNU glibc 2.2.3
Caldera OpenLinux Server 3.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Server 3.1.1
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.6
acm acm 5.0

- References

 

 
