Vulnerability Note VU#192995
Integer overflow in xdr_array() function when deserializing the XDR stream
Overview
There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.
I. Description
The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.
This issue is currently being tracked as VU#192995 by the CERT/CC and as CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary.
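The improperly sized allocation described above, modelled in C as an added example (this is not Sun's library source and not code from this note). The function names and sample values are constructed for illustration, 32-bit sizes are assumed, and nothing is written to memory: the overrun is only computed.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: an element count read from the XDR stream is multiplied
 * by the element size in 32-bit arithmetic, so the product can wrap and the
 * buffer that gets allocated is far smaller than the data that follows. */
static uint32_t unchecked_alloc_size(uint32_t count, uint32_t elsize)
{
    return count * elsize;              /* wraps modulo 2^32 */
}

/* Bytes the element-decoding loop would place beyond the allocation.
 * Computed in 64 bits so the true requirement is visible. */
static uint64_t overrun_bytes(uint32_t count, uint32_t elsize)
{
    uint64_t needed = (uint64_t)count * elsize;
    return needed - unchecked_alloc_size(count, elsize);
}

/* Hardened form: reject the count before multiplying.
 * Returns 0 and stores the size in *out, or -1 if the request is refused. */
static int checked_alloc_size(uint32_t count, uint32_t elsize,
                              uint32_t maxsize, uint32_t *out)
{
    if (elsize == 0 || count > maxsize || count > UINT32_MAX / elsize)
        return -1;
    *out = count * elsize;
    return 0;
}

int main(void)
{
    /* Constructed input: a caller that passes a very large maximum count. */
    uint32_t count = 0x40000001u, elsize = 4, maxsize = UINT32_MAX, size = 0;

    printf("unchecked allocation: %u bytes\n",
           (unsigned)unchecked_alloc_size(count, elsize));
    printf("bytes past the buffer: %llu\n",
           (unsigned long long)overrun_bytes(count, elsize));
    if (checked_alloc_size(count, elsize, maxsize, &size) != 0)
        printf("checked form: request refused\n");
    return 0;
}
```

The upper bound on the count only helps when the caller supplies a meaningful one; the division check is what prevents the wrap regardless of that bound.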
II. Impact
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.
III. Solution
Apply a patch from your vendor
Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.
System administrators should consider the following process when addressing this issue:
- Patch or obtain updated XDR/RPC libraries.
- Restart any dynamically linked services that make use of the XDR/RPC libraries.
- Recompile any statically linked applications using the patched or updated XDR/RPC libraries.
Note this is an iterative process for each set of patches being applied.
Disable access to vulnerable services or applications
Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include, but are not limited to, the following:
- DMI Service Provider daemon (dmispd)
- CDE Calendar Manager Service daemon (rpc.cmsd)
- MIT Kerberos 5 Administration daemon (kadmind)
As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.
Systems Affected
| Vendor | Status | Date Updated |
| Alcatel | Unknown | 31-Jul-2002 |
| Apple Computer, Inc. | Vulnerable | 20-Sep-2002 |
| AT&T | Unknown | 31-Jul-2002 |
| Cisco Systems, Inc. | Unknown | 31-Jul-2002 |
| Computer Associates | Unknown | 31-Jul-2002 |
| Cray Inc. | Unknown | 1-Aug-2002 |
| Data General | Unknown | 31-Jul-2002 |
| Debian Linux | Vulnerable | 6-Aug-2002 |
| e-Security Inc. | Not Vulnerable | 6-Aug-2002 |
| F5 Networks, Inc. | Unknown | 31-Jul-2002 |
| FreeBSD, Inc. | Vulnerable | 1-Aug-2002 |
| Fujitsu | Unknown | 31-Jul-2002 |
| GNU glibc | Vulnerable | 6-Aug-2002 |
| Guardian Digital Inc. | Unknown | 31-Jul-2002 |
| Hewlett-Packard Company | Vulnerable | 1-Aug-2002 |
| IBM Corporation | Vulnerable | 3-Sep-2002 |
| Intel | Unknown | 31-Jul-2002 |
| Juniper Networks, Inc. | Not Vulnerable | 1-Aug-2002 |
| KTH Kerberos | Not Vulnerable | 5-Aug-2002 |
| Lucent Technologies | Unknown | 31-Jul-2002 |
| Mandriva, Inc. | Unknown | 31-Jul-2002 |
| Microsoft Corporation | Vulnerable | 3-Oct-2002 |
| MIT Kerberos Development Team | Vulnerable | 2-Aug-2002 |
| NEC Corporation | Unknown | 31-Jul-2002 |
| NetBSD | Vulnerable | 20-Sep-2002 |
| Network Appliance | Not Vulnerable | 2-Aug-2002 |
| NeXT | Unknown | 31-Jul-2002 |
| Nortel Networks, Inc. | Unknown | 31-Jul-2002 |
| OpenAFS | Vulnerable | 5-Aug-2002 |
| OpenBSD | Vulnerable | 31-Jul-2002 |
| Openwall GNU/*/Linux | Vulnerable | 6-Aug-2002 |
| Red Hat, Inc. | Vulnerable | 5-Aug-2002 |
| Sequent Computer Systems, Inc. | Unknown | 31-Jul-2002 |
| SGI | Vulnerable | 19-Aug-2002 |
| Sony Corporation | Unknown | 31-Jul-2002 |
| Sun Microsystems, Inc. | Vulnerable | 5-Aug-2002 |
| SUSE Linux | Unknown | 31-Jul-2002 |
| The Open Group | Unknown | 31-Jul-2002 |
| The SCO Group (SCO Linux) | Unknown | 31-Jul-2002 |
| The SCO Group (SCO Unix) | Unknown | 31-Jul-2002 |
| Unisphere Networks | Unknown | 1-Aug-2002 |
| Unisys | Unknown | 31-Jul-2002 |
| Wind River Systems, Inc. | Unknown | 31-Jul-2002 |
| Xerox Corporation | Vulnerable | 29-May-2003 |
| Xi Graphics | Unknown | 31-Jul-2002 |
References
http://www.cert.org/advisories/CA-2002-25.html
http://www.FreeBSD.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html
ftp://ftp.isi.edu/in-notes/rfc4506.txt
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt
http://CERT.Uni-Stuttgart.DE/advisories/calloc.php
http://online.securityfocus.com/bid/5356
http://www.iss.net/security_center/static/9170.php
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Credit
Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).
This document was written by Jeffrey S. Havrilla.
Other Information
| Date Public | 07/31/2002 |
| Date First Published | 08/01/2002 11:18:42 AM |
| Date Last Updated | 05/15/2006 |
| CERT Advisory | CA-2002-25 |
| CVE Name | CVE-2002-0391 |
| US-CERT Technical Alerts | |
| Metric | 27.29 |
| Document Revision | 45 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.