Vulnerability Note VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream

Original Release date: 01 Aug 2002 | Last revised: 15 May 2006

Overview

There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.

Description

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.

This issue is currently being tracked as VU#192995 by the CERT/CC and as CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary.
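To make the defect concrete, the following is an added example written for this page, not the SunRPC library's own source. It models only the size computation that xdr_array() performs before allocating the target buffer for a deserialized array: the element count read from the XDR stream multiplied by the element size. The function names are hypothetical, the XDR_FREE special case of the real routine is not modeled, and a 32-bit unsigned int is assumed. The unchecked product beside the checked one shows why a large count can produce a tiny allocation, and what the fix has to reject.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked computation (the vulnerable pattern): c * elsize in unsigned
 * 32-bit arithmetic wraps silently, so a large element count can yield a
 * small allocation size while the caller still believes c elements fit. */
unsigned int nodesize_unchecked(unsigned int c, unsigned int elsize)
{
    return c * elsize;   /* may wrap modulo 2^32 */
}

/* Checked computation, in the spirit of the vendor fixes: reject the count
 * if it exceeds the protocol maximum or if c * elsize cannot be represented
 * in an unsigned int. Returns false when the count must be rejected. */
bool nodesize_checked(unsigned int c, unsigned int maxsize,
                      unsigned int elsize, unsigned int *nodesize)
{
    if (elsize == 0)
        return false;                 /* nothing sensible to allocate */
    if (c > maxsize || c > UINT_MAX / elsize)
        return false;                 /* too many elements, or product overflows */
    *nodesize = c * elsize;           /* safe: proven not to wrap */
    return true;
}

/* Convenience wrapper: would this count be accepted by the checked path? */
bool count_accepted(unsigned int c, unsigned int maxsize, unsigned int elsize)
{
    unsigned int n;
    return nodesize_checked(c, maxsize, elsize, &n);
}

/* Demonstration helper: did the unchecked product actually wrap? Computed
 * in 64-bit arithmetic so the comparison itself cannot overflow. */
bool product_wrapped(unsigned int c, unsigned int elsize)
{
    return (unsigned long long)c * elsize > UINT_MAX;
}

int main(void)
{
    /* Constructed values: 4-byte elements and a count just past 2^30, as a
     * hostile XDR stream could supply. maxsize is left at its loosest. */
    unsigned int elsize = 4;
    unsigned int c = 0x40000001u;
    unsigned int maxsize = UINT_MAX;
    unsigned int n;

    printf("unchecked: %u bytes requested for %u elements (wrapped: %s)\n",
           nodesize_unchecked(c, elsize), c,
           product_wrapped(c, elsize) ? "yes" : "no");
    printf("checked:   %s\n",
           nodesize_checked(c, maxsize, elsize, &n) ? "accepted" : "rejected");
    return 0;
}
```

With these constructed inputs the unchecked path asks for only 4 bytes for over a billion elements, which is exactly the undersized allocation the note describes; the checked path rejects the count before any memory is requested. The same division-based test (`c > UINT_MAX / elsize`) is the general pattern for guarding any count-times-size allocation, not just this routine.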

Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.

Solution

Apply a patch from your vendor

Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.

Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

System administrators should consider the following process when addressing this issue:

  1. Patch or obtain updated XDR/RPC libraries.
  2. Restart any dynamically linked services that make use of the XDR/RPC libraries.
  3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries.

Note that this is an iterative process: repeat it for each set of patches being applied.
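For step 2, the practical question is which running services still have the old library in memory after the file on disk has been replaced. The following is an added example, not part of the CERT note, and assumes a Linux system: when a shared object that a process has mapped is replaced on disk, the kernel marks the stale mapping with "(deleted)" in /proc/<pid>/maps. The function scans the text of one maps file for a deleted mapping of the library named by lib_prefix (on glibc systems the XDR routines live in libc itself, so "libc" is the name to look for; on other systems substitute the library that provides xdr_array()). The sample maps text is constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true if any line of maps_text names a mapped object containing
 * lib_prefix that has been deleted from disk, i.e. the process is still
 * running the pre-patch copy of that library and must be restarted. */
bool needs_restart(const char *maps_text, const char *lib_prefix)
{
    char buf[512];
    const char *line = maps_text;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len >= sizeof buf)
            len = sizeof buf - 1;        /* truncate an overlong line */
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* The path is the last field of a maps line; "(deleted)" follows
         * it when the file backing the mapping no longer exists. */
        if (strstr(buf, lib_prefix) && strstr(buf, "(deleted)"))
            return true;

        if (!end)
            break;
        line = end + 1;
    }
    return false;
}

/* Constructed sample: two mappings, the first of a libc that has been
 * replaced on disk since this process started. */
const char sample_maps[] =
    "7f4c1e000000-7f4c1e1c2000 r-xp 00000000 08:01 131090 /lib/libc-2.3.so (deleted)\n"
    "7f4c1e3d0000-7f4c1e3d2000 r--p 00000000 08:01 131212 /lib/libnss_files.so\n";

int main(void)
{
    char text[65536];
    size_t n;
    FILE *f;

    printf("sample: %s\n",
           needs_restart(sample_maps, "libc") ? "restart needed" : "ok");

    /* Same check against this process's own maps, if /proc is available. */
    f = fopen("/proc/self/maps", "r");
    if (f) {
        n = fread(text, 1, sizeof text - 1, f);
        text[n] = '\0';
        fclose(f);
        printf("self:   %s\n",
               needs_restart(text, "libc") ? "restart needed" : "ok");
    }
    return 0;
}
```

In practice an administrator would run the same test over every /proc/<pid>/maps and restart the services it flags; a service that was statically linked never shows a library mapping at all, which is why step 3 requires recompiling those separately.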

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include, but are not limited to, the following:

  • DMI Service Provider daemon (dmispd)
  • CDE Calendar Manager Service daemon (rpc.cmsd)
  • MIT Kerberos 5 Administration daemon (kadmind)

As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Systems Affected

Vendor                          Status    Date Notified  Date Updated
Apple Computer, Inc.            Affected  29 Jul 2002    20 Sep 2002
Debian Linux                    Affected  29 Jul 2002    06 Aug 2002
FreeBSD, Inc.                   Affected  29 Jul 2002    01 Aug 2002
GNU glibc                       Affected  31 Jul 2002    06 Aug 2002
Hewlett-Packard Company         Affected  29 Jul 2002    01 Aug 2002
IBM Corporation                 Affected  29 Jul 2002    03 Sep 2002
Microsoft Corporation           Affected  29 Jul 2002    03 Oct 2002
MIT Kerberos Development Team   Affected  02 Aug 2002    02 Aug 2002
NetBSD                          Affected  29 Jul 2002    20 Sep 2002
OpenAFS                         Affected  -              05 Aug 2002
OpenBSD                         Affected  29 Jul 2002    31 Jul 2002
Openwall GNU/*/Linux            Affected  -              06 Aug 2002
Red Hat, Inc.                   Affected  29 Jul 2002    05 Aug 2002
SGI                             Affected  29 Jul 2002    19 Aug 2002
Sun Microsystems, Inc.          Affected  29 Jul 2002    05 Aug 2002

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CVE-2002-0391
  • CERT Advisory: CA-2002-25
  • Date Public: 31 Jul 2002
  • Date First Published: 01 Aug 2002
  • Date Last Updated: 15 May 2006
  • Severity Metric: 27.29
  • Document Revision: 45