Sun Microsystems, Inc. Information for VU#192995
Integer overflow in xdr_array() function when deserializing the XDR stream
Vendor Information
- Date Notified: 29 Jul 2002
- Statement Date:
- Date Updated: 05 Aug 2002
Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:
Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:
The vendor has not provided us with any further information regarding this vulnerability.
[text downloaded at Thu Aug 1 2002 11:30:51 (-0400)]
Sun(sm) Alert Notification
* Sun Alert ID: 46122
* Synopsis: Security Vulnerability in the Network Services
* Category: Security
* Product: Solaris
* BugIDs: 4691127
* Avoidance: none
* State: Committed
* Date Released: 31-Jul-2002
* Date Closed:
* Date Modified:
A local or remote user may be able to gain unauthorized root
privileges due to a type overflow vulnerability in the
xdr_array(3NSL) function which is part of the network services
library, libnsl(3LIB), on Solaris.
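Added example, not Sun's libnsl code: a minimal XDR array decoder in C that shows the kind of unchecked size arithmetic behind an overflow of this class, beside a count check that rejects hostile input. An XDR variable-length array is encoded as a 4-byte element count followed by the elements; a decoder that computes the allocation as count * elsize in 32-bit arithmetic wraps for large counts, so a tiny buffer is allocated while the decode loop still runs count times. The function names (unchecked_nodesize, array_count_ok, decode_u32_array), the stream layout helper and the sample bytes are constructed for this illustration and are not taken from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal reader over an in-memory XDR stream: big-endian, 4-byte units.
 * Constructed for this example; not the libnsl XDR implementation. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t off;
} xdr_stream;

static bool xdr_get_u32(xdr_stream *x, uint32_t *out)
{
    if (x->len - x->off < 4)            /* truncated stream */
        return false;
    const uint8_t *p = x->buf + x->off;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    x->off += 4;
    return true;
}

static void put_u32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)(v >> 24); dst[1] = (uint8_t)(v >> 16);
    dst[2] = (uint8_t)(v >> 8);  dst[3] = (uint8_t)v;
}

/* The allocation size an unchecked decoder derives from the attacker-supplied
 * element count: count * elsize in 32-bit unsigned arithmetic, which wraps.
 * A wrapped result means a small buffer for a loop that still runs 'count' times. */
uint32_t unchecked_nodesize(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Hardened count validation: reject counts above the caller's maximum and
 * counts whose product with elsize cannot be represented in 32 bits. */
bool array_count_ok(uint32_t count, uint32_t maxsize, uint32_t elsize)
{
    if (count > maxsize)
        return false;
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return false;
    return true;
}

/* Decode an XDR variable-length array of u32 elements (count, then elements).
 * Returns the element count on success (caller frees *out), or -1 if the
 * count is rejected or the stream is shorter than the count claims. */
long long decode_u32_array(const uint8_t *buf, size_t len, uint32_t maxsize,
                           uint32_t **out)
{
    xdr_stream x = { buf, len, 0 };
    uint32_t count;

    *out = NULL;
    if (!xdr_get_u32(&x, &count))
        return -1;
    if (!array_count_ok(count, maxsize, sizeof(uint32_t)))
        return -1;                      /* hostile or oversized count */
    if (count == 0)
        return 0;

    uint32_t *arr = calloc(count, sizeof(uint32_t)); /* product cannot wrap here */
    if (arr == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (!xdr_get_u32(&x, &arr[i])) {
            free(arr);
            return -1;
        }
    }
    *out = arr;
    return (long long)count;
}

int main(void)
{
    /* Constructed benign stream: count = 2, elements 0xdeadbeef and 42. */
    uint8_t stream[12];
    put_u32(stream, 2);
    put_u32(stream + 4, 0xdeadbeefu);
    put_u32(stream + 8, 42);

    uint32_t *arr = NULL;
    long long n = decode_u32_array(stream, sizeof stream, 1024, &arr);
    printf("benign stream: decoded %lld elements\n", n);
    free(arr);

    /* Constructed hostile count: 0x40000001 * 4 wraps to 4 in 32-bit arithmetic. */
    uint32_t hostile = 0x40000001u;
    printf("unchecked nodesize for count 0x%x: %u bytes\n",
           hostile, unchecked_nodesize(hostile, 4));
    printf("hardened check accepts it: %s\n",
           array_count_ok(hostile, UINT32_MAX, 4) ? "yes" : "no");

    uint8_t bad[4];
    put_u32(bad, hostile);
    n = decode_u32_array(bad, sizeof bad, UINT32_MAX, &arr);
    printf("hostile stream: decode returned %lld\n", n);
    return 0;
}
```

The check is placed before any allocation and before the element loop, and the decoder also treats a count larger than the remaining stream as an error rather than reading past the buffer; both are the properties a reviewer should look for in any XDR or similar length-prefixed deserializer.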
2. Contributing Factors
This issue can occur in the following releases:
* Solaris 2.5.1
* Solaris 2.6
* Solaris 7
* Solaris 8
* Solaris 9
There are no symptoms that would show the described issue has been
exploited to gain unauthorized root access to a host.
If an attempt to exploit this vulnerability fails, the affected
daemon may dump core in the root directory, '/'. A root user may run
file(1) on the core file to determine the original program, for
# file /core
/core: ELF 32-bit MSB core file SPARC Version 1, from 'dmisp
A typical stack trace from a failed exploit attempt against 'dmispd'
may look like:
 t_delete(), at 0xff0c629c
 realfree(), at 0xff0c5ed0
 _malloc_unlocked(), at 0xff0c5a68
 malloc(), at 0xff0c5808
 xdr_array(), at 0xff21ffe4
 xdr_DmiAttributeIds(), at 0xff34a208
 svc_run(), at 0xff24cda4
 server_svc(), at 0xff35baac
 InitDmiInfo(), at 0xff34da7c
=> main(argc = ???, argv = ???) (optimized), at 0x1561c in "dmisp
Other affected applications should have a similar stack trace for
frames one through five.
Solution Summary
There is no workaround for this issue, but one may wish to block
access to the vulnerable services as described below. Note that this
Sun Alert will be updated as and when more information or patches
Multiple applications run as root-privileged daemons, are linked
with libnsl(3LIB), and call the xdr_array(3NSL) function directly,
dmispd(1M) - Sun Solstice Enterprise DMI Service Provider
rpc.cmsd(1m) - CDE calendar manager service daemon
If SEAM(5) is installed, multiple Kerberos applications which run
with root privileges are affected, such as:
krb5kdc(1M) - daemon that runs on the master and slave KDCs to process
the Kerberos tickets
kadmind(1M) - Kerberos administration daemon
Additional SEAM(5) unbundled applications such as the Kerberos
versions of rlogind, telnetd, ftpd, and rshd are affected as well.
Although Sun is not aware of any other applications or services that
may be vulnerable to this issue, Sun is continuing to investigate
and will update this Sun Alert as needed.
Some third-party applications may have been built and installed
statically linked against the static version of the network
services library, libnsl.a. If this is the case, patching the shared
libnsl will not correct the copy of xdr_array() compiled into the
application, and it will be necessary to obtain an application
upgrade or patch from the application vendor once patches for this
issue are available.
The following text is based on the wording CERT use in their
Until patches are available and can be applied, you may wish to
block access to the affected services listed above from untrusted
networks such as the Internet or disable the daemons where possible.
Use a firewall or other packet-filtering technology to block the
appropriate network ports. Consult your vendor or your firewall
documentation for detailed instructions on how to configure the
The rpcinfo(1M) command will report the network port(s) in use by
each of the above RPC based daemons. The RPC portmapper service,
rpcbind(1M), typically runs on ports 111/tcp and 111/udp. The RPC
program numbers for dmispd(1M) and rpc.cmsd(1m) are 300598 and
100068 respectively. An example to list the network port(s) in use
by the above RPC based daemons via their RPC program numbers:
$ rpcinfo -p <hostname> | egrep '300598|100068'
The SEAM(5) krb5kdc(1M) daemon uses a default port number of 88 and
the kadmind(1M) daemon uses a default port number of 749. Different
port numbers for both daemons can be specified in /etc/krb5/kdc.conf
or via the command line.
Keep in mind that blocking ports at a network perimeter does not
protect the vulnerable service from attacks that originate from the
Before deciding to block or restrict access to the above services,
carefully consider your network configuration and service
Sun would also like to direct customers to the Sun BluePrints
which contain in-depth technical information on security best
practices on Sun systems.
A final solution is pending completion.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided
by third parties. The issues described in this Sun Alert
notification may or may not impact your system(s). Sun makes no
representations, warranties, or guarantees as to the information
contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN
SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR
FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert
notification contains Sun proprietary and confidential information.
It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such
may only be used for the purposes contemplated by these agreements.
Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road,
Palo Alto, CA 94303 U.S.A. All rights reserved.
Applies To (none)