Sun Microsystems, Inc. Information for VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream

Status

Affected

Vendor Statement

Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:


Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:
    http://sunsolve.sun.com/security

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

[text downloaded at Thu Aug 1 2002 11:30:51 (-0400)]



Sun(sm) Alert Notification

* Sun Alert ID: 46122
* Synopsis: Security Vulnerability in the Network Services Library, libnsl(3LIB)
* Category: Security
* Product: Solaris
* BugIDs: 4691127
* Avoidance: none
* State: Committed
* Date Released: 31-Jul-2002
* Date Closed:
* Date Modified:

1. Impact

A local or remote user may be able to gain unauthorized root
privileges due to a type overflow vulnerability in the
xdr_array(3NSL) function which is part of the network services
library, libnsl(3LIB), on Solaris.
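The Sun Alert names the flaw only as a "type overflow" in xdr_array(3NSL). As an added illustration (not Sun's code and not the libnsl source), the following C models the arithmetic behind the generic xdr_array pattern: an attacker-controlled element count is read from the XDR stream and multiplied by the element size to obtain the buffer size. The unchecked product wraps in 32-bit arithmetic, so a huge count yields a tiny allocation into which the decoder then tries to deserialize every element; the hardened version bounds the count before multiplying. The sample streams are constructed, and the function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* XDR carries every integer big-endian in 4-byte units; a variable-length
 * array is a 4-byte element count followed by that many encoded elements. */
static bool xdr_get_u32(const unsigned char *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (*pos > len || len - *pos < 4)
        return false;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8)  |  (uint32_t)buf[*pos + 3];
    *pos += 4;
    return true;
}

/* Vulnerable arithmetic (model of the pre-patch pattern, not Sun's source):
 * the buffer size is count * elsize in 32-bit unsigned arithmetic, which wraps
 * once count >= 2^32 / elsize.  A count of 0x40000001 with 4-byte elements
 * gives a 4-byte buffer, yet the decoder still tries to fill 0x40000001 slots. */
uint32_t xdr_array_nodesize_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Hardened arithmetic: reject a count over the caller's maximum and any count
 * whose byte size does not fit in 32 bits, before multiplying. */
bool xdr_array_nodesize_checked(uint32_t count, uint32_t elsize,
                                uint32_t maxcount, uint32_t *nodesize)
{
    if (elsize == 0 || count > maxcount)
        return false;
    if (count > UINT32_MAX / elsize)      /* product would overflow */
        return false;
    *nodesize = count * elsize;
    return true;
}

/* Convenience wrapper: checked size, or 0 when the count is rejected. */
uint32_t checked_nodesize_or_zero(uint32_t count, uint32_t elsize, uint32_t maxcount)
{
    uint32_t n;
    return xdr_array_nodesize_checked(count, elsize, maxcount, &n) ? n : 0;
}

/* Decode an XDR array of unsigned ints with the hardened check.  On success
 * *out is a malloc'd array of *n elements that the caller frees. */
bool xdr_decode_u32_array(const unsigned char *buf, size_t len, uint32_t maxcount,
                          uint32_t **out, uint32_t *n)
{
    size_t pos = 0;
    uint32_t count, nodesize;
    if (!xdr_get_u32(buf, len, &pos, &count))
        return false;
    if (!xdr_array_nodesize_checked(count, sizeof(uint32_t), maxcount, &nodesize))
        return false;
    if (len - pos < nodesize)             /* stream too short for count elements */
        return false;
    uint32_t *arr = malloc(nodesize ? nodesize : 1);
    if (arr == NULL)
        return false;
    for (uint32_t i = 0; i < count; i++) {
        if (!xdr_get_u32(buf, len, &pos, &arr[i])) {
            free(arr);
            return false;
        }
    }
    *out = arr;
    *n = count;
    return true;
}

/* Constructed sample streams (not captured traffic). */
static const unsigned char good_stream[] = {
    0, 0, 0, 3,   0, 0, 0, 10,   0, 0, 0, 20,   0, 0, 0, 30 };  /* count=3: 10,20,30 */
static const unsigned char evil_header[] = { 0x40, 0, 0, 1 };    /* count=0x40000001 */

/* Sum of the decoded elements, or -1 when the array is rejected. */
long decode_and_sum(const unsigned char *buf, size_t len, uint32_t maxcount)
{
    uint32_t *arr, n;
    long sum = 0;
    if (!xdr_decode_u32_array(buf, len, maxcount, &arr, &n))
        return -1;
    for (uint32_t i = 0; i < n; i++)
        sum += arr[i];
    free(arr);
    return sum;
}

int main(void)
{
    printf("unchecked size for count 0x40000001, elsize 4: %u\n",
           xdr_array_nodesize_unchecked(0x40000001u, 4));
    printf("checked size for the same count: %u (0 = rejected)\n",
           checked_nodesize_or_zero(0x40000001u, 4, UINT32_MAX));
    printf("good stream sum: %ld\n", decode_and_sum(good_stream, sizeof good_stream, 100));
    printf("evil header: %ld\n", decode_and_sum(evil_header, sizeof evil_header, UINT32_MAX));
    return 0;
}
```

The real xdr_array decodes from an XDR handle that may be backed by a socket, so it cannot always verify the remaining stream length up front as this model does; the check that matters is the one on the count-times-size product before the allocation. In the wrapped case it is the per-element decode loop that writes past the undersized heap block, which is consistent with the malloc-internals frames in the Symptoms section below.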

2. Contributing Factors

This issue can occur in the following releases:

SPARC
* Solaris 2.5.1
* Solaris 2.6
* Solaris 7
* Solaris 8
* Solaris 9

Intel
* Solaris 2.5.1
* Solaris 2.6
* Solaris 7
* Solaris 8
* Solaris 9

3. Symptoms

There are no symptoms that would show the described issue has been
exploited to gain unauthorized root access to a host.

If an attempt to exploit this vulnerability fails, the affected
daemon may dump core in the root directory, '/'. A root user may run
file(1) on the core file to determine the original program, for
example:
# file /core
/core: ELF 32-bit MSB core file SPARC Version 1, from 'dmispd'

A typical stack trace from a failed exploit attempt against 'dmispd'
may look like:
[1] t_delete(), at 0xff0c629c
[2] realfree(), at 0xff0c5ed0
[3] _malloc_unlocked(), at 0xff0c5a68
[4] malloc(), at 0xff0c5808
[5] xdr_array(), at 0xff21ffe4
[6] xdr_DmiAttributeIds(), at 0xff34a208
...
[23] svc_run(), at 0xff24cda4
[24] server_svc(), at 0xff35baac
[25] InitDmiInfo(), at 0xff34da7c
=>[26] main(argc = ???, argv = ???) (optimized), at 0x1561c in "dmispd.cc"

Other affected applications should have a similar stack trace for
frames one through five.

Solution Summary

4. Relief/Workaround

There is no workaround for this issue, but one may wish to block
access to the vulnerable services as described below. Note that this
Sun Alert will be updated as and when more information or patches
become available.

Multiple applications run as root privileged daemons and are linked
with libnsl(3LIB) and call the xdr_array(3NSL) function directly,
such as:

dmispd(1M) - Sun Solstice Enterprise DMI Service Provider
rpc.cmsd(1M) - CDE calendar manager service daemon

If SEAM(5) is installed, multiple Kerberos applications which run
with root privileges are affected, such as:

krb5kdc(1M) - daemon that runs on the master and slave KDCs to process
the Kerberos tickets
kadmind(1M) - Kerberos administration daemon

Additional SEAM(5) unbundled applications such as the Kerberos
versions of rlogind, telnetd, ftpd, and rshd are affected as well.

Although Sun is not aware of any other applications or services that
may be vulnerable to this issue, Sun is continuing to investigate
and will update this Sun Alert as needed.

Some third-party applications may have been built and installed
statically linked against the static version of the network services
library, libnsl.a. Such applications do not pick up a fix to the
shared library, so it will be necessary to obtain an application
upgrade or patch from the application vendor once patches for this
issue are available.

The following text is based on the wording CERT uses in its
advisories:

Until patches are available and can be applied, you may wish to
block access to the affected services listed above from untrusted
networks such as the Internet or disable the daemons where possible.
Use a firewall or other packet-filtering technology to block the
appropriate network ports. Consult your vendor or your firewall
documentation for detailed instructions on how to configure the
ports.

The rpcinfo(1M) command will report the network port(s) in use by
each of the above RPC based daemons. The RPC portmapper service,
rpcbind(1M), typically runs on ports 111/tcp and 111/udp. The RPC
program numbers for dmispd(1M) and rpc.cmsd(1M) are 300598 and
100068 respectively. An example to list the network port(s) in use
by the above RPC based daemons via their RPC program numbers:

$ rpcinfo -p <hostname> | egrep '300598|100068'

The SEAM(5) krb5kdc(1M) daemon uses a default port number of 88 and
the kadmind(1M) daemon uses a default port number of 749. Different
port numbers for both daemons can be specified in /etc/krb5/kdc.conf
or via the command line.

Keep in mind that blocking ports at a network perimeter does not
protect the vulnerable service from attacks that originate from the
internal network.

Before deciding to block or restrict access to the above services,
carefully consider your network configuration and service
requirements.

Sun would also like to direct customers to the Sun BluePrints
Program:

* [2]http://www.sun.com/security/blueprints/

which contains in-depth technical information on security best
practices on Sun systems.

5. Resolution

A final solution is pending completion.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided
by third parties. The issues described in this Sun Alert
notification may or may not impact your system(s). Sun makes no
representations, warranties, or guarantees as to the information
contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN
SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR
FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert
notification contains Sun proprietary and confidential information.
It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such
an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.

Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road,
Palo Alto, CA 94303 U.S.A. All rights reserved.

Applies To (none)
Attachments (none)


References

1. http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity#top
2. http://www.sun.com/security/blueprints/
3. http://www.sun.com/company/
4. http://www.sun.com/contact/
5. http://www.sun.com/share/text/termsofuse.html
6. http://www.sun.com/privacy/

If you have feedback, comments, or additional information about this vulnerability, please send us email.