CERT
 
Publications Catalog Historical Documents Authorized Users of "CERT" US-CERT Vulnerability Notes Database Vulnerability Disclosure Policy Courses Link to US-CERT cylab
 

CERT® Advisory CA-1999-12 Buffer Overflow in amd

Original release date: September 16, 1999
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

  • Systems running amd, the Berkeley Automounter Daemon

I. Description

There is a buffer overflow vulnerability in the logging facility of the amd daemon.

This daemon automatically mounts file systems in response to attempts to access files that reside on those file systems. Similar functionality on some systems is provided by a daemon named automountd.

Systems that include automounter daemons based on BSD 4.x source code may also be vulnerable. A vulnerable implementation of amd is included in the am-utils package, provided with many Linux distributions.

II. Impact

Remote intruders can execute arbitrary code as the user running the amd daemon (usually root).

III. Solution

Install a patch from your vendor

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

We will update this advisory as more information becomes available. Please check the CERT/CC Web site for the most current revision.

Disable amd

If you are unable to apply a patch for this problem, you can disable the amd daemon to prevent this vulnerability from being exploited. Disabling amd may prevent your system from operating normally.

Appendix A. Vendor Information

BSDI

BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has been configured. The amd daemon is not started if it has not been configured locally. Mods (M410-017 for 4.0.1 and M310-057) are available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web site at http://www.bsdi.com/support/patches

Compaq Computer Corporation

Not vulnerable

Data General

DG/UX is not vulnerable to this problem.

Erez Zadok (am-utils maintainer)

The latest stable version of am-utils includes several important security fixes. To retrieve it, use anonymous ftp for the following URL
ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/

The MD5 checksum of the am-utils-6.0.1.tar.gz archive is

MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999

The simplest instructions to build, install, and run am-utils are as follows:

  1. Retrieve the package via FTP.

  2. Unpack it:

    $ gunzip am-utils-6.0.1.tar.gz
    $ tar xf am-utils-6.0.1.tar

    If you have GNU tar and gunzip, you can issue a single command:

    $ tar xzf am-utils-6.0.1.tar.gz

  3. Build it:

    $ cd am-utils-6.0.1
    $ ./buildall

    This would configure and build am-utils for installation in /usr/local. If you built am-utils in the past using a different procedure, you may repeat that procedure instead. For example, to build am-utils using shared libraries and to enable debugging, use either:

    $ ./buildall -Ds -b
    or
    $ ./configure --enable-debug=yes --enable-shared --disable-static

    You may run "./configure --help" to get a full list of available options. You may run "./buildall -H" to get a full list of options it offers. The buildall script is a simple wrapper script that configures and builds am-utils for the most common desired configurations.

  4. Install it:

    $ make install

    This would install the programs, scripts, libraries, manual pages, and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.

  5. Run it.

    Assuming you have an Amd configuration file in /etc/amd.conf, you can simply run:

    $ /usr/local/sbin/ctl-amd restart

    That will stop the older running Amd, and start a new one. If you use a different Amd start-up script, you may use it instead.

FreeBSD

Please see the FreeBSD advisory at

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc
for information on patches for this problem.

Fujitsu

This vulnerability is still under investigation by Fujitsu.

Hewlett-Packard Company

HP is not vulnerable.

IBM Corporation

AIX is not vulnerable. It does not ship the am-utils package.

OpenBSD

OpenBSD is not vulnerable.

RedHat Inc.

RedHat has released a security advisory on this topic. It is available from our ftp server at:

http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html

SCO Unix

No SCO products are vulnerable.

SGI

SGI does not distribute am-utils in either IRIX or UNICOS operating systems.

Sun Microsystems, Inc.

SunOS - All versions are not vulnerable.

Solaris - All versions are not vulnerable.

The CERT Coordination Center would like to thank Erez Zadok, the maintainer of the am-utils package, for his assistance in preparing this advisory.

This document is available from: http://www.cert.org/advisories/CA-1999-12.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1999 Carnegie Mellon University.

Revision History 
Sep 16, 1999:  Initial release