CERT-SEI

Integer Overflow In XDR Library

Original release date: August 05, 2002
Last revised: October 03, 2002
Source: CERT/CC

A complete revision history can be found at the end of this file.


Systems Affected

Applications using vulnerable implementations of SunRPC-derived XDR libraries, which include, but are not limited to:
  • Sun Microsystems network services library (libnsl)
  • BSD-derived libraries with XDR/RPC routines (libc)
  • GNU C library with sunrpc (glibc)

Overview

There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.

I. Description

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.

This issue is currently being tracked as VU#192995 by the CERT/CC and CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary.

II. Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the vulnerability note, we have not received their comments. Please contact your vendor directly.

Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.

Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

System administrators should consider the following process when addressing this issue:

  1. Patch or obtain updated XDR/RPC libraries.
  2. Restart any dynamically linked services that make use of the XDR/RPC libraries.
  3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries.


Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include, but are not limited to, the following:

  • DMI Service Provider daemon (dmispd)
  • CDE Calendar Manager Service daemon (rpc.cmsd)
  • MIT Kerberos 5 Administration daemon (kadmind)

As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments.

Apple Computer, Inc.

The vulnerability described in this note is fixed with Security Update 2002-08-02.

Debian GNU/Linux

The Debian GNU/Linux distribution was vulnerable with regard to the the XDR problem as stated above with the following vulnerability matrix:

OpenAFS Kerberos5 GNU libc
Debian 2.2 (potato) not included not included vulnerable
Debian 3.0 (woody) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable
Debian unstable (sid) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable


However, the following advisories were raised recently which contain and announced fixes:

DSA 142-1 OpenAFS (safe version are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))
DSA 143-1 Kerberos5 (safe version are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))


The advisory for the GNU libc is pending, it is currently being recompiled. The fixed versions will probably be:

Debian 2.2 (potato) glibc 2.1.3-23 or later
Debian 3.0 (woody) glibc 2.2.5-11.1 or later
Debian unstable (sid) glibc 2.2.5-12 or later


GNU glibc

Version 2.2.5 and earlier versions of the GNU C Library are vulnerable. For Version 2.2.5, we suggest the following patch. This patch is also available from the GNU C Library CVS repository at:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc


2002-08-02 Jakub Jelinek <jakub@redhat.com>

  • sunrpc/xdr_array.c (xdr_array): Check for overflow on multiplication. Patch by Solar Designer <solar@openwall.com>.

[ text of diff available in CVS repository link above --CERT/CC ]


FreeBSD, Inc.

Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc

Hewlett-Packard Company

SOURCE: Hewlett-Packard Company

RE: Potential RPC XDR buffer overflow

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released operating System software products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

IBM Corporation

IBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix pacakge. Efixes are available from

ftp.software.ibm.com/aix/efixes/security/
See the README file in this directory for additional information on the efixes.

The following APARs will be available in the near future:

AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 )
AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 )


Juniper Networks

The Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR for communication with an ERX edge router, but does not make use of the Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC XDR buffer overflow as outlined in this CERT advisory.

KTH and Heimdal Kerberos

kth-krb and heimdal are not vulnerable to this problem since they do not use any Sun RPC at all.

MIT Kerberos Development Team

Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

The patch is available directly:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

The following detached PGP signature should be used to verify the authenticity and integrity of the patch:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

Microsoft Corporation

Microsoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.

NetBSD

Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

Network Appliance

NetApp systems are not vulnerable to this problem.

OpenAFS

OpenAFS is an affected vendor for this vulnerability. http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt details how we have dealt with the issue.

Openwall Project

The xdr_array(3) integer overflow was present in the glibc package on Openwall GNU/*/Linux until 2002/08/01 when it was corrected for Owl-current and documented as a security fix in the system-wide change log available at:

http://www.openwall.com/Owl/CHANGES.shtml


The same glibc package update also fixes a very similar but different calloc(3) integer overflow possibility that is currently not known to allow for an attack on a particular application, but has been patched as a proactive measure. The Sun RPC xdr_array(3) overflow may allow for passive attacks on mount(8) by malicious or spoofed NFSv3 servers as well as for both passive and active attacks on RPC clients or services that one might install on Owl. (There're no RPC services included with Owl.)

RedHat Inc.

Red Hat distributes affected packages glibc and Kerberos in all Red Hat Linux distributions. We are currently working on producing errata packages, when complete these will be available along with our advisory at the URLs below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.

http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)


SGI

SGI now has patches available to fix this problem, per 20020801-01-P:

ftp://patches.sgi.com/support/free/security/advisories/20020801-01-P


Sun Microsystems, Inc.

Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122

Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:

http://sunsolve.sun.com/security



Appendix B. - References

  1. Manual entry for xdr_array(3)
  2. VU#192995
  3. RFC1831
  4. RFC1832
  5. Sun Alert 46122
  6. Security Alert MITKRB5-SA-2002-001-xdr
  7. Flaw in calloc and similar routines, Florian Weimer, University of Stuttgart, RUS-CERT, 2002-08-05
  8. MS02-057: Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209)

Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).


Authors: Jeffrey S. Havrilla and Cory F. Cohen.

Copyright 2002 Carnegie Mellon University.

Revision History

Aug 05, 2002:  Initial release
Aug 06, 2002:  Minor update to Debian statement, corrected glibc for Debian 3.0 (woody) will be 2.2.5-11.1 or later
Aug 06, 2002:  Added IBM statement
Aug 19, 2002:  Updated SGI statement
Sep 03, 2002:  Updated IBM statement
Oct 03, 2002:  Added Microsoft Bulletin MS02-057 to list of references