[ISN] RSI.0005.05-14-98.SUN.LIBNSL

From: mea culpa (jerichot_private)
Date: Wed Jul 01 1998 - 20:51:33 PDT

  • Next message: mea culpa: "Re: [ISN] 'Back door' doesn't get very far"

    Forwarded From: RSI Advise <adviset_private>
    
    
    RSI.0005.05-14-98.SUN.LIBNSL
    
    
    
               |:::.  |::::: |::::.        |::::: |::::: |::::.
               ..  :: ..     ..  ::        ..     ..     ..  ::
               |::::  |::::  |::::  :::::: |::::: |::::  |:
               |:  :: |:     |:               |:: |:     |:  ::
               |:  :: |::::: |:            |::::: |::::: |:::::
    
    
                       Repent Security Incorporated, RSI
                           [ http://www.repsec.com ]
    
    
    		       *** RSI ALERT ADVISORY ***
    
    
    --- [CREDIT] --------------------------------------------------------------
    
    Matt Conover: Discovered the vulnerabilities
    Mark Zielinski: Author of advisory
    
    
    --- [SUMMARY] -------------------------------------------------------------
    
    Announced:     May 14, 1998
    Report code:   RSI.0005.05-14-98.SUN.LIBNSL
    Report title:  Sun Microsystem's libnsl
    Vulnerability: Insufficient bounds checking
    Vendor status: Contacted, patch under development
    Patch status:  No patch available
    Platforms:     Solaris 2.2, 2.3, 2.4, 2.5, 2.5.1
    Vulnerable:    Several library functions in libnsl have buffer overflows
    Reference:     http://www.repsec.com/advisories.html
    Impact:	       If exploited, an attacker could potentially compromise
                   both local and remote root access on your server
    
    
    --- [DETAILS] -------------------------------------------------------------
    
    Problem:       Several buffer overflows exist in Sun Microsystem's libnsl
                   networking library.
    
                   While overwriting the buffer, the attacker can manipulate
                   the stack and execute their own commands, possibly gaining
                   root access on your server.
    
    	       Functions we have found vulnerable:
    
    	       Vulnerable key functions:	  
    	       ---------------------------------------------------
    
    	       extract_secret ()       : Buffer overflows while copying
    					 data into a local buffer
    	       getkeys_nis () 	       : Buffer overflows if key value
                                             is larger then the buffer	
    	       getpublickey ()	       : Calls getkeys_nis ()
    	       getsecretkey ()         : Calls getkeys_nis ()
    
    
    	       Vulnerable RPC functions:
    	       ----------------------------------------------------
    
                   authdes_seccreate ()    : Calls getpublickey ()
                   rpc_broadcast_exp ()    : Buffer overflow if allowed to
    				         specify network protocol type
    	       rpc_broadcast ()        : Calls rpc_broadcast_exp ()
    	       clnt_create_timed ()    : Buffer overflow if allowed to
    				         specify network protocol type
    	       host2netname ()	       : Buffer overflow while specifying
    				         hostname.
    	       getnetname ()	       : Calls host2netname ()
    	       clnt_create ()	       : Calls clnt_create_timed ()
                   rpc_call ()	       : Buffer overflow if allowed to
    				         specify network protocol type
    	       authdes_pk_seccreate () : Calls getnetname ()
    
    
                   Vulnerable NIS functions:
    	       ----------------------------------------------------
    
                   __nis_init_callback ()  : Calls getpublickey ()
                   __nis_core_lookup ()    : Buffer overflow while copying
    					 paramaters into a local buffer
                   nis_make_rpchandle ()   : Calls host2netname ()
                   nis_dump_r ()           : Calls nis_make_rpchandle ()
                   nis_dump ()             : Calls nis_dump_r ()
                   __nis_auth2princ ()     : Buffer overflow while specifying
    					 machine name
                   __nis_host2nis_server (): Buffer overflow while specifying
    					 hostname
                   nis_name_of_r ()        : Buffer overflow while copying
    					 paramaters into a local buffer
    	       nis_old_data_r ()       : Buffer overflow while copying 
    				         paramaters into a local buffer
                   nis_list ()	       : Calls __nis_core_lookup ()
                   nis_add ()	       : Calls nis_nameops ()
                   nis_remove ()           : Calls nis_nameops ()
                   nis_modify ()	       : Calls nis_nameops ()
                   nis_mkdir ()	       : Calls nis_make_rpchandle ()
                   nis_rmdir ()	       : Calls nis_make_rpchandle ()
    
    
                   Potentially vulnerable programs:
    	       ----------------------------------------------------
    
                   Calls vulnerable RPC functions:
    
    	         1. nfs mount
    	         2. nfs share
                     3. rpc.rexd
                     4. autofs
        
                   Calls vulnerable key functions:
     	        
                     1. chkey
                     2. keylogin
                     3. setkey
                     4. newkey
                     5. keyserv
                     6. libscheme
    
                   Calls vulnerable NIS functions:
              
                     1. rpc.nisd
                     2. rpc.nisdpasswdd
                     3. nisping
                     4. nisaddent
                     5. nisupdkeys
                     6. nisaddcred
                     7. sendmail
                     8. volcheck
                     9. vold
    
                   Calls vulnerable YP functions:
    
                     1. vacation
                     2. ypwhich
                     3. yppush
    
    
    	       These vulnerabilities are present in Sun Microsystem's 
                   Solaris 2.2, 2.3, 2.4, 2.5, and 2.5.1. 
    
    	       For more information on this type of attack, point your
    	       web browsers to http://www.repsec.com/bofs.html.
    
    
    --- [FIX] -----------------------------------------------------------------
    
    Solution:      No fix available.
    
    
    --- [PATCH] ---------------------------------------------------------------
    
    Solution:      Sun Microsystem's has not released an official patch.
    
    
    ---------------------------------------------------------------------------
    
    Repent Security Incorporated (RSI)
    adviset_private
    13610 N. Scottsdale Rd.
    Suite #10-326
    Scottsdale, AZ
    85254
    
    [ http://www.repsec.com ]
    
    ---------------------------------------------------------------------------
    
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: 2.6.2
    
    mQCNAzU6dqAAAAEEAOHt9a5vevjD8ZjsEmncEbFp2U7aeqvPTcF/8FJMilgOVp75
    dshXvZixHsYU7flgCNzA7wLIQPWBQBrweLG6dx9gE9e5Ca6yAJxZg8wNsi06tZfP
    nvmvf6F/7xoWS5Ei4k3YKuzscxlyePNNKws6uUe2ZmwVoB+i3HHT44dOafMhAAUT
    tBpSZXBTZWMgPGFkdmlzZUByZXBzZWMuY29tPg==
    =ro8H
    -----END PGP PUBLIC KEY BLOCK-----
    
    Copyright May 1998  RepSec, Inc.
    
    The information in this document is provided as a service to customers
    of RepSec, Inc.  Neither RepSec, Inc., nor any of it's employees, makes
    any warranty, express or implied, or assumes any legal liability or
    responsibility for the accuracy, completeness, or usefulness of any
    information, apparatus, product, or process contained herein, or
    represents that its use would not infringe any privately owned rights.
    Reference herein to any specific commercial products, process, or
    services by trade name, trademark, manufacturer, or otherwise, does not
    necessarily constitute or imply its endorsement, recommendation or
    favoring by RepSec, Inc.  The views and opinions of authors express
    herein do no necessarily state or reflect those of RepSec, Inc., and may
    not be used for advertising or product endorsement purposes.
    
    The material in this alert advisory may be reproduced and distributed,
    without permission, in whole or in part, by other security incident
    response teams (both commercial and non-commercial), provided the above
    copyright is kept intact and due credit is given to RepSec, Inc.
    
    This alert advisory may be reproduced and distributed, without
    permission, in its entirety only, by any person provided such
    reproduction and/or distribution is performed for non-commercial
    purposes and with the intent of increasing the awareness of the Internet
    community.
    
    ---------------------------------------------------------------------------
    
    RepSec, Inc. are trademarks of RepSec, Inc.  All other trademarks are
    property of their respective holders. 
    
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:36 PDT