[ISN] EEYE: XDR Integer Overflow

From: InfoSec News (isnat_private)
Date: Thu Mar 20 2003 - 23:04:32 PST

  • Next message: InfoSec News: "[ISN] Windows flaw opens PCs to attack"

    Forwarded from: "Marc Maiffret" <marcat_private>
    
    XDR Integer Overflow
    
    Release Date:
    March 19, 2003
    
    Severity:
    High (Remote Code Execution/Denial of Service)
    
    Systems Affected:
    
    Sun Microsystems Network Services Library (libnsl)
    BSD-derived libraries with XDR/RPC routines (libc)
    GNU C library with sunrpc (glibc)
    
    Description:
    
    XDR is a standard for the description and encoding of data which is used
    heavily in RPC implementations. Several libraries exist that allow a
    developer to incorporate XDR into his or her applications. Vulnerabilities
    were discovered in these libraries during the testing of new Retina auditing
    technologies developed by the eEye research department.
    
    ADAM and EVE are two technologies developed by eEye to remotely and locally
    audit applications for the existence of common vulnerabilities. During an
    ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR
    library. By supplying specific integer values in length fields during an RPC
    transaction, we were able to produce various overflow conditions in UNIX RPC
    services.
    
    Technical Description:
    
    The xdrmem_getbytes() function in the XDR library provided by Sun
    Microsystems contains an integer overflow. Depending on the location and use
    of the vulnerable xdrmem_getbytes() routine, various conditions may be
    presented that can permit an attacker to remotely exploit a service using
    this vulnerable routine.
    
    For the purpose of signature development and further security research a
    sample session is included below that replicates an integer overflow in the
    rpcbind shipped with various versions of the Solaris operating system.
    
    char evil_rpc[] =
    
    "\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
    "\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
    "\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
    "\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
    "\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
    "\xFF\xFF\xFF\xFF" // RPC argument length
    "EEYECLIPSE2003";
    
    Vendor Status:
    
    Sun Microsystems was contacted on November 13, 2002 and CERT was contacted
    shortly afterwards. Vendors believed to be vulnerable were contacted by CERT
    during a grace period of several months. Due to some difficulties
    communicating with vendors, after rescheduling several times a release date
    was set for March 18, 2003.
    
    eEye recommends obtaining the necessary patches or updates from vendors as
    they become available after the release of this and the CERT advisory.
    
    For a list of vendors and their responses, please review the CERT advisory
    at: http://www.cert.org/advisories/CA-2003-10.html
    
    You can find the latest copy of this advisory, along with other eEye
    research at http://www.eeye.com/.
    
    Credit:
    Riley Hassell - Senior Research Associate
    
    Greetings:
    Liver destroyers of the world:
    Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
    
    Copyright (c) 1998-2003 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alertat_private for
    permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    infoat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 01:56:03 PST