OpenAFS Security Advisory 2002-001: Remote root vulnerability in OpenAFS servers

From: Derrick J Brashear (shadowat_private)
Date: Sat Aug 03 2002 - 16:52:33 PDT
Next message: Stan Bubrouski: "Advisory: ArGoSoft Mail Server Pro 1.8.1.7 DoS"
Previous message: Steven M. Christey: "Re: [Full-Disclosure] Re: Clarification on Xitami DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----

		  OpenAFS Security Advisory 2002-001

Topic: Remote root vulnerability in OpenAFS servers

Issued:      03-Aug-2002
Last Update: 03-Aug-2002
Severity:    High
Affected:    OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2

A remote user may be able to gain root access to an OpenAFS database
server or fileserver host.  In addition, certain administrative clients
may be attacked if they make requests to a rogue server.

SUMMARY
=======

There is an integer overflow bug in the SUNRPC-derived RPC library
used by OpenAFS that could be exploited to crash certain OpenAFS
servers (volserver, vlserver, ptserver, buserver) or to obtain
unauthorized root access to a host running one of these processes.

In addition, it is possible for a rogue server to attack certain
administrative clients (vos, pts, backup, butc, rxstat), but only
if certain RPC requests are made to the rogue server.

The OpenAFS fileserver and cache manager (client) are not vulnerable
to these attacks.  No exploits are presently known to be available
for this vulnerability.

IMPACT
======

A remote attacker can potentially execute arbitrary code on an OpenAFS
server host with the privileges of the user running the OpenAFS server
processes (usually root).  This can lead to compromise of the OpenAFS
administrative databases, data stored on a compromised server, or
possible root access on a server host.  Once a server host has been
compromised, the attacker is able to obtain access to any other OpenAFS
servers in the same cell.

AFFECTED SOFTWARE
=================

All releases of OpenAFS 1.0.x and 1.1.x.
All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.5.
All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.

FIXES
=====

The OpenAFS project recommends that all users upgrade to OpenAFS
1.2.6 or newer.  The latest stable OpenAFS release is always available
from http://www.openafs.org/release/latest.html.

No update is presently available for the OpenAFS-unstable series.

For those who are unable to upgrade, apply the following patch to
correct the XDR vulnerability, and rebuild your tree.

===================================================================
RCS file: /cvs/openafs/src/rx/Makefile.in,v
retrieving revision 1.4.2.1
retrieving revision 1.4.2.2
diff -u -r1.4.2.1 -r1.4.2.2
- --- openafs/src/rx/Makefile.in	2002/01/20 08:38:38	1.4.2.1
+++ openafs/src/rx/Makefile.in	2002/08/02 02:45:14	1.4.2.2
@@ -38,7 +38,7 @@
 # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx).
 # Really the xdr stuff should be in its own directory.
 #
- -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
+XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
 
 RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
 	rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o  rx_trace.o rx_conncache.o \
===================================================================
RCS file: /cvs/openafs/src/rx/xdr.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- --- openafs/src/rx/xdr.c	2002/06/08 04:43:38	1.4
+++ openafs/src/rx/xdr.c	2002/07/31 23:13:09	1.5
@@ -558,6 +558,8 @@
 	u_int size;
 	u_int nodesize;
 
+        if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1;
+
 	/*
 	 * first deal with the length since xdr strings are counted-strings
 	 */
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_array.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- --- openafs/src/rx/xdr_array.c	2001/08/08 00:03:57	1.4
+++ openafs/src/rx/xdr_array.c	2002/07/31 23:13:09	1.5
@@ -84,7 +84,10 @@
 	register caddr_t target = *addrp;
 	register u_int c;  /* the actual element count */
 	register bool_t stat = TRUE;
- -	register int nodesize;
+	register u_int nodesize;
+
+        i = ((~0) >> 1) / elsize;
+        if (maxsize > i) maxsize = i;
 
 	/* like strings, arrays are really counted arrays */
 	if (! xdr_u_int(xdrs, sizep)) {
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- --- openafs/src/rx/xdr_arrayn.c	2001/08/08 00:03:57	1.4
+++ openafs/src/rx/xdr_arrayn.c	2002/07/31 23:13:09	1.5
@@ -89,7 +89,10 @@
 	register caddr_t target = *addrp;
 	register u_int c;  /* the actual element count */
 	register bool_t stat = TRUE;
- -	register int nodesize;
+	register u_int nodesize;
+
+        i = ((~0) >> 1) / elsize;
+        if (maxsize > i) maxsize = i;
 
 	/* like strings, arrays are really counted arrays */
 	if (! xdr_u_int(xdrs, sizep)) {
===================================================================

This patch may also be found at:

    http://www.openafs.org/security/xdr-updates-20020731.delta

The associated detached PGP signature is at

    http://www.openafs.org/security/xdr-updates-20020731.delta.asc

It was generated against OpenAFS 1.2.5, but should apply to earlier
releases, possibly with some offset.

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

    http://www.openafs.org/security/

The main OpenAFS web page is at:

    http://www.openafs.org/

ACKNOWLEDGMENTS
===============

Thanks to ISS for discovery of the vulnerability.

Thanks to Nickolai Zeldovich for assistance in discovering the
particulars of this bug and developing a fix.

Thanks also to Tom Yu and the MIT Kerberos Development Team for their
advisory MITKRB5-SA-2002-001, the form and much of the text of which
was shamelessly stolen to produce this alert.

DETAIL
======

The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow.  An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.

Several uses of xdr_array() in various AFS protocols are unsafe in an
environment where this bug exists.  In particular, any use of a
counted array with unbounded size (represented in the Rx protocol
description with an empty pair of angle brackets '<>') is unsafe.  Such
uses appear in input arguments to procedures in the PTS, VLDB, volserver,
and backup database protocols, and output arguments from procedures in all
of these protocols and in the Rx statistics interface implemented by most
OpenAFS servers.

A remote user may be able to use the buffer overflow to execute arbitrary
code on the server under attack, possibly leading to unauthorized root
access.  Similarly a rogue server may be able to use the buffer overflow
to attack a client which makes one of the RPC's with unsafe output
arguments.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQBVAwUBPUxo8bD+655x7JNnAQGOYAH/ZzSzw5FyLI8YTmgJH4qSO7rKQVpy8F+L
aIU3Xy4HngBpYALsOrJLkCI7h966Li00YhyXgsm4UW9NzbCORc80Kw==
=iILR
-----END PGP SIGNATURE-----
Next message: Stan Bubrouski: "Advisory: ArGoSoft Mail Server Pro 1.8.1.7 DoS"
Previous message: Steven M. Christey: "Re: [Full-Disclosure] Re: Clarification on Xitami DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 12:33:25 PDT