NetBSD Security Advisory 2002-006: buffer overrun in libc/libresolv DNS resolver

From: NetBSD Security Officer (security-officerat_private)
Date: Mon Sep 16 2002 - 18:50:12 PDT

  • Next message: David Endler: "iDEFENSE Security Advisory 09.16.2002: FreeBSD Ports libkvm Security Vulnerabilities" 

    -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-006
		 =================================
		 (updated 2002/9/16)

Topic:		buffer overrun in libc/libresolv DNS resolver

Version:	NetBSD-current:	source prior to June 28, 2002
		NetBSD-1.6 beta:source prior to June 28, 2002
		NetBSD-1.5.3:   NOT affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.

		pkgsrc:		net/bind4, prior to bind-4.9.9 are affected
				net/bind8, prior to bind-8.3.3 are affected
				net/bind9, bind-9.2.1 includes vulnerable code
					(not compiled for normal use)
				emulators/compat14 prior to 1.4.3.2
				emulators/compat14-crypto prior to 1.4.3.2
				emulators/netbsd32_compat14 prior to 1.4.3.2
				emulators/compat15 prior to 1.5.3.1
					if ships with libc/libresolv shlib
				emulators/netbsd32_compat15 prior to 1.5.3.1
				emulators/* for other operating systems,
					if ships with libc/libresolv shlib
				any statically linked pkgsrc binaries
				(there could be more)

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		June 28, 2002
		NetBSD-1.6 branch:	June 28, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	July 2, 2002 (1.5.3 includes the fix)
		NetBSD-1.4 branch:	(not yet)
		pkgsrc:			net/bind4, bind-4.9.8nb1
					net/bind8, bind-8.3.3
					net/bind9, (ISC is not planning
						a release, as vulnerable
						files are not used in the
						main server or utilites by
						default.)
					emulators/compat14 1.4.3.2
					emulators/compat14-crypto 1.4.3.2
					emulators/netbsd32_compat14 1.4.3.2
					emulators/compat15 1.5.3.1
					emulators/netbsd32_compat15 1.5.3.1
					emulators/* for other operating systems
						- not yet

	NOTE: previous revisions of the advisory noted that fixed date
	was June 26.  Since BIND8 was later found to also be
	vulnerable, the fixed date for NetBSD-current was moved to Jun
	28, and branches for which pullups have not yet been completed
	or updated to distribution sites have been changed to (not
	yet).  If you have upgraded your system on June 26, you will
	need to upgrade again. Thank you for your patience with this
	complex issue.

	NOTE: previous revisions of the advisory noted that the use of
	BIND9 as caching resolver would work around the problem.
	However, it was later found to be insufficient (CERT advisory
	CA-2002-19 got updated on 2002/8/28 for this).  Therefore,
	the only fix to this problem is to upgrade your resolver
	library and any static binaries.


Abstract
========

There was a buffer-length computation bug in BIND-based DNS resolver
code.  A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.

NetBSD uses BIND4-based DNS resolver code in libc/libresolv, and is
found to be vulnerable.  We also use BIND8-based DNS resolver code in
named related tools like /usr/bin/dig, and these are vulnerable (source
located in dist/bind and usr.sbin/bind).


Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage
packet buffer parsing - a pointer to the byte we are looking at, and
the remaining length on the buffer.

The remaining length was not updated consistently, and malicious DNS
responses are able to write outside the buffer.  This may present an
attacker with the opportunity to insert arbitrary code for execution as
the user running the resolver query, potentially root.  No exploit
script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a
manner unlike the more common buffer overflows in network daemons. Any
outgoing DNS query made to a hostile server would expose the
vulnerability. The exploit path includes email sent to Netscape users
which automatically display HTML, and hostile web pages which carry
embedded objects located on servers in domains with a hostile DNS
server.

Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs,
realize that these systems are vulnerable even if behind a firewall,
since they are initiating the outgoing query.

This issue was brought to the attention of the NetBSD security-officer
with short notice, and this advisory has since been updated with
additional information.

See also:
http://www.pine.nl/advisories/pine-cert-20020601.html
http://www.kb.cert.org/vuls/id/803539
http://www.cert.org/advisories/CA-2002-19.html (revised 2002/8/28)


Solutions and Workarounds
=========================

The recent NetBSD 1.5.3 release is not vulnerable to this issue,
however very shortly after its release other vulnerabilities were
found.  Please ensure you check all relevant Security Advisories.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.

Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.

If you have NetBSD systems that have been upgraded from earlier releases
from before 1997, you may have libc and/or libresolv shared libraries
with older shared library major numbers.  Check for the presence of
/usr/lib/libc.so.X.Y where X < 12 (the current major number).  These old
libraries contain vulnerable resolver code, and will not be updated even
if you rebuild the system.  Therefore, we suggest you to remove those
old shared libraries.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-06-25
	should be upgraded to NetBSD-current dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/net
		usr.sbin/bind
		dist/bind
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P lib/libc/net usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-06-26 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/net
		usr.sbin/bind
		dist/bind
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/net \
			usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/net
		usr.sbin/bind
		dist/bind
	Also note that the include files needs to be in sync with
	code in lib/libc/net.

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net \
			usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.4.x:

	Systems running NetBSD 1.4.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-4 CVS branch:
		lib/libc/net
		usr.sbin/bind
		dist/bind

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-4 lib/libc/net \
			usr.sbin/bind dist/bind

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../../lib/libresolv
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* pkgsrc:

	bind-4.9.8 (pkgsrc/net/bind4) and prior are vulnerable.  Upgrade to
	bind-4.9.8nb1 or bind-4.9.9.  Note that BIND4 nameserver
	is considered obsolete by the vendor (ISC), and it is recommended to
	use BIND9, or BIND8.

	pkgsrc prior to bind-8.3.3 are vulnerable.  Upgrade to bind-8.3.3.

	bind-9.2.1 includes vulnerable code, however, the code will not be
	compiled by default.

	Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
	are vulnerable.  There is no fix supplied at this moment.

	If you have statically linked binaries in pkgsrc, they have to be
	rebuilt.  Statically linked binaries can be identified by the
	following command (note: be sure to include the directory you install
	pkgsrc binaries to, if you've changed LOCALBASE from the default of
	/usr/pkg)

		file /usr/pkg/{bin,sbin,libexec} | grep static

	Shared libraries for binary compatibility are available
	through pkgsrc for some operating systems, and may be
	vulnerable as noted above if installed.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.

Michael Graff for bind9 information

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-06-26	Initial release
	2002-06-27	Updated with further information on pkgsrc, and
			affected BIND releases.
	2002-06-28	Add note from Michael Graff regarding BIND9
	2002-06-28	BIND8 resolver (dist/bind) was found to be vulnerable.
			Fixed date changed from Jun 26 to Jun 28.
	2002-08-28	Remove note regarding BIND9, as it was found to be
			insufficient.
	2002-09-05	Updated information regarding recent 1.5.3 release
			and emulation pkgsrc.
	2002-09-16	Re-release with updated information


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-006.txt,v 1.40 2002/09/16 05:17:55 dan Exp $



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVpoD5Ru2/4N2IFAQGFOgP/UTJeXuOgFiB81myMTeTgeRc1H7u41W+q
nW/TJGltzApfFQJjZYDDj3TC7AfTLBFWwfrJynC4jsLFUMIcs5NMZOvWE2eiCTgz
S7QJi15B07nMfipYe3s9dJ3QQZB9YIZng1lNVa7V7Ee1fPrYt5oXHkrZfCZTOLKL
zd3yMAAQRpg=
=8/IS
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 19:28:48 PDT