Multiple Vendor XDR Implementation Remote Buffer Overflow Vulnerability
Release date: 2003-03-19
Last updated: 2003-03-21
Affected systems:
GNU glibc
MIT kadmind server
Multiple Vendor RPC XDR library
- Debian Linux 3.0
- FreeBSD 5.0
- FreeBSD 4.7
- FreeBSD 4.6
- HP HP-UX 11.22
- HP HP-UX 11.20
- HP HP-UX 11.11
- IBM AIX 5.1
- IBM AIX 4.3.3
- RedHat Linux 8.0
- RedHat Linux 7.3
- RedHat Linux 7.2
- RedHat Linux 7.1
- RedHat Linux 7.0
- RedHat Linux 6.2
- Sun Solaris 9.0
- Sun Solaris 8.0
- Sun Solaris 7.0
- Sun Solaris 2.6
BUGTRAQ ID: 7123
CVE(CAN) ID: CVE-2003-0028
Description:
XDR (External Data Representation) is a library that provides a platform-independent encoding for passing data from a process on one system to a process on another. It is the encoding layer of Sun RPC and is therefore linked into many RPC-based network services, including the MIT Kerberos kadmind server listed above.
The xdrmem_getbytes() function in the XDR library originally written by Sun Microsystems, and in the many vendor implementations derived from it, mishandles the sign of the requested length (an integer overflow / signedness bug). A remote attacker can exploit this against any application that decodes attacker-supplied XDR data and may be able to execute arbitrary code with the privileges of the affected process.
The problem is in xdrmem_getbytes() at line 168 of 'usr/src/lib/libnsl/rpc/xdr_mem.c' (Solaris source):
    static bool_t
    xdrmem_getbytes(XDR *xdrs, caddr_t addr, int len)
    {
        int tmp;
        trace2(TR_xdrmem_getbytes, 0, len);
        if ((tmp = (xdrs->x_handy - len)) < 0) {          <--- VULNERABILITY
            syslog(LOG_WARNING,
            .....
            .....
            return (FALSE);
        }
        xdrs->x_handy = tmp;
        (void) memcpy(addr, xdrs->x_private, len);       <--- VULNERABILITY
        xdrs->x_private += len;
        trace1(TR_xdrmem_getbytes, 1);
        return (TRUE);
    }
In the code above "len" is a signed int, so a negative "len" leads to a buffer overflow. The check
    if ((tmp = (xdrs->x_handy - len)) < 0) {   --> bypassed
never fires for a negative length: subtracting a negative number from x_handy makes tmp larger, not smaller, so it is never below zero. The copy that follows, memcpy(addr, xdrs->x_private, len), takes its count as a size_t, so the negative len becomes a very large unsigned value and memcpy() reads far past the end of the XDR stream and writes far past the end of the destination buffer. An attacker can therefore craft XDR-encoded input whose length field has the sign bit set (any value of 0x80000000 or above in the 32-bit length word) to trigger the bug. Depending on how the caller invokes xdrmem_getbytes(), in particular where the destination buffer lives and how large it is, the write overruns an already allocated heap buffer, i.e. a heap overflow. At minimum the attacker can crash the remote service; by exploiting the behaviour of the particular memcpy() implementation it may also be possible to corrupt memory in a controlled way and execute arbitrary code.
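The length-check bypass described above, as an added example that is not part of the original advisory and not Sun's, glibc's or any vendor's code: a minimal stand-in XDR memory stream with the vulnerable signed check beside the unsigned check that the glibc fix adopted, run over four constructed opaque<> messages (a benign one, one whose length field has the sign bit set, one whose length is merely larger than the data, and one truncated mid-payload). The struct, function and message names (xdr_mem_t, vuln_len_check_passes, fixed_getbytes, vuln_check_on, decode_opaque, kBenignMsg and friends) are invented for the example; the vulnerable path deliberately stops before memcpy(), because with a negative length the copy would be about 4 GB in a 32-bit process.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the XDR memory stream (hypothetical, not libnsl's struct):
 * x_private points at the next unread byte, x_handy counts bytes still readable. */
typedef struct {
    const unsigned char *x_private;
    unsigned int x_handy;
} xdr_mem_t;

/* Read one big-endian 32-bit XDR integer, the encoding of every XDR length field. */
static bool xdr_get_u32(xdr_mem_t *x, uint32_t *out)
{
    if (x->x_handy < 4)
        return false;
    *out = ((uint32_t)x->x_private[0] << 24) | ((uint32_t)x->x_private[1] << 16) |
           ((uint32_t)x->x_private[2] << 8)  |  (uint32_t)x->x_private[3];
    x->x_private += 4;
    x->x_handy -= 4;
    return true;
}

/* The bounds check exactly as in the vulnerable xdrmem_getbytes(): both operands
 * are signed int. Returns true when the check passes. The memcpy() that follows
 * in the real code is intentionally omitted: with a negative len it would copy
 * (size_t)len bytes, about 4 GB in a 32-bit process. */
static bool vuln_len_check_passes(int x_handy, int len)
{
    int tmp;
    if ((tmp = (x_handy - len)) < 0)   /* 8 - (-16) == 24: a negative len sails through */
        return false;
    return true;
}

/* Hardened getbytes: unsigned request against unsigned remaining count, the shape
 * of the glibc fix (x_handy and the length became u_int). A sign bit cannot help. */
static bool fixed_getbytes(xdr_mem_t *x, void *dst, unsigned int len)
{
    if (x->x_handy < len)
        return false;
    memcpy(dst, x->x_private, len);
    x->x_private += len;
    x->x_handy -= len;
    return true;
}

/* Constructed XDR opaque<> messages (not captured traffic): 4-byte length, then
 * the payload padded to a multiple of 4. */
static const unsigned char kBenignMsg[]      = {0x00,0x00,0x00,0x05, 'h','e','l','l','o', 0,0,0};
static const unsigned char kNegativeLenMsg[] = {0xff,0xff,0xff,0xf0, 1,2,3,4,5,6,7,8}; /* len = -16 as int */
static const unsigned char kOversizedMsg[]   = {0x00,0x00,0x01,0x00, 1,2,3,4,5,6,7,8}; /* len = 256, 8 left */
static const unsigned char kTruncatedMsg[]   = {0x00,0x00,0x00,0x0c, 1,2,3,4,5,6,7,8}; /* len = 12, 8 left */

/* Does the vulnerable check accept msg's length field? 1 = accepted, 0 = rejected,
 * -1 = message too short to hold a length word. */
int vuln_check_on(const unsigned char *msg, unsigned int msglen)
{
    xdr_mem_t x = { msg, msglen };
    uint32_t len;
    if (!xdr_get_u32(&x, &len))
        return -1;
    /* A 32-bit signed len sees 0xfffffff0 as -16; the cast reproduces that view. */
    return vuln_len_check_passes((int)x.x_handy, (int32_t)len) ? 1 : 0;
}

/* Decode msg through the hardened path into a 64-byte buffer (the caller-side
 * maximum, like xdr_bytes()' maxsize). Returns bytes copied, or -1 if rejected. */
int decode_opaque(const unsigned char *msg, unsigned int msglen)
{
    static unsigned char out[64];
    xdr_mem_t x = { msg, msglen };
    uint32_t len;
    if (!xdr_get_u32(&x, &len))
        return -1;
    if (len > sizeof out)
        return -1;
    if (!fixed_getbytes(&x, out, len))
        return -1;
    return (int)len;
}

int main(void)
{
    printf("benign:       vuln check=%d  fixed decode=%d\n",
           vuln_check_on(kBenignMsg, sizeof kBenignMsg), decode_opaque(kBenignMsg, sizeof kBenignMsg));
    printf("negative len: vuln check=%d  fixed decode=%d\n",
           vuln_check_on(kNegativeLenMsg, sizeof kNegativeLenMsg), decode_opaque(kNegativeLenMsg, sizeof kNegativeLenMsg));
    printf("oversized:    vuln check=%d  fixed decode=%d\n",
           vuln_check_on(kOversizedMsg, sizeof kOversizedMsg), decode_opaque(kOversizedMsg, sizeof kOversizedMsg));
    printf("truncated:    vuln check=%d  fixed decode=%d\n",
           vuln_check_on(kTruncatedMsg, sizeof kTruncatedMsg), decode_opaque(kTruncatedMsg, sizeof kTruncatedMsg));
    return 0;
}
```

The contrast to watch is the second message: the vulnerable check accepts the 0xfffffff0 length because it compares signed values, while the oversized and truncated messages are rejected by both paths. The fix is not a larger buffer but the unsigned comparison, which is exactly why the glibc change turned x_handy and the x_inline length argument into u_int.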
<*Source: Marc Maiffret (marc@eeye.com)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=104810574423662&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=104811387401008&w=2
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt
http://www.cert.org/advisories/CA-2003-10.html
https://www.redhat.com/support/errata/RHSA-2003-089.html
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:05.xdr.asc
*>
Recommendations:
Vendor patches:
FreeBSD
-------
FreeBSD has released security advisory FreeBSD-SA-03:05 and a corresponding patch:
FreeBSD-SA-03:05: remote denial-of-service in XDR encoder/decoder
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:05.xdr.asc
Patch download:
Do one of the following:
1) Upgrade your vulnerable system to the FreeBSD 4-STABLE branch; or
to the RELENG_4_7 (4.7-RELEASE-p8), RELENG_4_6 (4.6-RELEASE-p11), or
RELENG_5_0 (5.0-RELEASE-p5) security branch dated after the correction
date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 4.6, and 4.7
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch.asc
The following patch has been verified to apply to FreeBSD 5.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system as described in
<URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
Note that any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.
All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.
GNU
---
GNU glibc
GNU C Library 2.3.1 is affected, as are earlier versions. The following fix has been committed to the glibc CVS tree and should be included in the next glibc release. Patch locations:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc
2002-12-16 Roland McGrath
* sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
* sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
* sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.
2002-12-13 Paul Eggert
* sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
is now u_int, not int.
(struct XDR.x_handy): Now u_int, not int.
* sunrpc/xdr_mem.c: Include .
(xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
x_handy is now unsigned, not signed.
Do not decrement x_handy if no change is made.
(xdrmem_setpos): Check for int overflow.
* sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
(xdr_sizeof): Remove cast that is now unnecessary, now that
x_handy is unsigned.
IBM
---
AIX 4.3.3, 5.1.0 and 5.2.0 are affected. IBM has issued the following official fixes:
APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231
Contact the vendor to obtain the corresponding patches.
MIT
---
MIT Kerberos Development Team
Exploiting this vulnerability can crash the kadmind server process or disclose sensitive information such as keys. Patch download:
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt
RedHat
------
Red Hat has released security advisory RHSA-2003:089-00 and corresponding updated packages:
RHSA-2003:089-00: Updated glibc packages fix vulnerabilities in RPC XDR decoder
Link: https://www.redhat.com/support/errata/RHSA-2003-089.html
Package download:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-29.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-29.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.9.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/glibc-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-common-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/nscd-2.2.4-18.7.0.9.i386.rpm
i686:
ftp://updates.redhat.com/7.0/en/os/i686/glibc-2.2.4-18.7.0.9.i686.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/glibc-2.2.4-32.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/glibc-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-common-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-devel-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-profile-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/nscd-2.2.4-32.i386.rpm
i686:
ftp://updates.redhat.com/7.1/en/os/i686/glibc-2.2.4-32.i686.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/glibc-2.2.4-32.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/glibc-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-common-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-devel-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-profile-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nscd-2.2.4-32.i386.rpm
i686:
ftp://updates.redhat.com/7.2/en/os/i686/glibc-2.2.4-32.i686.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-common-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-devel-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-profile-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nscd-2.2.4-32.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/glibc-2.2.5-43.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/glibc-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-common-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-debug-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-debug-static-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-devel-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-profile-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-utils-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/nscd-2.2.5-43.i386.rpm
i686:
ftp://updates.redhat.com/7.3/en/os/i686/glibc-2.2.5-43.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/glibc-debug-2.2.5-43.i686.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/glibc-2.3.2-4.80.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/glibc-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-common-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-devel-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-debug-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-profile-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-debug-static-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/nscd-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-utils-2.3.2-4.80.i386.rpm
i686:
ftp://updates.redhat.com/8.0/en/os/i686/glibc-2.3.2-4.80.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/glibc-debug-2.3.2-4.80.i686.rpm
Install the updated packages with:
rpm -Fvh [filename]
Processes that are already running keep the old glibc mapped until they are restarted, so restart every affected RPC service (or reboot) after the update.
Sun
---
Solaris 2.6, 7, 8 and 9 are affected. Sun will publish a Sun Alert notification and patch information at:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/51884