AUSCERT External Security Bulletin Redistribution

                 ESB-2002.394 -- CERT Advisory CA-2002-25
                      Integer Overflow In XDR Library
                               6 August 2002


        AusCERT Security Bulletin Summary

Product:                XDR Library
                        Sun Microsystems network services library (libnsl)
                        BSD-derived libraries with XDR/RPC routines (libc)
                        GNU C library with sunrpc (glibc)
Vendor:                 CERT/CC
Impact:                 Denial of Service
                        Root Compromise
                        Execute Arbitrary Code/Commands
                        Access Privileged Data
Access Required:        Remote

Ref:                    AL-2002.09

- --------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2002-25 Integer Overflow In XDR Library

   Original release date: August 05, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Applications  using  vulnerable  implementations of SunRPC-derived XDR
   libraries, which include, but are not limited to:

     * Sun Microsystems network services library (libnsl)
     * BSD-derived libraries with XDR/RPC routines (libc)
     * GNU C library with sunrpc (glibc)


   There  is  an  integer  overflow  present  in the xdr_array() function
   distributed as part of the Sun Microsystems XDR library. This overflow
   has  been  shown  to  lead to remotely exploitable buffer overflows in
   multiple  applications,  leading  to  the execution of arbitrary code.
   Although  the  library was originally distributed by Sun Microsystems,
   multiple  vendors  have  included  the  vulnerable  code  in their own

I. Description

   The  XDR  (external data representation) libraries are used to provide
   platform-independent  methods for sending data from one system process
   to  another,  typically  over  a network connection. Such routines are
   commonly  used  in  remote  procedure  call  (RPC)  implementations to
   provide transparency to application programmers who need to use common
   interfaces  to  interact  with  many  different  types of systems. The
   xdr_array()  function  in the XDR library provided by Sun Microsystems
   contains an integer overflow that can lead to improperly sized dynamic
   memory  allocation.  Subsequent  problems  like  buffer  overflows may
   result, depending on how and where the vulnerable xdr_array() function
   is used.

   This  issue is currently being tracked as VU#192995 by the CERT/CC and
   CAN-2002-0391  in  the  Common  Vulnerabilities  and  Exposures  (CVE)

II. Impact

   Because  SunRPC-derived XDR libraries are used by a variety of vendors
   in  a  variety  of  applications,  this defect may lead to a number of
   differing  security  problems. Exploiting this vulnerability will lead
   to  denial  of service, execution of arbitrary code, or the disclosure
   of sensitive information.

   Specific  impacts  reported  include  the ability to execute arbitrary
   code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind,
   for  example).  In addition, intruders who exploit the XDR overflow in
   MIT  KRB5  kadmind  may  be able to gain control of a Key Distribution
   Center  (KDC)  and  improperly authenticate to other services within a
   trusted Kerberos realm.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   As  vendors report new information to the CERT/CC, we will update this
   section  and note the changes in our revision history. If a particular
   vendor  is  not listed below or in the vulnerability note, we have not
   received their comments. Please contact your vendor directly.

   Note  that  XDR libraries can be used by multiple applications on most
   systems.  It may be necessary to upgrade or apply multiple patches and
   then recompile statically linked applications.

   Applications  that  are  statically  linked  must  be recompiled using
   patched  libraries.  Applications  that  are dynamically linked do not
   need  to be recompiled; however, running services need to be restarted
   in order to use the patched libraries.

   System  administrators  should  consider  the  following  process when
   addressing this issue:

    1. Patch or obtain updated XDR/RPC libraries.
    2. Restart  any  dynamically  linked  services  that  make use of the
       XDR/RPC libraries.
    3. Recompile  any statically linked applications using the patched or
       updated XDR/RPC libraries.

Disable access to vulnerable services or applications

   Until  patches  are  available  and  can  be  applied, you may wish to
   disable   access   to  services  or  applications  compiled  with  the
   vulnerable  xdr_array()  function.  Such applications include, but are
   not limited to, the following:

     * DMI Service Provider daemon (dmispd)
     * CDE Calendar Manager Service daemon (rpc.cmsd)
     * MIT Kerberos 5 Administration daemon (kadmind)

   As a best practice, the CERT/CC recommends disabling all services that
   are not explicitly required.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular   vendor   is   not  listed  below  or  in  the  individual
   vulnerability notes, we have not received their comments.

Apple Computer, Inc.

   The vulnerability described in this note is fixed with Security Update

Debian GNU/Linux

   The  Debian  GNU/Linux  distribution was vulnerable with regard to the
   the  XDR  problem  as  stated  above  with the following vulnerability

                       OpenAFS                Kerberos5             GNU libc
                       _______                _________             ________
 Debian 2.2 (potato)   not included           not included          vulnerable
 Debian 3.0 (woody)    vulnerable(DSA 142-1)  vulnerable(DSA 143-1) vulnerable
 Debian unstable (sid) vulnerable(DSA 142-1)  vulnerable(DSA 143-1) vulnerable

   However,  the  following advisories were raised recently which contain
   and announced fixes:

     DSA  142-1  OpenAFS  (safe  version  are: 1.2.3final2-6 (woody) and
     1.2.6-1 (sid))

     DSA  143-1  Kerberos5  (safe version are: 1.2.4-5woody1 (woody) and
     1.2.5-2 (sid))

   The  advisory  for  the  GNU  libc  is  pending, it is currently being
   recompiled. The fixed versions will probably be:

     Debian 2.2 (potato) glibc 2.1.3-23 or later
     Debian 3.0 (woody) glibc 2.2.5-11 or later
     Debian unstable (sid) glibc 2.2.5-12 or later

GNU glibc

   Version   2.2.5  and  earlier  versions  of  the  GNU  C  Library  are
   vulnerable.  For  Version  2.2.5, we suggest the following patch. This
   patch is also available from the GNU C Library CVS repository at:


     2002-08-02 Jakub Jelinek <jakub@redhat.com>

     * sunrpc/xdr_array.c    (xdr_array):    Check    for   overflow   on
       multiplication. Patch by Solar Designer <solar@openwall.com>.

     [ text of diff available in CVS repository link above --CERT/CC ]

FreeBSD, Inc.

   Please see

Hewlett-Packard Company

   SOURCE: Hewlett-Packard Company

   RE: Potential RPC XDR buffer overflow

   At  the  time  of  writing this document, Hewlett Packard is currently
   investigating  the  potential impact to HP's released operating System
   software products.

   As further information becomes available HP will provide notice of the
   availability  of  any  necessary  patches  through  standard  security
   bulletin  announcements  and be available from your normal HP Services
   support channel.

Juniper Networks

   The  Juniper Networks SDX-300 Service Deployment System (SSC) does use
   XDR  for  communication with an ERX edge router, but does not make use
   of the Sun RPC libraries. The SDX-300 product is not vulnerable to the
   Sun RPC XDR buffer overflow as outlined in this CERT advisory.

KTH and Heimdal Kerberos

   kth-krb  and  heimdal are not vulnerable to this problem since they do
   not use any Sun RPC at all.

MIT Kerberos Development Team

   Please see

   The patch is available directly:

   The  following  detached  PGP  signature  should be used to verify the
   authenticity and integrity of the patch:


Microsoft Corporation

   Microsoft  is  currently  conducting  an  investigation  based on this
   report.  We  will  update  this  advisory  with information once it is


   Please see

Network Appliance

   NetApp systems are not vulnerable to this problem.


   OpenAFS    is    an    affected   vendor   for   this   vulnerability.
   http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt  details
   how we have dealt with the issue.

Openwall Project

   The  xdr_array(3) integer overflow was present in the glibc package on
   Openwall  GNU/*/Linux  until  2002/08/01  when  it  was  corrected for
   Owl-current and documented as a security fix in the system-wide change
   log available at:


   The  same glibc package update also fixes a very similar but different
   calloc(3)  integer overflow possibility that is currently not known to
   allow  for an attack on a particular application, but has been patched
   as  a  proactive  measure. The Sun RPC xdr_array(3) overflow may allow
   for  passive attacks on mount(8) by malicious or spoofed NFSv3 servers
   as  well  as  for  both  passive  and active attacks on RPC clients or
   services  that  one  might  install  on Owl. (There're no RPC services
   included with Owl.)

RedHat Inc.

   Red  Hat  distributes  affected packages glibc and Kerberos in all Red
   Hat  Linux distributions. We are currently working on producing errata
   packages,  when  complete  these  will  be  available  along  with our
   advisory  at  the  URLs  below.  At the same time users of the Red Hat
   Network will be able to update their systems using the 'up2date' tool.

     http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
     http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)


   SGI is currently looking into the matter, per:


Sun Microsystems, Inc.

   Sun  can  confirm  that  there is a type overflow vulnerability in the
   xdr_array(3NSL)  function  which  is  part  of  the  network  services
   library,  libnsl(3LIB),  on Solaris 2.5.1 through 9. Sun has published
   Sun  Alert 46122 which describes the issue, applications affected, and
   workaround  information.  The  Sun  Alert  will  be  updated  as  more
   information or patches become available and is located here:


   Sun will be publishing a Sun Security Bulletin for this issue once all
   of the patches are available which will be located at:


Appendix B. - References

    1. Manual entry for xdr_array(3)
    2. VU#192995
    3. RFC1831
    4. RFC1832
    5. Sun Alert 46122
    6. Security Alert MITKRB5-SA-2002-001-xdr
    7. Flaw in calloc and similar routines, Florian Weimer, University of
       Stuttgart, RUS-CERT, 2002-08-05

   Thanks  to  Sun Microsystems for working with the CERT/CC to make this
   document    possible.   The   initial   vulnerability   research   and
   demonstration was performed by Internet Security Systems (ISS).

   Authors: Jeffrey S. Havrilla and Cory F. Cohen.

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
August 05, 2002:  Initial release

Version: PGP 6.5.8


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key