SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   libc Vendors:   GNU [multiple authors]
(FreeBSD Issues Fix) 'libc' Off-by-One Overflow in realpath() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007380
SecurityTracker URL:  http://securitytracker.com/id/1007380
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 4 2003
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.3.2
Description:   A buffer overflow vulnerability was reported in libc. A remote or local user may be able to crash an application, execute arbitrary code, or gain elevated privileges on the target system. The specific impact depends on the applications that use the vulnerable realpath() function in libc.

It is reported that a user can supply a specially crafted pathname that is 1024 characters in length to the realpath() function. If the pathname string contains two or more directory separators, a buffer can be overwritten with a single byte (NULL).

The impact depends on the application that uses the vulnerable function, the underlying operating system, and other factors.

This vulnerability was originally reported in Alert ID #1007353 on July 31, 2003 (CVE: CAN-2003-0466) as a flaw in wu-ftpd. However, according to FreeBSD, the vulnerability resides in the underlying 'libc' realpath() function.

Janusz Niewiadomski <funkysh@isec.pl> and Wojciech Purczynski <cliph@isec.pl> are credited with reporting this flaw.

Impact:   A remote or local user may be able to cause the system to crash or arbitrary code to be executed. The specific impact depends on the application that uses the affected function.
Solution:   FreeBSD has released a fix for libc. FreeBSD also notes that many FreeBSD applications use the affected realpath(3) function. They report that lukemftpd(8) and sftp-server(8) applications are vulnerable.

The vendor advises that you should upgrade to 4.8-STABLE or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches dated after the respective correction dates.

Or, a patch is available. The patch installation instructions are described in the Source Message. [Editor's note: The patch was not yet available at the time of this entry.]

Cause:   Boundary error
Underlying OS:  UNIX (FreeBSD)
Underlying OS Comments:  3, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 5.0

Message History:   This archive entry is a follow-up to the message listed below.
Aug 4 2003 'libc' Off-by-One Overflow in realpath() May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Date:  Sun, 3 Aug 2003 17:04:31 -0700 (PDT)
Subject:  FreeBSD Security Advisory FreeBSD-SA-03:08.realpath


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:08.realpath                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Single byte buffer overflow in realpath(3)

Category:       core
Module:         libc
Announced:      2003-08-03
Credits:        Janusz Niewiadomski <funkysh@isec.pl>,
                Wojciech Purczynski <cliph@isec.pl>,
                CERT/CC
Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
                and 5.0-RELEASE
                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
                2003-08-03 23:43:43 UTC (RELENG_4_8)
                2003-08-03 23:44:12 UTC (RELENG_4_7)
                2003-08-03 23:44:36 UTC (RELENG_4_6)
                2003-08-03 23:44:56 UTC (RELENG_4_5)
                2003-08-03 23:45:41 UTC (RELENG_4_4)
                2003-08-03 23:46:03 UTC (RELENG_4_3)
                2003-08-03 23:47:39 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

The realpath(3) function is used to determine the canonical,
absolute pathname from a given pathname which may contain extra
``/'' characters, references to ``/./'' or ``/../'', or references
to symbolic links.  The realpath(3) function is part of the FreeBSD
Standard C Library.

II.  Problem Description

An off-by-one error exists in a portion of realpath(3) that computes
the length of the resolved pathname.  As a result, if the resolved
path name is exactly 1024 characters long and contains at least
two directory separators, the buffer passed to realpath(3) will be
overwritten by a single NUL byte.

III. Impact

Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.  The
impact on an individual application is highly dependent upon the
source of the pathname passed to realpath, the position of the output
buffer on the stack, the architecture on which the application is
running, and other factors.

Within the FreeBSD base system, several applications use realpath(3).
Two applications which are negatively impacted are:

(1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
    process the MLST and MLSD commands.  [lukemftpd(8) is not built or
    installed by default.]

(2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
    chdir commands.

In both of the cases above, the realpath(3) vulnerability may be
exploitable, leading to arbitrary code execution with the privileges
of the authenticated user.  This is probably only of concern on
otherwise `closed' servers, e.g. servers without shell access.

At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
the following applications which appear to use realpath(3).  These
applications have not been audited, and may or may not be vulnerable.
There may be additional applications in the FreeBSD Ports Collection
that use realpath(3), particularly statically-linked applications and
applications added since 4.8-RELEASE.

BitchX-1.0c19_1
Mowitz-0.2.1_1
XFree86-clients-4.3.0_1
abcache-0.14
aim-1.5.234
analog-5.24,1
anjuta-1.0.1_1
aolserver-3.4.2
argus-2.0.5
arm-rtems-gdb-5.2_1
avr-gdb-5.2.1
ccache-2.1.1
cdparanoia-3.9.8_4
cfengine-1.6.3_4
cfengine2-2.0.3
cmake-1.4.7
comserv-1.4.3
criticalmass-0.97
dedit-0.6.2.3_1
drweb_postfix-4.29.10a
drweb-4.29.2
drweb_sendmail-4.29.10a
edonkey-gui-gtk-0.5.0
enca-0.10.7
epic4-1.0.1_2
evolution-1.2.2_1
exim-3.36_1
exim-4.12_5
exim-ldap-4.12_5
exim-ldap2-4.12_5
exim-mysql-4.12_5
exim-postgresql-4.12_5
fam-2.6.9_2
fastdep-0.15
feh-1.2.4_1
ferite-0.99.6
fileutils-4.1_1
finfo-0.1
firebird-1.0.2
firebird-1.0.r2
frontpage-5.0.2.2623_1
galeon-1.2.8
galeon2-1.3.2_1
gdb-5.3_20030311
gdb-5.2.1_1
gdm2-2.4.1.3
gecc-20021119
gentoo-0.11.34
gkrellmvolume-2.1.7
gltron-0.61
global-4.5.1
gnat-3.15p
gnomelibs-1.4.2_1
gprolog-1.2.16
gracula-3.0
gringotts-1.2.3
gtranslator-0.43_1
gvd-1.2.5
hercules-2.16.5
hte-0.7.0
hugs98-200211
i386-rtems-gdb-5.2_1
i960-rtems-gdb-5.2_1
installwatch-0.5.6
ivtools-1.0.6
ja-epic4-1.0.1_2
ja-gnomelibs-1.4.2_1
ja-msdosfs-20001027
ja-samba-2.2.7a.j1.1_1
kdebase-3.1_1
kdelibs-3.1
kermit-8.0.206
ko-BitchX-1.0c16_3
ko-msdosfs-20001027
leocad-0.73
libfpx-1.2.0.4_1
libgnomeui-2.2.0.1
libpdel-0.3.4
librep-0.16.1_1
linux-beonex-0.8.1
linux-divxplayer-0.2.0
linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
linux-gnomelibs-1.2.8_2
linux-mozilla-1.2
linux-netscape-communicator-4.8
linux-netscape-navigator-4.8
linux-phoenix-0.3
linux_base-6.1_4
linux_base-7.1_2
lsh-1.5.1
lukemftpd-1.1_1
m68k-rtems-gdb-5.2_1
mips-rtems-gdb-5.2_1
mod_php4-4.3.1
moscow_ml-2.00_1
mozilla-1.0.2_1
mozilla-1.2.1_1,2
mozilla-1.2.1_2
mozilla-1.3b,1
mozilla-1.3b
mozilla-embedded-1.0.2_1
mozilla-embedded-1.2.1_1,2
mozilla-embedded-1.3b,1
msyslog-1.08f_1
netraider-0.0.2
openag-1.1.1_1
openssh-portable-3.5p1_1
openssh-3.5
p5-PPerl-0.23
paragui-1.0.2_2
powerpc-rtems-gdb-5.2_1
psim-freebsd-5.2.1
ptypes-1.7.4
pure-ftpd-1.0.14
qiv-1.8
readlink-20010616
reed-5.4
rox-1.3.6_1
rox-session-0.1.18_1
rpl-1.4.0
rpm-3.0.6_6
samba-2.2.8
samba-3.0a20
scrollkeeper-0.3.11_8,1
sh-rtems-gdb-5.2_1
sharity-light-1.2_1
siag-3.4.10
skipstone-0.8.3
sparc-rtems-gdb-5.2_1
squeak-2.7
squeak-3.2
swarm-2.1.1
tcl-8.2.3_2
tcl-8.3.5
tcl-8.4.1,1
tcl-thread-8.1.b1
teTeX-2.0.2_1
wine-2003.02.19
wml-2.0.8
worker-2.7.0
xbubble-0.2
xerces-c2-2.1.0_1
xerces_c-1.7.0
xnview-1.50
xscreensaver-gnome-4.08
xscreensaver-4.08
xworld-2.0
yencode-0.46_1
zh-cle_base-0.9p1
zh-tcl-8.3.0
zh-tw-BitchX-1.0c19_3
zh-ve-1.0
zh-xemacs-20.4_1

IV.  Workaround

There is no generally applicable workaround.

OpenSSH's sftp-server(8) may be disabled by editing
/etc/ssh/sshd_config and commenting out the following line by
inserting a `#' as the first character:

  Subsystem       sftp    /usr/libexec/sftp-server

lukemftpd(8) may be replaced by the default ftpd(8).

V.   Solution

1) Upgrade your vulnerable system to 4.8-STABLE
or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.  The following patch
has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
5.0-RELEASE.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your operating system as described in
<URL:http://www.freebsd.org/doc/handbook/makeworld.html>.

NOTE WELL:  Any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.

All affected applications must be restarted for them to use the
corrected library.  Though not required, rebooting may be the easiest
way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_3
  src/lib/libc/stdlib/realpath.c                                  1.6.2.1
RELENG_4_3
  src/UPDATING                                             1.73.2.28.2.32
  src/lib/libc/stdlib/realpath.c                                  1.9.4.1
  src/sys/conf/newvers.sh                                  1.44.2.14.2.22
RELENG_4_4
  src/UPDATING                                             1.73.2.43.2.45
  src/lib/libc/stdlib/realpath.c                                  1.9.6.1
  src/sys/conf/newvers.sh                                  1.44.2.17.2.36
RELENG_4_5
  src/UPDATING                                             1.73.2.50.2.44
  src/lib/libc/stdlib/realpath.c                                  1.9.8.1
  src/sys/conf/newvers.sh                                  1.44.2.20.2.28
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.42
  src/lib/libc/stdlib/realpath.c                                 1.9.10.1
  src/sys/conf/newvers.sh                                  1.44.2.23.2.31
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.14
  src/lib/libc/stdlib/realpath.c                                 1.9.12.1
  src/sys/conf/newvers.sh                                  1.44.2.26.2.13
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.3
  src/lib/libc/stdlib/realpath.c                                 1.9.14.1
  src/sys/conf/newvers.sh                                   1.44.2.29.2.2
RELENG_5_0
  src/UPDATING                                                 1.229.2.14
  src/lib/libc/stdlib/realpath.c                                 1.11.2.1
  src/sys/conf/newvers.sh                                        1.48.2.9
- -------------------------------------------------------------------------

VII.  References

<URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
<URL:http://www.kb.cert.org/vuls/id/743092>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/LaFvFdaIBMps37IRAoO6AJ4zTutkdp69fekZGR1AcZTr4/HdVgCeK6v3
u9B/doXT8ns+tkXTCb7DX7M=
=oS/F
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC