SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   libc Vendors:   NetBSD
(NetBSD Issues Fix) Re: Libc Buffer Overflow in gethostnamadr() and getnetnamadr() Functions May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1004660
SecurityTracker URL:  http://securitytracker.com/id/1004660
CVE Reference:   CVE-2002-0684   (Links to External Site)
Updated:  Nov 16 2003
Original Entry Date:  Jun 30 2002
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A buffer overflow vulnerability was reported in 'libc'. A remote user with control over a DNS server could cause arbitrary code to be executed on the system when the system resolves an address.

Pine Internet released a security advisory for 'libc' warning of a buffer overflow in the resolver code of libc.

A remote user with control over a DNS server can send a specially crafted reply to the target host when the target host makes a certain DNS query.

The flaw appears to reside in the gethostnamadr() and getnetnamadr() functions.

Impact:   A remote user could cause arbitrary code to be run on the system in certain situations. The privileges that the code would run with depend on the privileges of the calling routine that uses the affected libc components.
Solution:   NetBSD has issued a fix.

Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. Users of versions older than NetBSD 1.5.3 are advised by the vendor to upgrade.

Statically-linked binaries that makes any DNS queries are vulnerable and cannot be fixed by replacing a shared library. Therefore, updating the entire system is suggested by the vendor.

NetBSD systems ship with BIND8-based nameserver and utilities, and they use separate resolver library codebase in dist/bind (not lib/libc/net). NetBSD states that they are still not certain if BIND8 is safe, and that users will need to update the following directories as well before the build if BIND8 is found to be vulnerable:

usr.sbin/bind
dist/bind


For NetBSD-current:

Systems running NetBSD-current dated from before 2002-06-25 should be upgraded to NetBSD-current dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):

lib/libc/net

To update from CVS, re-build, and re-install libc and statically linked binaries:

# cd src
# cvs update -d -P lib/libc/net

# cd lib/libc
# make cleandir dependall
# make install

# cd ../..
# make dependall
# make install


For NetBSD 1.6 betas:

Systems running NetBSD 1.6 betas dated from before 2002-06-25 should be upgraded to NetBSD 1.6 tree dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-1-6 CVS branch:

lib/libc/net

To update from CVS, re-build, and re-install libc and statically linked binaries:

# cd src
# cvs update -d -P -r netbsd-1-6 lib/libc/net

# cd lib/libc
# make cleandir dependall
# make install

# cd ../..
# make dependall
# make install


For NetBSD 1.5.x:

Systems running NetBSD 1.5.x dated from before 2002-06-25 should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-1-5 CVS branch:


lib/libc/net

To update from CVS, re-build, and re-install libc and statically linked binaries:

# cd src
# cvs update -d -P -r netbsd-1-5 lib/libc/net

# cd lib/libc
# make cleandir dependall
# make install

# cd ../..
# make dependall
# make install


For NetBSD 1.4.x:

Systems running NetBSD 1.4.x dated from before 2002-06-25 should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.

The following directories need to be updated from the netbsd-1-4 CVS branch:

lib/libc/net

To update from CVS, re-build, and re-install libc and statically linked binaries:

# cd src
# cvs update -d -P -r netbsd-1-5 lib/libc/net

# cd lib/libc
# make cleandir dependall
# make install

# cd ../..
# make dependall
# make install


For pkgsrc:

bind-4.9.8 (pkgsrc/net/bind4) is vulnerable. Upgrade to bind-4.9.8nb1 is recommended. Note that BIND4 nameserver is considered obsolete by the vendor (ISC), and it is recommended to use BIND9, or BIND8.

According to the report, it is still unclear if bind-[89] is vulnerable or not, therefore, NetBSD advises to keep yourself informed.

Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234]) are vulnerable. There is no fix supplied at this moment.

Shared libraries for binary compatibility are available through pkgsrc for some operating systems, and may be vulnerable as noted above if installed.

Vendor URL:  www.netbsd.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.5.2 and prior; 1.6 beta and current source prior to June 26, 2002

Message History:   This archive entry is a follow-up to the message listed below.
Jun 26 2002 Libc Buffer Overflow in gethostnamadr() and getnetnamadr() Functions May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2002-006: buffer overrun in libc DNS resolver



-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-006
		 =================================

Topic:		buffer overrun in libc DNS resolver

Version:	NetBSD-current:	source prior to June 26, 2002
		NetBSD-1.6 beta:source prior to June 26, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.
		pkgsrc:		net/bind4, bind-4.9.8 and before affected
				net/bind[89] may be vulnerable
				emulators/compat1[234]
				(there could be more)

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		June 26, 2002
		NetBSD-1.6 branch:	June 26, 2002 (1.6 will include the fix)
		NetBSD-1.5 branch:	June 26, 2002 (1.5.3 will include the fix)
		NetBSD-1.4 branch:	June 26, 2002 (1.4.4 will include the fix)
		pkgsrc:			net/bind4, bind-4.9.8nb1


Abstract
========

There was a buffer-length computation bug in BIND-based DNS resolver
code.  A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.

NetBSD uses BIND4-based DNS resolver code in libc, and is found to be
vulnerable.  As there is no version number identification in the pine.nl
advisory, it is uncertain if BIND8/9 resolver code (used in named related
tools like /usr/bin/dig) is totally safe either.


Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage
packet buffer parsing - a pointer to the byte we are looking at, and
the remaining length on the buffer.

The remaining length was not updated consistently, and malicious DNS
responses are able to write outside the buffer.  This may present an
attacker with the opportunity to insert arbitrary code for execution as
the user running the resolver query, potentially root.  No exploit
script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a
manner unlike the more common buffer overflows in network daemons. Any
outgoing DNS query made to a hostile server would expose the
vulnerability. The exploit path includes email sent to Netscape users
which automatically display HTML, and hostile web pages which carry
embedded objects located on servers in domains with a hostile DNS
server.

Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs,
realize that these systems are vulnerable even if behind a firewall,
since they are initiating the outgoing query.

As a workaround, it is highly worthwhile considering pointing your
client systems at a patched nameserver that does recusive resolution,
and blocking all direct query/responses at a gateway or firewall system.
This will allow central control over your network environment, and
protection while updates are being made to individual clients.


This issue was brought to the attention of the NetBSD security-officer
very recently. Unfortunately, coordination to deliver a full set of
updated binary releases was not possible, and given the severity of this
issue, this Advisory is being released immediately.

Updates will be made to this advisory providing additional pointers to
upgrade resources as available.

See also:
http://www.pine.nl/advisories/pine-cert-20020601.html


Solutions and Workarounds
=========================

Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. This is a reminder
to consider upgrading when they are available, if you are running
anything older than NetBSD 1.5.3.  Many security-related improvements
have been made.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.

Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.

NetBSD systems ship with BIND8-based nameserver and utilities, and
they use separate resolver library codebase in dist/bind (not lib/libc/net).
Since we are still not certain if BIND8 is safe, you will need to
update the following directories as well before the build if BIND8
is found to be vulnerable:
	usr.sbin/bind
	dist/bind


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-06-25
	should be upgraded to NetBSD-current dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 betas dated from before 2002-06-25
	should be upgraded to NetBSD 1.6 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.4.x:

	Systems running NetBSD 1.4.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-4 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* pkgsrc:

	bind-4.9.8 (pkgsrc/net/bind4) is vulnerable.  Upgrade to bind-4.9.8nb1
	is recommended.  Note that BIND4 nameserver is considered obsolete
	by the vendor (ISC), and it is recommended to use BIND9, or BIND8.

	It is still unclear if bind-[89] is vulnerable or not, therefore,
	keep yourself informed.

	Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
	are vulnerable.  There is no fix supplied at this moment.

	Shared libraries for binary compatibility are available
	through pkgsrc for some operating systems, and may be
	vulnerable as noted above if installed.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.


Revision History
================

	2002-06-26	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-006.txt,v 1.19 2002/06/27 14:30:30 david Exp $


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPRrmJj5Ru2/4N2IFAQHAJQP/VP7uoErXvLTjHnChbw0ucCtKaWen/Gw2
DjejlLgIwhUw8GFgGEjfaqXxtr4CVCgH6vQSd0CrXUJ9gkRbZSiocuGFlXWyGmD6
NinhLq3EdkidyPTs8IEdkOIn04LqAWdIBxbMCU9ZBDtPtO9tudMDS7rNT/r/j6mA
Ec/pxiuZlzU=
=pXfG
-----END PGP SIGNATURE-----


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC