SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Mbone Vendors:   NetBSD
NetBSD 'mrinfo' and 'mtrace' Mbone Tools Have a Buffer Overflow That Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1005234
SecurityTracker URL:  http://securitytracker.com/id/1005234
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 17 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A buffer overflow vulnerability was reported in the mrinfo(1) and mtrace(1) IPv4 Mbone multicast tools on NetBSD. A local user can execute arbitrary code to gain root privileges on the system.

It is reported that a local user can fill file descriptor tables before exec'ing them to trigger a buffer overflow. The mrinfo and mtrace tools are reportedly configured with set user id (suid) root user privileges.

According to NetBSD, these tools use the select(2) function, which uses fd_set bitmap, supporting up to FD_SETSIZE (256) file descriptors. However, the tools fail to perform the necessary boundary checks when performing FD_SET() operations. A local user can cause the the file descriptor used for select(2) to equal to or exceed FD_SETSIZE to trigger a buffer overrun.

Any arbitrary code executed would run with root level privileges.

NetBSD credits xs at kittenz.org with reporting this bug.

Impact:   A local user may be able to cause arbitrary code to be executed with root privileges, giving the local user root level access on the system.
Solution:   The vendor has issued a fix and recommends upgrading to NetBSD 1.6.

Otherwise, the following instructions describe how to upgrade your binaries by updating your source tree and rebuilding and installing a new version.

[Editor's note: This fix also includes a fix for 'pppd' which reportedly contains the same flaw.]

* NetBSD-current:

Systems running NetBSD-current dated from before 2002-08-10 should be upgraded to NetBSD-current dated 2002-08-10 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):

usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd

To update from CVS, re-build, and re-install mrinfo and mtrace:

# cd src
# cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

# cd usr.sbin/mrinfo
# make cleandir dependall
# make install

# cd usr.sbin/mtrace
# make cleandir dependall
# make install

# cd usr.sbin/pppd
# make cleandir dependall
# make install


* NetBSD 1.6 beta:

Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release.

If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-11 or later should be used.

The following directories need to be updated from the netbsd-1-6 CVS branch:

usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd

To update from CVS, re-build, and re-install mrinfo and mtrace:

# cd src
# cvs update -d -P -r netbsd-1-6 \
usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

# cd usr.sbin/mrinfo
# make cleandir dependall
# make install

# cd usr.sbin/mtrace
# make cleandir dependall
# make install

# cd usr.sbin/pppd
# make cleandir dependall
# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

Systems running NetBSD-1.5 branch dated from before 2002-09-05 should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.

The following directories need to be updated from the netbsd-1-5 CVS branch:

usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd

To update from CVS, re-build, and re-install mrinfo and mtrace:

# cd src
# cvs update -d -P -r netbsd-1-5 \
usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

# cd usr.sbin/mrinfo
# make cleandir dependall
# make install

# cd usr.sbin/mtrace
# make cleandir dependall
# make install

# cd usr.sbin/pppd
# make cleandir dependall
# make install


A fix for NetBSD 1.4, 1.4.1, 1.4.2, and 1.4.3 has not yet been released.

Vendor URL:  www.NetBSD.ORG/Security/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6 beta, 1.5, 1.4

Message History:   None.


 Source Message Contents

Subject:  NetBSD Security Advisory 2002-014: fd_set overrun in mbone tools and pppd



-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-014
		 =================================

Topic:		fd_set overrun in mbone tools and pppd

Version:	NetBSD-current:	source prior to August 10, 2002
		NetBSD 1.6 beta: sources prior to August 11, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	possible local root compromise

Fixed:		NetBSD-current:		August 10, 2002
		NetBSD-1.6 branch:	August 11, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
daemon pppd(8), are setuid root binaries.  A malicious local user can
cause a buffer overrun in these programs by filling file descriptor
tables before exec'ing them, which could lead to local root
compromise.

No exploit code is known to exist at this moment.


Technical Details
=================

These tools use select(2).  select(2) uses fd_set bitmap, which
supports up to FD_SETSIZE (256) file descriptors.  These tools did not
have a boundary check when doing FD_SET() operations.  Therefore, if
the file descriptor used for select(2) equals to or exceeds
FD_SETSIZE, a buffer overrun occurs.

More details are in the NetBSD-current select(2) manpage "BUGS" section:

   Although the provision of getdtablesize(3) was intended to allow user
   programs to be written independent of the kernel limit on the number of
   open files, the dimension of a sufficiently large bit field for select
   remains a problem.  The default bit size of fd_set is based on the symbol
   FD_SETSIZE (currently 256), but that is somewhat smaller than the current
   kernel limit to the number of open files.  However, in order to accommo-
   date programs which might potentially use a larger number of open files
   with select, it is possible to increase this size within a program by
   providing a larger definition of FD_SETSIZE before the inclusion of
   <sys/types.h>.  The kernel will cope, and the userland libraries provided
   with the system are also ready for large numbers of file descriptors.


Solutions and Workarounds
=========================

If you do not run, and do not plan to use, multicast-related tools or
pppd, the problem can be worked around by removing the setuid bit from
those binaries.  Users can therefore no longer escalate their
privileges by exploiting the bug:

	# chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd

Nevertheless, we suggest upgrading these binaries to make sure you
don't have vulnerable code in your system.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Otherwise, the following instructions describe how to upgrade your
binaries by updating your source tree and rebuilding and installing a
new version.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-10
	should be upgraded to NetBSD-current dated 2002-08-10 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		usr.sbin/mrinfo
		usr.sbin/mtrace
		usr.sbin/pppd

	To update from CVS, re-build, and re-install mrinfo and mtrace:
		# cd src
		# cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

		# cd usr.sbin/mrinfo
		# make cleandir dependall
		# make install

		# cd usr.sbin/mtrace
		# make cleandir dependall
		# make install

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-11 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		usr.sbin/mrinfo
		usr.sbin/mtrace
		usr.sbin/pppd

	To update from CVS, re-build, and re-install mrinfo and mtrace:
		# cd src
		# cvs update -d -P -r netbsd-1-6 \
			usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

		# cd usr.sbin/mrinfo
		# make cleandir dependall
		# make install

		# cd usr.sbin/mtrace
		# make cleandir dependall
		# make install

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD-1.5 branch dated from before 2002-09-05
	should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		usr.sbin/mrinfo
		usr.sbin/mtrace
		usr.sbin/pppd

	To update from CVS, re-build, and re-install mrinfo and mtrace:
		# cd src
		# cvs update -d -P -r netbsd-1-5 \
			usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd

		# cd usr.sbin/mrinfo
		# make cleandir dependall
		# make install

		# cd usr.sbin/mtrace
		# make cleandir dependall
		# make install

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.


Thanks To
=========

xs@kittenz.org for finding this bug and sending fixes.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-014.txt,v 1.13 2002/09/16 05:17:55 dan Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqaD5Ru2/4N2IFAQGipAP/QwtISx0xcoOwzB3HrjGmn8DMX0V13q6d
ecx1QZ/4TuCjEYmgbhXdW8ReB7yQ1wy2tIG61U3pvoQW9EMqoK1n7ispixwUIS7X
Yp3gpYp4nTAeeLvv3mYoT6NFERqzku7qakoSFq92uojwborR/yXFsiC41IMudhK6
HuwbKbDG9WM=
=Ez96
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC