SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Net-snmp
Vendors:   [Multiple Authors/Vendors]
(SCO Issues Fix for OpenLinux) Snmpnetstat Component of Net-snmp (ucd-snmp) Has Heap Overflow That Allows Remote Servers to Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1008120
SecurityTracker URL:  http://securitytracker.com/id/1008120
CVE Reference:   CVE-2002-1570
Date:  Nov 8 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): snmpnetstat from ucd-SNMP-4.2.3
Description:   It is reported that there is a heap overflow in the snmpnetstat tool from the net-snmp (ucd-snmp) package. A remote server can cause arbitrary code to be executed by the snmpnetstat client.

It is reported that snmpnetstat allocates an array when requesting the list of interfaces. It then sends a getnextrequest PDU to the server requesting ifindex, ifaddr, and ifnetmask. If the ifindex value returned by the server differs from the previously retrieved value and the interface currently being scanned is the last interface, the heap overflow is triggered and the memory located after the array is overwritten with the variables returned by the server.
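
The condition described above, as an added C example that is not code from net-snmp, SCO or the original report: a simplified model of a client filling a fixed-size interface table from server-supplied rows, with the bounds check whose absence produces the overflow. The names if_row, collect_interfaces and run_sample, the 4096 cap and the sample rows are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of one getnext row (ifindex, ifaddr, ifnetmask); not net-snmp types. */
struct if_row { int ifindex; uint32_t addr, mask; };

/* Fill a table sized from the interface count the server announced.
 * A changed ifindex means "next interface", so the cursor advances.
 * Returns interfaces stored, or -1 on an oversized answer. Caller frees *out. */
int collect_interfaces(const struct if_row *rows, size_t nrows,
                       size_t announced, struct if_row **out)
{
    struct if_row *tab, *cur = NULL;
    size_t used = 0;

    *out = NULL;
    if (announced == 0 || announced > 4096)   /* assumed sanity cap */
        return -1;
    if ((tab = calloc(announced, sizeof(*tab))) == NULL)
        return -1;
    for (size_t i = 0; i < nrows; i++) {
        if (cur == NULL || rows[i].ifindex != cur->ifindex) {
            /* Without this check, a new ifindex arriving while the cursor
             * is on the last slot moves it past the allocation. */
            if (used == announced) {
                free(tab);
                return -1;
            }
            cur = &tab[used++];
        }
        *cur = rows[i];   /* server-controlled values land in the slot */
    }
    *out = tab;
    return (int)used;
}

/* Constructed responses: four rows, three distinct ifindex values. */
static const struct if_row sample[] = {
    {1, 0x0a000001, 0xffffff00}, {1, 0x0a000002, 0xffffff00},
    {2, 0x0a000101, 0xffffff00}, {3, 0x0a000201, 0xffffff00},
};

/* Feed the first nrows sample rows into a table of `announced` slots. */
int run_sample(size_t nrows, size_t announced)
{
    struct if_row *tab;
    int n = collect_interfaces(sample, nrows, announced, &tab);
    free(tab);
    return n;
}
int main(void) { return run_sample(4, 2) == -1 ? 0 : 1; }
```

The point for reviewers of similar client code is that the table size and the row stream both come from the peer, so the cursor has to be checked against the allocation on every advance rather than trusted to match the announced count.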

The vendor has reportedly been notified.

A demonstration exploit is included in the Source Message (it is Base64-encoded).

Impact:   A remote user (snmp server) can cause arbitrary code to be executed on the host running net-snmp's snmpnetstat with the privileges of snmpnetstat.
Solution:   SCO has released a fix for OpenLinux 3.1.1 Server and Workstation.

For OpenLinux 3.1.1 Server:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-029.0/RPMS

Packages

126ee06bd94f366289364150ed7d87fb ucd-snmp-4.2.1-18.i386.rpm
6653905d5244636d0a699c48d447d627 ucd-snmp-devel-4.2.1-18.i386.rpm
947bf938d44ea9d03a5d2d242244855c ucd-snmp-tkmib-4.2.1-18.i386.rpm
ec04d382fd0010911277e7635b2312b7 ucd-snmp-utils-4.2.1-18.i386.rpm

To install:

rpm -Fvh ucd-snmp-4.2.1-18.i386.rpm
rpm -Fvh ucd-snmp-devel-4.2.1-18.i386.rpm
rpm -Fvh ucd-snmp-tkmib-4.2.1-18.i386.rpm
rpm -Fvh ucd-snmp-utils-4.2.1-18.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-029.0/SRPMS

Source Packages

adcdbf58ba2b5ef0075c46fcc80dc399 ucd-snmp-4.2.1-18.src.rpm


For OpenLinux 3.1.1 Workstation:

Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-029.0/RPMS

Packages

126ee06bd94f366289364150ed7d87fb ucd-snmp-4.2.1-18.i386.rpm
6653905d5244636d0a699c48d447d627 ucd-snmp-devel-4.2.1-18.i386.rpm
947bf938d44ea9d03a5d2d242244855c ucd-snmp-tkmib-4.2.1-18.i386.rpm
ec04d382fd0010911277e7635b2312b7 ucd-snmp-utils-4.2.1-18.i386.rpm

To install:

rpm -Fvh ucd-snmp-4.2.1-18.i386.rpm
rpm -Fvh ucd-snmp-devel-4.2.1-18.i386.rpm
rpm -Fvh ucd-snmp-tkmib-4.2.1-18.i386.rpm
rpm -Fvh ucd-snmp-utils-4.2.1-18.i386.rpm

Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-029.0/SRPMS

Source Packages

adcdbf58ba2b5ef0075c46fcc80dc399 ucd-snmp-4.2.1-18.src.rpm

Vendor URL:  www.net-snmp.org/
Cause:   Boundary error
Underlying OS:  Linux (Caldera/SCO)
Underlying OS Comments:  3.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Jan 3 2002 Snmpnetstat Component of Net-snmp (ucd-snmp) Has Heap Overflow That Allows Remote Servers to Execute Arbitrary Code on the System



 Source Message Contents

Subject:  OpenLinux: ucd-snmp remote heap overflow



To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com security-alerts@linuxsecurity.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: ucd-snmp remote heap overflow
Advisory number: 	CSSA-2003-029.0
Issue date: 		2003 October 30
Cross reference:	sr883603 fz528212 erg712406 CAN-2002-1570
______________________________________________________________________________


1. Problem Description

	ucd-snmp is a set of tools relating to the Simple Network
	Management Protocol (SNMP), which is used for remote
	administration and monitoring of network devices and
	services.
	
	Juan M. de la Torre found a remote heap overflow
	vulnerability in snmpnetstat (a tool used to retrieve information
	about a remote host). When a list of interfaces is requested, a
	malicious server can return information in a way that will cause
	a heap overflow in snmpnetstat. A remote attacker able to control
	a snmp server can exploit this vulnerability to execute arbitrary
	code with the privileges of the user running snmpnetstat.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to ucd-snmp-4.2.1-18.i386.rpm
					prior to ucd-snmp-devel-4.2.1-18.i386.rpm
					prior to ucd-snmp-tkmib-4.2.1-18.i386.rpm
					prior to ucd-snmp-utils-4.2.1-18.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to ucd-snmp-4.2.1-18.i386.rpm
					prior to ucd-snmp-devel-4.2.1-18.i386.rpm
					prior to ucd-snmp-tkmib-4.2.1-18.i386.rpm
					prior to ucd-snmp-utils-4.2.1-18.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-029.0/RPMS

	4.2 Packages

	126ee06bd94f366289364150ed7d87fb	ucd-snmp-4.2.1-18.i386.rpm
	6653905d5244636d0a699c48d447d627	ucd-snmp-devel-4.2.1-18.i386.rpm
	947bf938d44ea9d03a5d2d242244855c	ucd-snmp-tkmib-4.2.1-18.i386.rpm
	ec04d382fd0010911277e7635b2312b7	ucd-snmp-utils-4.2.1-18.i386.rpm

	4.3 Installation

	rpm -Fvh ucd-snmp-4.2.1-18.i386.rpm
	rpm -Fvh ucd-snmp-devel-4.2.1-18.i386.rpm
	rpm -Fvh ucd-snmp-tkmib-4.2.1-18.i386.rpm
	rpm -Fvh ucd-snmp-utils-4.2.1-18.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-029.0/SRPMS

	4.5 Source Packages

	adcdbf58ba2b5ef0075c46fcc80dc399	ucd-snmp-4.2.1-18.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-029.0/RPMS

	5.2 Packages

	126ee06bd94f366289364150ed7d87fb	ucd-snmp-4.2.1-18.i386.rpm
	6653905d5244636d0a699c48d447d627	ucd-snmp-devel-4.2.1-18.i386.rpm
	947bf938d44ea9d03a5d2d242244855c	ucd-snmp-tkmib-4.2.1-18.i386.rpm
	ec04d382fd0010911277e7635b2312b7	ucd-snmp-utils-4.2.1-18.i386.rpm

	5.3 Installation

	rpm -Fvh ucd-snmp-4.2.1-18.i386.rpm
	rpm -Fvh ucd-snmp-devel-4.2.1-18.i386.rpm
	rpm -Fvh ucd-snmp-tkmib-4.2.1-18.i386.rpm
	rpm -Fvh ucd-snmp-utils-4.2.1-18.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-029.0/SRPMS

	5.5 Source Packages

	adcdbf58ba2b5ef0075c46fcc80dc399	ucd-snmp-4.2.1-18.src.rpm


6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1570

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr883603 fz528212
	erg712406.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


8. Acknowledgements

	SCO would like to thank Juan M. de la Torre for reporting this issue.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/rARmbluZssSXDTERAtlUAJ9figxbsL6A/Nd5QwJjqAD87xi04gCgwLHK
/qExdik2m3lWQrKFheX+GoU=
=fKrF
-----END PGP SIGNATURE-----


 
 



Copyright 2020, SecurityGlobal.net LLC