SecurityTracker.com
Category:   Application (Generic)  >   libc
Vendors:   GNU [multiple authors]
(NetBSD Issues Fix) libc strfmon() Integer Overflows May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019912
SecurityTracker URL:  http://securitytracker.com/id/1019912
CVE Reference:   CVE-2008-1391
Date:  Apr 22 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in libc. A user can cause arbitrary code to be executed on the target system.

A remote user can send a specially crafted value that, when processed by the target application that uses libc, will trigger an integer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target application.

Applications that use the strfmon() function are affected.

Maksymilian Arciemowicz (cxib) of SecurityReason.com reported this vulnerability.

The original advisory is available at:

http://securityreason.com/achievement_securityalert/53

Impact:   A user can cause arbitrary code to be executed on the target system. The specific impact depends on the application using libc.
Solution:   NetBSD has released a fix.

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  4.0

Message History:   This archive entry is a follow-up to the message listed below.
Mar 27 2008 libc strfmon() Integer Overflows May Let Users Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2008-006: Integer overflow in strfmon(3)





		 NetBSD Security Advisory 2008-006
		 =================================

Topic:		Integer overflow in strfmon(3) function

Version:	NetBSD-current:		affected
		NetBSD 4.0:		affected
		NetBSD 3.1.*:		unaffected
		NetBSD 3.1:		unaffected
		NetBSD 3.0:		unaffected
		NetBSD 3.0.*:		unaffected

Severity:	Local user may be able to execute arbitrary code

Fixed:		NetBSD-current:		March 18, 2008
		NetBSD-4 branch:	March 19, 2008
			(4.1 will include the fix)
		NetBSD-4-0 branch:	March 19, 2008
			(4.0.1 will include the fix)


Abstract
========

The strfmon() function contains multiple integer overflows which can be
exploited by a local attacker to cause a crash or potentially execute
arbitrary code.


Technical Details
=================

The vulnerability exists in strfmon() because of the use of the GET_NUMBER()
macro.  This macro does not check for integer overflow, and its value is
passed as an argument to the memmove() and memset() functions, which can
result in a crash or possibly the execution of arbitrary code.

This issue has been assigned CVE reference CVE-2008-1391.


Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libc binaries
by updating your source tree and rebuilding and installing a new version
of libc.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-03-18
	should be upgraded to NetBSD-current dated 2008-03-19 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/stdlib/strfmon.c

	To update from CVS, re-build, and re-install libc:

		# cd src
		# cvs update lib/libc/stdlib/strfmon.c
		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-03-19 should be upgraded from NetBSD 4.* source dated
	2008-03-20 or later.

	The following files need to be updated from the
	netbsd-4 or netbsd-4-0 CVS branches:
		lib/libc/stdlib/strfmon.c

	To update from CVS, re-build, and re-install libc:

		# cd src
		# cvs update -r <branch_name> lib/libc/stdlib/strfmon.c
		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

Thanks To
=========

Maksymilian Arciemowicz for reporting this problem and Christos Zoulas
for providing a fix.

Revision History
================

	2008-04-21	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-006.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $

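
The bug class named under Technical Details (a decimal field width accumulated without an overflow check and then used as a memmove()/memset() length), shown beside a checked form. This is an added example, not NetBSD's strfmon.c or its GET_NUMBER() macro; the function names and the input strings are constructed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: accumulate digits with no bound. uint32_t keeps the
 * wraparound well-defined here; on a signed int it is undefined behaviour. */
static uint32_t parse_width_unchecked(const char **fmt)
{
    uint32_t v = 0;
    for (; isdigit((unsigned char)**fmt); (*fmt)++)
        v = v * 10u + (uint32_t)(**fmt - '0');
    return v;
}

/* Checked form: refuse a digit that would push the value past INT_MAX. */
static int parse_width_checked(const char **fmt, int *out)
{
    int v = 0;
    for (; isdigit((unsigned char)**fmt); (*fmt)++) {
        int d = **fmt - '0';
        if (v > (INT_MAX - d) / 10)
            return -1;
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* The width reaches memset() only after being bounded by the space left. */
static int pad_field(char *dst, size_t avail, const char *spec)
{
    int width;
    if (parse_width_checked(&spec, &width) != 0 || (size_t)width >= avail)
        return -1;
    memset(dst, ' ', (size_t)width);
    dst[width] = '\0';
    return width;
}

int main(void)
{
    const char *spec = "4294967306";   /* constructed input: 2^32 + 10 */
    char buf[16];
    printf("unchecked width: %u\n", (unsigned)parse_width_unchecked(&spec));
    printf("checked result:  %d\n", pad_field(buf, sizeof buf, "4294967306"));
    return 0;
}
```

The unchecked parser silently turns the oversized field into a small or sign-flipped value, which is why the length later handed to a copy or fill routine no longer matches what the format string asked for.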

 
 



Copyright 2019, SecurityGlobal.net LLC