20th Mar 2003 [SBWID-6075]
COMMAND
	XDR Integer Overflow
SYSTEMS AFFECTED
	 Sun Microsystems Network Services Library (libnsl)
	 BSD-derived libraries with XDR/RPC routines (libc)
	 GNU C library with sunrpc (glibc)
PROBLEM
	Marc Maiffret [[email protected]] says :
	XDR Integer Overflow
	
	Release Date:
	March 19, 2003
	Severity: High (Remote Code Execution/Denial of Service)
	Systems Affected:
	Sun Microsystems Network Services Library (libnsl)
	BSD-derived libraries with XDR/RPC routines (libc)
	GNU C library with sunrpc (glibc)
	
	Description:
	XDR is a standard for the description and encoding of data which is
	used heavily in RPC implementations. Several libraries exist that allow
	a developer to incorporate XDR into his or her applications.
	Vulnerabilities were discovered in these libraries during the testing
	of new Retina auditing technologies developed by the eEye research
	department.

	ADAM and EVE are two technologies developed by eEye to remotely and
	locally audit applications for the existence of common vulnerabilities.
	During an ADAM audit, an integer overflow was discovered in the Sun
	Microsystems XDR library. By supplying specific integer values in
	length fields during an RPC transaction, we were able to produce
	various overflow conditions in UNIX RPC services.

	Technical Description:
	The xdrmem_getbytes() function in the XDR library provided by Sun
	Microsystems contains an integer overflow. Depending on the location
	and use of the vulnerable xdrmem_getbytes() routine, various conditions
	may be presented that can permit an attacker to remotely exploit a
	service using this vulnerable routine.

	For the purpose of signature development and further security research,
	a sample session is included below that replicates an integer overflow
	in the rpcbind shipped with various versions of the Solaris operating
	system.
	
	char evil_rpc[] =
	"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
	"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
	"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
	"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
	"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
	"\xFF\xFF\xFF\xFF" // RPC argument length
	"EEYECLIPSE2003";
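
Added example (not part of the eEye advisory and not any vendor's code): a length validator that walks the sample session above as an ONC RPC call and rejects any length field larger than the bytes that remain, comparing before it subtracts. The field layout (a portmapper CALLIT call carrying a credential and a verifier) is this example's reading of the sample bytes, and `check_rpc_call` and the other names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RPC_OK, RPC_TRUNCATED, RPC_BAD_LENGTH };
struct cur { const unsigned char *p; size_t left; };

/* Sample session bytes from the advisory above, regrouped 16 per line. */
static const unsigned char sample_call[] =
    "\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xA0"
    "\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x20"
    "\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C\x68\x6F\x73"
    "\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\xA0\x00\x00\x00\x02"
    "\x00\x00\x00\x04\xFF\xFF\xFF\xFF" "EEYECLIPSE2003";

/* Read one big-endian XDR word; refuse to read past the end of the buffer. */
static int get_u32(struct cur *c, uint32_t *out) {
    if (c->left < 4) return 0;
    *out = (uint32_t)c->p[0] << 24 | (uint32_t)c->p[1] << 16 | (uint32_t)c->p[2] << 8 | c->p[3];
    c->p += 4; c->left -= 4;
    return 1;
}

/* Skip opaque bytes plus XDR padding: compare first, subtract second, pad in 64 bits. */
static int skip_opaque(struct cur *c, uint32_t len) {
    uint64_t padded = ((uint64_t)len + 3) & ~(uint64_t)3;
    if (padded > c->left) return 0;
    c->p += padded; c->left -= (size_t)padded;
    return 1;
}

/* Added example. Assumed layout: call header, credential, verifier, then CALLIT arguments. */
int check_rpc_call(const unsigned char *buf, size_t n) {
    struct cur c = { buf, n };
    uint32_t w[6], skip, len;
    for (int i = 0; i < 6; i++)            /* xid, type, rpcvers, prog, vers, proc */
        if (!get_u32(&c, &w[i])) return RPC_TRUNCATED;
    for (int i = 0; i < 2; i++) {          /* credential, then verifier */
        if (!get_u32(&c, &skip) || !get_u32(&c, &len)) return RPC_TRUNCATED;
        if (!skip_opaque(&c, len)) return RPC_BAD_LENGTH;
    }
    if (w[1] != 0 || w[3] != 100000 || w[5] != 5) return RPC_OK;  /* not a portmapper CALLIT */
    for (int i = 0; i < 4; i++)            /* target prog, vers, proc, then argument length */
        if (!get_u32(&c, &len)) return RPC_TRUNCATED;
    return len > c.left ? RPC_BAD_LENGTH : RPC_OK;   /* declared length vs. bytes present */
}

int main(void) { printf("%d\n", check_rpc_call(sample_call, sizeof sample_call - 1)); return 0; }
```

The same compare-before-subtract check with an unsigned remaining-bytes counter is the pattern to look for when reviewing any XDR-style decoder that accepts a length from the wire.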
	
SOLUTION
	Vendor Status:
	Sun Microsystems was contacted on November 13, 2002 and CERT was
	contacted shortly afterwards. Vendors believed to be vulnerable were
	contacted by CERT during a grace period of several months. Due to some
	difficulties communicating with vendors, after rescheduling several
	times a release date was set for March 18, 2003.

	eEye recommends obtaining the necessary patches or updates from vendors
	as they become available after the release of this and the CERT
	advisory.

	For a list of vendors and their responses, please review the CERT
	advisory at:
	
	 http://www.cert.org/advisories/CA-2003-10.html
	
	You can find the latest copy of this advisory, along with other eEye
	research at http://www.eeye.com/.
	
	Credit:
	Riley Hassell - Senior Research Associate
	Greetings:
	Liver destroyers of the world:
	Barnes (DOW!), FX, and last but definitely not least, Heather and Jenn.
	Copyright (c) 1998-2003 eEye Digital Security
	Permission is hereby granted for the redistribution of this alert
	electronically. It is not to be edited in any way without express consent of
	eEye. If you wish to reprint the whole or any part of this alert in any
	other medium excluding electronic medium, please e-mail [email protected] for
	permission.
	Disclaimer
	The information within this paper may change without notice. Use of this
	information constitutes acceptance for use in an AS IS condition. There are
	NO warranties with regard to this information. In no event shall the author
	be liable for any damages whatsoever arising out of or in connection with
	the use or spread of this information. Any use of this information is at the
	user's own risk.
	Feedback
	Please send suggestions, updates, and comments to:
	eEye Digital Security
	http://www.eEye.com
	[email protected]