CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines

Original release date: March 19, 2003
Last revised: --

A complete revision history can be found at the end of this file.
Systems Affected

Applications using vulnerable implementations of SunRPC-derived XDR
libraries, which include

* Sun Microsystems network services library (libnsl)
* BSD-derived libraries with XDR/RPC routines (libc)
* GNU C library with sunrpc (glibc)
Overview

There is an integer overflow in the xdrmem_getbytes() function
distributed as part of the Sun Microsystems XDR library. This overflow
can cause remotely exploitable buffer overflows in multiple
applications, leading to the execution of arbitrary code. Although the
library was originally distributed by Sun Microsystems, multiple
vendors have included the vulnerable code in their own
I. Description

XDR (external data representation) libraries are used to provide
platform-independent methods for sending data from one system process
to another, typically over a network connection. Such routines are
commonly used in remote procedure call (RPC) implementations to
provide transparency to application programmers who need to use common
interfaces to interact with many different types of systems. The
xdrmem_getbytes() function in the XDR library provided by Sun
Microsystems contains an integer overflow that can lead to improperly
sized dynamic memory allocation. Depending on how and where the
vulnerable xdrmem_getbytes() function is used, subsequent problems
such as buffer overflows may result.
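The following C program is an added illustration, not code from the advisory, from Sun, or from glibc. It models the bounds-check pattern behind the xdrmem_getbytes() defect described above (a signed count of remaining bytes decremented by an unsigned request length and then tested for negativity) beside the corrected form that the glibc ChangeLog in Appendix A describes: x_handy becomes unsigned, the counter is only decremented once a read is accepted, and setpos is range-checked. The struct names, field layout and helper functions (old_getbytes_check, new_getbytes_check, new_setpos_check, safe_getbytes) are assumptions made for the example; only the field name x_handy and the shape of the check come from the page.

```c
/*
 * Added illustration (not code from the advisory, Sun, or glibc): the
 * bounds-check pattern behind the xdrmem_getbytes() integer overflow next
 * to the corrected form described in the glibc ChangeLog. The structs are
 * stand-ins that keep only the field the check uses.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix layout: bytes remaining in the stream held in a *signed* int. */
struct xdrmem_old {
    int x_handy;
};

/* Post-fix layout: the same counter as an unsigned int. */
struct xdrmem_new {
    unsigned int x_handy;
};

/*
 * Vulnerable check. Because len is unsigned, the subtraction is carried out
 * in unsigned arithmetic; a len larger than INT_MAX wraps the result into the
 * positive range, the "< 0" test passes, and a caller would go on to copy len
 * bytes past its buffer. Only the predicate is modelled; nothing is copied.
 */
bool old_getbytes_check(struct xdrmem_old *xdrs, unsigned int len)
{
    if ((xdrs->x_handy -= len) < 0)   /* wraps for len > INT_MAX */
        return false;
    return true;
}

/*
 * Corrected check: compare first, in unsigned arithmetic that cannot go
 * negative, and decrement only afterwards. A request that does not fit
 * leaves the stream state untouched (the "do not decrement" point in the
 * ChangeLog).
 */
bool new_getbytes_check(struct xdrmem_new *xdrs, unsigned int len)
{
    if (len > xdrs->x_handy)
        return false;
    xdrs->x_handy -= len;
    return true;
}

/*
 * Same idea for the setpos operation the ChangeLog mentions: a new position
 * is accepted only if it lies inside the buffer the stream was created
 * with, so base + pos cannot run off the end.
 */
bool new_setpos_check(unsigned int buf_size, unsigned int pos)
{
    return pos <= buf_size;
}

/* Wrapper that performs the copy only after the corrected check succeeds. */
bool safe_getbytes(struct xdrmem_new *xdrs, const unsigned char **cursor,
                   unsigned char *dst, unsigned int len)
{
    if (!new_getbytes_check(xdrs, len))
        return false;
    memcpy(dst, *cursor, len);
    *cursor += len;
    return true;
}

int main(void)
{
    /* Constructed stream state: 64 bytes remain; the request exceeds INT_MAX. */
    struct xdrmem_old o = { 64 };
    struct xdrmem_new n = { 64 };
    unsigned int huge = 0xFFFFFFF0u;

    printf("old check accepts oversized request: %s (x_handy now %d)\n",
           old_getbytes_check(&o, huge) ? "yes (bug)" : "no", o.x_handy);
    printf("new check accepts oversized request: %s (x_handy still %u)\n",
           new_getbytes_check(&n, huge) ? "yes" : "no (rejected)", n.x_handy);
    return 0;
}
```

With 64 bytes remaining, the old predicate accepts a request of 0xFFFFFFF0 bytes and even leaves x_handy at 80, which is exactly the improperly sized state the description above refers to; the corrected predicate rejects it and leaves the counter unchanged.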
Researchers at eEye Digital Security discovered this vulnerability and
have also published an advisory. This issue is currently being tracked
as VU#516825 by the CERT/CC and as CAN-2003-0028 in the Common
Vulnerabilities and Exposures (CVE) dictionary. Note that this
vulnerability is similar to, but distinct from, VU#192995.
II. Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors
in a variety of applications, this defect may lead to a number of
security problems. Exploiting this vulnerability will lead to denial
of service, execution of arbitrary code, or the disclosure of
information. Impacts reported include the ability to crash the rpcbind
service and possibly execute arbitrary code with root privileges. In
addition, intruders may be able to crash the MIT KRB5 kadmind or cause
it to leak sensitive information, such as secret keys.
III. Solution

Apply a patch from your vendor

Apply the appropriate patch or upgrade as specified by your vendor.
See Appendix A below and the Systems Affected section of VU#516825 for

XDR libraries can be used by multiple applications on most
systems. It may be necessary to upgrade or apply multiple patches and
then recompile statically linked applications.

Applications that are statically linked must be recompiled using
patched libraries. Applications that are dynamically linked do not
need to be recompiled; however, running services need to be restarted
in order to use the patched libraries.

System administrators should consider the following process when
addressing this issue:

1. Patch or obtain updated XDR/RPC libraries.
2. Restart any dynamically linked services that make use of the
   XDR/RPC libraries.
3. Recompile any statically linked applications using the patched or
   updated XDR/RPC libraries.

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to
disable access to services or applications compiled with the
vulnerable xdrmem_getbytes() function. As a best practice, the CERT/CC
recommends disabling all services that are not explicitly required.
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their

Apple

Mac OS X and Mac OS X Server do not contain the vulnerabilities
described in this report.
may be vulnerable and has opened spr's 724153 and 724154 to
Fujitsu

Fujitsu is currently investigating how the vulnerability reported under
VU#516825 affects the Fujitsu UXP/V O.S. We will update this statement
as soon as new information becomes available.
GNU C Library (glibc)

Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are
also vulnerable. The following patches have been installed into the
CVS sources, and should appear in the next version of the GNU C
Library. These patches are also available from the following URLs:
(xdrmem_inline): Fix argument type.
* sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
* sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.
(struct XDR.xdr_ops.x_inline): 2nd arg
is now u_int, not int.
(struct XDR.x_handy): Now u_int, not int.
* sunrpc/xdr_mem.c: Include .
(xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
x_handy is now unsigned, not signed.
Do not decrement x_handy if no change is made.
(xdrmem_setpos): Check for int overflow.
* sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
(xdr_sizeof): Remove cast that is now unnecessary, now that
x_handy is unsigned.
of diffs available in the links included above --CERT/CC ]
Hewlett-Packard Company

Case ID SSRT2439

At the time of writing this document, Hewlett Packard is currently
investigating the potential impact to HP's released Operating System.
As further information becomes available HP will provide notice of the
availability of any necessary patches through standard security
bulletin announcements and be available from your normal HP Services
Hitachi

GR2000 gigabit router series - is NOT vulnerable.
IBM

The AIX operating system is vulnerable to the issues discussed in CERT
vulnerability note VU#516825 in releases 4.3.3, 5.1.0 and 5.2.0.

The following official fixes are available:

APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231

Please contact your local IBM AIX support center for any assistance.
Juniper Networks

Juniper Networks products are not susceptible to the vulnerabilities
MIT Kerberos

It may be possible for a remote attacker to exploit an integer
overflow in xdrmem_getbytes() to crash the kadmind server process by
a read segmentation fault. For this to succeed, the kadmind process must
be able to allocate more than MAX_INT bytes of memory. This is
believed to be unlikely, as most installations are not likely to
permit the allocation of that much memory.

It may also be possible for a remote attacker to exploit this integer
overflow to obtain sensitive information, such as secret keys, from
the kadmind process. This is believed to be extremely unlikely, as
there are unlikely to be ways for the information, once improperly
copied, to be returned to the attacker. In addition, the above
condition of the kadmind being able to allocate huge amounts of memory
must be satisfied.

This statement may also be found at:

A detached PGP signature is at:
NEC Corporation

[Server Products]
* EWS/UP 48 Series operating system - is NOT vulnerable.

The types of the various xdr*_getbytes functions were made
consistent somewhere back in 1997 (all u_int), so we're not vulnerable
in that area.
products are not vulnerable to this issue.
has no relationship to the product we ship.
SGI

SGI acknowledges receiving CERT VU#516825 and is currently
investigating. This is being tracked as SGI Bug# 880925. No further
information is available at this time.

For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are available
for all vulnerable and supported SGI operating systems. Until SGI has
more definitive information to provide, customers are encouraged to
assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and
requirements. As further information becomes available, additional
advisories will be issued via the normal SGI security information
distribution methods including the wiretap mailing list on
Sun Microsystems

Solaris 2.6, 7, 8 and 9 are vulnerable to VU#516825.

Sun will be publishing a Sun Alert for the issue at the following

The Sun Alert will be updated with the patch information as soon as
the patches are available.

At that time, the patches listed in the Sun Alert will be available
Appendix B. - References

2. VU#192995 - http://www.kb.cert.org/vuls/id/192995
3. VU#516825 - http://www.kb.cert.org/vuls/id/516825
4. RFC1831 - http://www.ietf.org/rfc/rfc1831.txt
5. RFC1832 - http://www.ietf.org/rfc/rfc1832.txt
Thanks to Riley Hassell of eEye Digital Security for discovering and
reporting this vulnerability. Thanks also to Sun Microsystems for
additional technical details.

Authors: Chad Dougherty and Jeffrey Havrilla

This document is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

We urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more
information.

CERT publications and other security information are available from
our web site

To subscribe to the CERT mailing list for advisories and bulletins,
send email to firstname.lastname@example.org. Please include in the body of your
"CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

Mar 19, 2003: Initial release