LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: November 21st, 2014
Linux Security Week: November 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
NetBSD: 'libc' Buffer overrun vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
NetBSD remote buffer overrun on any application that uses DNS, possible remote root exploit (not confirmed)

 NetBSD Security Advisory 2002-006
		 =================================

Topic:		buffer overrun in libc DNS resolver

Version:	NetBSD-current:	source prior to June 26, 2002
		NetBSD-1.6 beta:source prior to June 26, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.
		pkgsrc:		net/bind4, bind-4.9.8 and before affected
				net/bind[89] may be vulnerable
				emulators/compat1[234]
				(there could be more)

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		June 26, 2002
		NetBSD-1.6 branch:	June 26, 2002 (1.6 will include the fix)
		NetBSD-1.5 branch:	June 26, 2002 (1.5.3 will include the fix)
		NetBSD-1.4 branch:	June 26, 2002 (1.4.4 will include the fix)
		pkgsrc:			net/bind4, bind-4.9.8nb1


Abstract
========

There was a buffer-length computation bug in BIND-based DNS resolver
code.  A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.

NetBSD uses BIND4-based DNS resolver code in libc, and is found to be
vulnerable.  As there is no version number identification in the pine.nl
advisory, it is uncertain if BIND8/9 resolver code (used in named related
tools like /usr/bin/dig) is totally safe either.


Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage
packet buffer parsing - a pointer to the byte we are looking at, and
the remaining length on the buffer.

The remaining length was not updated consistently, and malicious DNS
responses are able to write outside the buffer.  This may present an
attacker with the opportunity to insert arbitrary code for execution as
the user running the resolver query, potentially root.  No exploit
script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a
manner unlike the more common buffer overflows in network daemons. Any
outgoing DNS query made to a hostile server would expose the
vulnerability. The exploit path includes email sent to Netscape users
which automatically display HTML, and hostile web pages which carry
embedded objects located on servers in domains with a hostile DNS
server.

Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs,
realize that these systems are vulnerable even if behind a firewall,
since they are initiating the outgoing query.

As a workaround, it is highly worthwhile considering pointing your
client systems at a patched nameserver that does recusive resolution,
and blocking all direct query/responses at a gateway or firewall system.
This will allow central control over your network environment, and
protection while updates are being made to individual clients.


This issue was brought to the attention of the NetBSD security-officer
very recently. Unfortunately, coordination to deliver a full set of
updated binary releases was not possible, and given the severity of this
issue, this Advisory is being released immediately.

Updates will be made to this advisory providing additional pointers to
upgrade resources as available.

See also: 
http://www.pine.nl/advisories/pine-cert-20020601.html


Solutions and Workarounds
=========================

Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. This is a reminder
to consider upgrading when they are available, if you are running
anything older than NetBSD 1.5.3.  Many security-related improvements
have been made.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.

Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.

NetBSD systems ship with BIND8-based nameserver and utilities, and
they use separate resolver library codebase in dist/bind (not lib/libc/net).
Since we are still not certain if BIND8 is safe, you will need to
update the following directories as well before the build if BIND8
is found to be vulnerable:
	usr.sbin/bind
	dist/bind


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-06-25
	should be upgraded to NetBSD-current dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 betas dated from before 2002-06-25
	should be upgraded to NetBSD 1.6 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.4.x:

	Systems running NetBSD 1.4.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-4 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* pkgsrc:

	bind-4.9.8 (pkgsrc/net/bind4) is vulnerable.  Upgrade to bind-4.9.8nb1
	is recommended.  Note that BIND4 nameserver is considered obsolete
	by the vendor (ISC), and it is recommended to use BIND9, or BIND8.

	It is still unclear if bind-[89] is vulnerable or not, therefore,
	keep yourself informed.

	Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
	are vulnerable.  There is no fix supplied at this moment.

	Shared libraries for binary compatibility are available
	through pkgsrc for some operating systems, and may be
	vulnerable as noted above if installed.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.


Revision History
================

	2002-06-26	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.ORG/ and  http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-006.txt,v 1.19 2002/06/27 14:30:30 david Exp $





 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.