Subject: NetBSD Security Advisory 2002-014: fd_set overrun in mbone tools and pppd
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 09/17/2002 12:36:43
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-014
=================================
Topic: fd_set overrun in mbone tools and pppd
Version: NetBSD-current: source prior to August 10, 2002
NetBSD 1.6 beta: sources prior to August 11, 2002
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: possible local root compromise
Fixed: NetBSD-current: August 10, 2002
NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
NetBSD-1.5 branch: September 5, 2002
NetBSD-1.4 branch: not yet
Abstract
========
The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
daemon pppd(8), are setuid root binaries. A malicious local user can
cause a buffer overrun in these programs by filling file descriptor
tables before exec'ing them, which could lead to local root
compromise.
No exploit code is known to exist at this moment.
Technical Details
=================
These tools use select(2). select(2) uses fd_set bitmap, which
supports up to FD_SETSIZE (256) file descriptors. These tools did not
have a boundary check when doing FD_SET() operations. Therefore, if
the file descriptor used for select(2) equals to or exceeds
FD_SETSIZE, a buffer overrun occurs.
More details are in the NetBSD-current select(2) manpage "BUGS" section:
Although the provision of getdtablesize(3) was intended to allow user
programs to be written independent of the kernel limit on the number of
open files, the dimension of a sufficiently large bit field for select
remains a problem. The default bit size of fd_set is based on the symbol
FD_SETSIZE (currently 256), but that is somewhat smaller than the current
kernel limit to the number of open files. However, in order to accommo-
date programs which might potentially use a larger number of open files
with select, it is possible to increase this size within a program by
providing a larger definition of FD_SETSIZE before the inclusion of
<sys/types.h>. The kernel will cope, and the userland libraries provided
with the system are also ready for large numbers of file descriptors.
Solutions and Workarounds
=========================
If you do not run, and do not plan to use, multicast-related tools or
pppd, the problem can be worked around by removing the setuid bit from
those binaries. Users can therefore no longer escalate their
privileges by exploiting the bug:
# chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd
Nevertheless, we suggest upgrading these binaries to make sure you
don't have vulnerable code in your system.
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
Otherwise, the following instructions describe how to upgrade your
binaries by updating your source tree and rebuilding and installing a
new version.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-10
should be upgraded to NetBSD-current dated 2002-08-10 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd
To update from CVS, re-build, and re-install mrinfo and mtrace:
# cd src
# cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
# cd usr.sbin/mrinfo
# make cleandir dependall
# make install
# cd usr.sbin/mtrace
# make cleandir dependall
# make install
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-11 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd
To update from CVS, re-build, and re-install mrinfo and mtrace:
# cd src
# cvs update -d -P -r netbsd-1-6 \
usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
# cd usr.sbin/mrinfo
# make cleandir dependall
# make install
# cd usr.sbin/mtrace
# make cleandir dependall
# make install
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5 branch dated from before 2002-09-05
should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
usr.sbin/mrinfo
usr.sbin/mtrace
usr.sbin/pppd
To update from CVS, re-build, and re-install mrinfo and mtrace:
# cd src
# cvs update -d -P -r netbsd-1-5 \
usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
# cd usr.sbin/mrinfo
# make cleandir dependall
# make install
# cd usr.sbin/mtrace
# make cleandir dependall
# make install
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
xs@kittenz.org for finding this bug and sending fixes.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-09-16 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-014.txt,v 1.13 2002/09/16 05:17:55 dan Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqaD5Ru2/4N2IFAQGipAP/QwtISx0xcoOwzB3HrjGmn8DMX0V13q6d
ecx1QZ/4TuCjEYmgbhXdW8ReB7yQ1wy2tIG61U3pvoQW9EMqoK1n7ispixwUIS7X
Yp3gpYp4nTAeeLvv3mYoT6NFERqzku7qakoSFq92uojwborR/yXFsiC41IMudhK6
HuwbKbDG9WM=
=Ez96
-----END PGP SIGNATURE-----