Subject: NetBSD Security Advisory 2002-006: buffer overrun in libc DNS resolver
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 06/27/2002 13:14:21
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-006
		 =================================

Topic:		buffer overrun in libc DNS resolver

Version:	NetBSD-current:	source prior to June 26, 2002
		NetBSD-1.6 beta:source prior to June 26, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected
		All prior NetBSD releases.
		pkgsrc:		net/bind4, bind-4.9.8 and before affected
				net/bind[89] may be vulnerable
				emulators/compat1[234]
				(there could be more)

Severity:	remote buffer overrun on any application that uses DNS,
		possible remote root exploit (not confirmed)

Fixed:		NetBSD-current:		June 26, 2002
		NetBSD-1.6 branch:	June 26, 2002 (1.6 will include the fix)
		NetBSD-1.5 branch:	June 26, 2002 (1.5.3 will include the fix)
		NetBSD-1.4 branch:	June 26, 2002 (1.4.4 will include the fix)
		pkgsrc:			net/bind4, bind-4.9.8nb1


Abstract
========

There was a buffer-length computation bug in BIND-based DNS resolver
code.  A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a remote
root exploit, though there are no public exploits in circulation at this
time.

NetBSD uses BIND4-based DNS resolver code in libc, and is found to be
vulnerable.  As there is no version number identification in the pine.nl
advisory, it is uncertain if BIND8/9 resolver code (used in named related
tools like /usr/bin/dig) is totally safe either.


Technical Details
=================

In lib/libc/net/gethnamaddr.c:getanswer() and
lib/libc/net/getnetnamadr.c:getnetanswer(), two variables manage
packet buffer parsing - a pointer to the byte we are looking at, and
the remaining length on the buffer.

The remaining length was not updated consistently, and malicious DNS
responses are able to write outside the buffer.  This may present an
attacker with the opportunity to insert arbitrary code for execution as
the user running the resolver query, potentially root.  No exploit
script to take advantage of this vulnerability is known at time of
writing.

It is important to understand that this issue can be triggered in a
manner unlike the more common buffer overflows in network daemons. Any
outgoing DNS query made to a hostile server would expose the
vulnerability. The exploit path includes email sent to Netscape users
which automatically display HTML, and hostile web pages which carry
embedded objects located on servers in domains with a hostile DNS
server.

Since client systems in many network environments are permitted to make
DNS queries directly to root servers, through routed IPs, or NATs,
realize that these systems are vulnerable even if behind a firewall,
since they are initiating the outgoing query.

As a workaround, it is highly worthwhile considering pointing your
client systems at a patched nameserver that does recusive resolution,
and blocking all direct query/responses at a gateway or firewall system.
This will allow central control over your network environment, and
protection while updates are being made to individual clients.


This issue was brought to the attention of the NetBSD security-officer
very recently. Unfortunately, coordination to deliver a full set of
updated binary releases was not possible, and given the severity of this
issue, this Advisory is being released immediately.

Updates will be made to this advisory providing additional pointers to
upgrade resources as available.

See also:
http://www.pine.nl/advisories/pine-cert-20020601.html


Solutions and Workarounds
=========================

Releases of NetBSD 1.5.3 and NetBSD 1.6 are imminent. This is a reminder
to consider upgrading when they are available, if you are running
anything older than NetBSD 1.5.3.  Many security-related improvements
have been made.

Note that any statically-linked binary that makes any DNS query is
vulnerable, and cannot be fixed by replacing a shared library.
Therefore, updating the entire system is suggested.

Note also that shared libraries from other operating systems installed
for binary compatibility under /emul may also be vulnerable. Please
consult the vendor of those libraries for further details.

NetBSD systems ship with BIND8-based nameserver and utilities, and
they use separate resolver library codebase in dist/bind (not lib/libc/net).
Since we are still not certain if BIND8 is safe, you will need to
update the following directories as well before the build if BIND8
is found to be vulnerable:
	usr.sbin/bind
	dist/bind


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-06-25
	should be upgraded to NetBSD-current dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.6 betas:

	Systems running NetBSD 1.6 betas dated from before 2002-06-25
	should be upgraded to NetBSD 1.6 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.5.x:

	Systems running NetBSD 1.5.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.5 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* NetBSD 1.4.x:

	Systems running NetBSD 1.4.x dated from before 2002-06-25
	should be upgraded to NetBSD 1.4 tree dated 2002-06-26 or later.

	The following directories need to be updated from the
	netbsd-1-4 CVS branch:
		lib/libc/net

	To update from CVS, re-build, and re-install libc and statically linked
	binaries:
		# cd src
		# cvs update -d -P -r netbsd-1-5 lib/libc/net

		# cd lib/libc
		# make cleandir dependall
		# make install

		# cd ../..
		# make dependall
		# make install


* pkgsrc:

	bind-4.9.8 (pkgsrc/net/bind4) is vulnerable.  Upgrade to bind-4.9.8nb1
	is recommended.  Note that BIND4 nameserver is considered obsolete
	by the vendor (ISC), and it is recommended to use BIND9, or BIND8.

	It is still unclear if bind-[89] is vulnerable or not, therefore,
	keep yourself informed.

	Shared libraries in compat1[234]-* (pkgsrc/emulators/compat1[234])
	are vulnerable.  There is no fix supplied at this moment.

	Shared libraries for binary compatibility are available
	through pkgsrc for some operating systems, and may be
	vulnerable as noted above if installed.

Thanks To
=========

Jun-ichiro itojun Hagino for patches, and initial advisory text.


Revision History
================

	2002-06-26	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-006.txt,v 1.19 2002/06/27 14:30:30 david Exp $


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPRrmJj5Ru2/4N2IFAQHAJQP/VP7uoErXvLTjHnChbw0ucCtKaWen/Gw2
DjejlLgIwhUw8GFgGEjfaqXxtr4CVCgH6vQSd0CrXUJ9gkRbZSiocuGFlXWyGmD6
NinhLq3EdkidyPTs8IEdkOIn04LqAWdIBxbMCU9ZBDtPtO9tudMDS7rNT/r/j6mA
Ec/pxiuZlzU=
=pXfG
-----END PGP SIGNATURE-----