Bug 468014 - (CVE-2008-4619) CVE-2008-4619 libtirpc: rpcbind DoS in the taddr2uaddr XDR_DECODE
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20081020,public=2...
Keywords: Security
Reported: 2008-10-22 08:26 EDT by Tomas Hoger
Modified: 2010-03-29 05:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-03-29 05:38:59 EDT
Description Tomas Hoger 2008-10-22 08:26:14 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4619 to the following vulnerability:

The RPC subsystem in Sun Solaris 9 allows remote attackers to cause a denial of
service (daemon crash) via a crafted request to procedure 8, related to the
XDR_DECODE operation and the taddr2uaddr function.

References:
http://www.milw0rm.com/exploits/6775
Comment 1 Tomas Hoger 2008-10-22 08:38:39 EDT
This also crashes rpcbind on Fedora and seems to be a libtirpc issue.

In rpcb_service_4(), rpcbind calls libtirpc's xdr_netbuf() when a taddr2uaddr decode is required. xdr_netbuf() first reads maxlen from the argument and later uses this as an upper bound while reading the transport-encoded address into objp->buf using xdr_bytes(), without further validation. However, the malicious request from the PoC referenced above causes maxlen to be 0, which causes xdr_bytes() to return TRUE without initializing objp->buf. That is later used as an inet_ntop argument, causing a SEGV.
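As an added illustration, not code from this bug report or from libtirpc: a hardened AF_INET version of the taddr2uaddr conversion described above, which validates the decoded netbuf before its buffer reaches inet_ntop. The struct netbuf here is a constructed stand-in using libtirpc's field names, safe_taddr2uaddr and example_uaddr are hypothetical names, and the sample address 192.0.2.1 port 111 is constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for libtirpc's struct netbuf (same field names). */
struct netbuf { unsigned int maxlen; unsigned int len; void *buf; };

/* Hardened, hypothetical AF_INET variant of __rpc_taddr2uaddr_af: renders
 * the address as the universal form "a.b.c.d.port_hi.port_lo". With len 0,
 * xdr_bytes() leaves nbuf->buf unset, so the buffer is checked (present and
 * at least a full sockaddr_in) before anything is read. malloc'ed or NULL. */
char *safe_taddr2uaddr(int af, const struct netbuf *nbuf)
{
    char name[INET_ADDRSTRLEN], *ret;
    const struct sockaddr_in *sin;
    unsigned int port;

    if (af != AF_INET || nbuf == NULL || nbuf->buf == NULL)
        return NULL;
    /* Comment 4's patch rejects only len == 0; a short but non-zero len
     * would still let the cast below read past the end of the buffer. */
    if (nbuf->len < sizeof(struct sockaddr_in))
        return NULL;
    sin = nbuf->buf;
    if (inet_ntop(af, &sin->sin_addr, name, sizeof name) == NULL)
        return NULL;
    port = ntohs(sin->sin_port);
    ret = malloc(sizeof name + 8);   /* "255.255.255.255.255.255" + NUL */
    if (ret != NULL)
        snprintf(ret, sizeof name + 8, "%s.%u.%u", name, port >> 8, port & 0xff);
    return ret;
}

/* Constructed sample: 192.0.2.1 port 111 in a netbuf whose len the caller
 * picks, so an empty (len 0), a truncated and a well-formed netbuf can be
 * compared. With len 0, buf stays NULL as it would after xdr_bytes(). */
char *example_uaddr(unsigned int len)
{
    static struct sockaddr_in sin;
    struct netbuf nb = { sizeof sin, len, len ? &sin : NULL };
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(111);
    inet_pton(AF_INET, "192.0.2.1", &sin.sin_addr);
    return safe_taddr2uaddr(AF_INET, &nb);
}
```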
Comment 2 Tomas Hoger 2008-10-22 08:41:24 EDT
Steve, can you please check whether I'm missing anything here? You also seem to be part of libtirpc's upstream; can you let other libtirpc developers know about this issue, or should I try to contact them? Thanks!
Comment 3 Tomas Hoger 2008-10-24 16:09:04 EDT
I've created an upstream bug report for this:
http://sourceforge.net/tracker/index.php?func=detail&aid=2192645&group_id=183075&atid=903784
Comment 4 Steve Dickson 2008-10-27 12:40:07 EDT
I'm thinking the problem is not in xdr_netbuf() since it's valid
to return a zero length buffer. The problem is with the user of
that zero length, in this case taddr2uaddr()->__rpc_taddr2uaddr_af()

Here is the patch I propose:

--- src/rpc_generic.c.orig	2008-10-27 10:04:32.000000000 -0400

+++ src/rpc_generic.c	2008-10-27 12:05:59.000000000 -0400

@@ -594,6 +594,9 @@ __rpc_taddr2uaddr_af(int af, const struc

 #endif

 	u_int16_t port;

 

+	if (nbuf->len <= 0)

+		return NULL;

+

 	switch (af) {

 	case AF_INET:

 		sin = nbuf->buf;
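Review bot: the new guard `if (nbuf->len <= 0) return NULL;` only rejects an empty netbuf, yet the `case AF_INET:` branch right below it does `sin = nbuf->buf;` and reads the buffer as a whole sockaddr_in, so a request carrying a short but non-zero len still passes the check and is read past its end; suggest rejecting any len smaller than the sockaddr size for the family selected by `switch (af)` (sizeof(struct sockaddr_in) in this case, and the matching size in the other cases) instead of only zero. Since __rpc_taddr2uaddr_af() now returns NULL for such input, its caller taddr2uaddr() named in this comment, and rpcbind's handling of that result, need to propagate the NULL rather than hand it on to inet_ntop or the XDR encoder.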
Comment 5 Fedora Update System 2008-10-27 13:58:17 EDT
libtirpc-0.1.7-20.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libtirpc-0.1.7-20.fc9
Comment 6 Steve Dickson 2008-10-28 05:56:13 EDT
Fixed in libtirpc-0.1.9-6.fc10
Comment 7 Tomas Hoger 2008-10-29 03:46:06 EDT
Looks like this issue is a bit older and was originally assigned CVE id CVE-2007-0165:

Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind. 

References:
http://www.securityfocus.com/bid/21964/
http://secunia.com/advisories/23700/
http://secunia.com/advisories/32403/
Comment 8 Tomas Hoger 2008-10-29 04:02:41 EDT
(In reply to comment #6)
> Fixed in libtirpc-0.1.9-6.fc10

Steve, you've managed to typo NVR in the RPM changelog, as it now says 0.1.8-X instead of 0.1.9-X.
Comment 9 Fedora Update System 2008-10-30 08:49:17 EDT
libtirpc-0.1.7-20.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.