The Nessus plugin for Sun RPC XDR xdrmem_getbytes Function Remote Overflow [1] causes rpcbind to crash due to freeing an invalid pointer.

*** glibc detected *** /sbin/rpcbind: free(): invalid pointer: 0xbf7f494c ***
poll returned read fds < 6 >
======= Backtrace: =========
/lib/libc.so.6(-0xff84c1cf)[0x240e31]
/lib/libtirpc.so.1(xdr_bytes+0x9f)[0xb3ca9f]
/sbin/rpcbind(+0x5714)[0x631714]
/lib/libtirpc.so.1(+0x14ea4)[0xb36ea4]
/lib/libtirpc.so.1(+0x14e6e)[0xb36e6e]
/sbin/rpcbind(+0x591e)[0x63191e]
/sbin/rpcbind(pmap_service+0x174)[0x6344e4]
/lib/libtirpc.so.1(svc_getreq_common+0x2ae)[0xb3600e]
/lib/libtirpc.so.1(svc_getreq_poll+0x8f)[0xb360bf]
/sbin/rpcbind(+0x509b)[0x63109b]
/sbin/rpcbind(main+0x4dc)[0x62fd3c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1e6ce6]
/sbin/rpcbind(+0x21c1)[0x62e1c1]
======= Memory map: ========
001d0000-00360000 r-xp 00000000 08:03 131950 /lib/libc-2.12.so
00360000-00361000 ---p 00190000 08:03 131950 /lib/libc-2.12.so
00361000-00363000 r--p 00190000 08:03 131950 /lib/libc-2.12.so
00363000-00364000 rw-p 00192000 08:03 131950 /lib/libc-2.12.so
00364000-00367000 rw-p 00000000 00:00 0
0056e000-00585000 r-xp 00000000 08:03 137050 /lib/libnsl-2.12.so
00585000-00586000 r--p 00016000 08:03 137050 /lib/libnsl-2.12.so
00586000-00587000 rw-p 00017000 08:03 137050 /lib/libnsl-2.12.so
00587000-00589000 rw-p 00000000 00:00 0
0062c000-00639000 r-xp 00000000 08:03 394181 /sbin/rpcbind
00639000-0063a000 rw-p 0000d000 08:03 394181 /sbin/rpcbind
00688000-00690000 r-xp 00000000 08:03 137055 /lib/libwrap.so.0.7.6
00690000-00691000 r--p 00007000 08:03 137055 /lib/libwrap.so.0.7.6
00691000-00692000 rw-p 00008000 08:03 137055 /lib/libwrap.so.0.7.6
0076f000-00786000 r-xp 00000000 08:03 131977 /lib/libpthread-2.12.so
00786000-00787000 r--p 00016000 08:03 131977 /lib/libpthread-2.12.so
00787000-00788000 rw-p 00017000 08:03 131977 /lib/libpthread-2.12.so
00788000-0078a000 rw-p 00000000 00:00 0
008bb000-008bc000 r-xp 00000000 00:00 0 [vdso]
008ef000-008fb000 r-xp 00000000 08:03 137169 /lib/libnss_files-2.12.so
008fb000-008fc000 r--p 0000b000 08:03 137169 /lib/libnss_files-2.12.so
008fc000-008fd000 rw-p 0000c000 08:03 137169 /lib/libnss_files-2.12.so
0099f000-009bd000 r-xp 00000000 08:03 131584 /lib/ld-2.12.so
009bd000-009be000 r--p 0001d000 08:03 131584 /lib/ld-2.12.so
009be000-009bf000 rw-p 0001e000 08:03 131584 /lib/ld-2.12.so
009d6000-009de000 r-xp 00000000 08:03 136753 /lib/libgssglue.so.1.0.0
009de000-009df000 rw-p 00007000 08:03 136753 /lib/libgssglue.so.1.0.0
00ad9000-00af6000 r-xp 00000000 08:03 136736 /lib/libgcc_s-4.4.7-20120601.so.1
00af6000-00af7000 rw-p 0001d000 08:03 136736 /lib/libgcc_s-4.4.7-20120601.so.1
00b22000-00b48000 r-xp 00000000 08:03 131852 /lib/libtirpc.so.1.0.10
00b48000-00b49000 rw-p 00026000 08:03 131852 /lib/libtirpc.so.1.0.10
00e35000-00e38000 r-xp 00000000 08:03 132420 /lib/libdl-2.12.so
00e38000-00e39000 r--p 00002000 08:03 132420 /lib/libdl-2.12.so
00e39000-00e3a000 rw-p 00003000 08:03 132420 /lib/libdl-2.12.so
014aa000-014cb000 rw-p 00000000 00:00 0 [heap]
b770f000-b7712000 rw-p 00000000 00:00 0
b772d000-b7730000 rw-p 00000000 00:00 0
bf7e3000-bf808000 rw-p 00000000 00:00 0 [stack]
rpcbind debugging enabled.

This is not the same flaw as CVE-2003-0028 (what the plugin was written for). The above was observed on a Red Hat Enterprise Linux 6 host.

[1] http://www.tenable.com/plugins/index.php?view=single&id=11420
It looks like the problem is libtirpc. It's a regression from:

commit 82cc2e6129c872c8be09381055f2fb5641c5e6fe
Author: Matthew N. Dodd <matthew.nygard.dodd>
Date: Mon Jun 20 13:34:56 2011 -0400

SVCAUTH_WRAP/SVCAUTH_UNWRAP

The following code was added to svc_dg_getargs():

@@ -264,7 +282,12 @@ svc_dg_getargs(xprt, xdr_args, args_ptr) xdrproc_t xdr_args; void *args_ptr; { - return (*xdr_args)(&(su_data(xprt)->su_xdrs), args_ptr); + if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs), + xdr_args, args_ptr)) { + (void)svc_freeargs(xprt, xdr_args, args_ptr); + return FALSE; + } + return TRUE; }

That svc_freeargs() should not exist.
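Review bot: the failure branch frees an argument structure that was never fully decoded. When SVCAUTH_UNWRAP fails partway through xdr_args (the backtrace above shows the free() reached through xdr_bytes, i.e. a length check that rejected the request), any pointer members of args_ptr still hold whatever the caller's stack frame contained, and `(void)svc_freeargs(xprt, xdr_args, args_ptr);` runs the XDR routine in free mode over that garbage, which is exactly the "free(): invalid pointer" abort in the report. Drop that line and keep only `return FALSE;`, matching the removed `return (*xdr_args)(...)` behaviour: after a failed decode there is nothing valid to free, and after a successful one freeing remains the caller's responsibility.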
An invalid pointer free flaw was found in the way the server-side implementation of connectionless RPC request handling in libtirpc, a library implementing Transport-Independent RPC (TI-RPC), (previously) performed argument retrieval (due to a regression in commit 82cc2e61, callers of the svc_dg_getargs() routine would crash with an invalid pointer free). A remote attacker could issue a specially crafted Sun RPC request that, when processed, would lead to a crash of the rpcbind daemon. A different vulnerability than CVE-2003-0028.

Relevant upstream patch:
[1] http://git.infradead.org/users/steved/libtirpc.git/commitdiff/a9f437119d79a438cb12e510f3cadd4060102c9f
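A runnable model of the failure described above, added here as an illustration (it is not libtirpc or rpcbind code): a minimal XDR memory decoder, a struct shaped like rpcbind's CALLIT arguments, and the two svc_dg_getargs() behaviours side by side. The names (xdr_bytes_decode, getargs_regressed, getargs_fixed, MAX_ARGS) and the two constructed requests are assumptions made for the example; a tracked free() stands in for glibc's invalid-pointer abort so the run reports the bad free instead of dying.

```c
/* Added example, not libtirpc's own code: model of the svc_dg_getargs() regression.
 * A decode that fails partway leaves the pointer member of the argument struct
 * unwritten; the regressed getargs then frees it. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 1024      /* assumed maxsize for the opaque bytes argument */
#define ARENA_SLOTS 8

/* Allocation registry: free() of a pointer not in the registry is an invalid free
 * (glibc would abort; here it is just counted). */
static void *live[ARENA_SLOTS];
static int bad_frees;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < ARENA_SLOTS; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void tracked_free(void *p) {
    for (int i = 0; i < ARENA_SLOTS; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;
}

/* Cursor over an XDR memory stream: big-endian 4-byte words, like xdrmem. */
struct xdrmem { const unsigned char *buf; size_t len, pos; };

static int xdr_u32(struct xdrmem *x, uint32_t *out) {
    if (x->len - x->pos < 4) return 0;
    const unsigned char *p = x->buf + x->pos;
    *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    x->pos += 4;
    return 1;
}

/* Decode-direction xdr_bytes(): length word, bounds check, then the payload.
 * On failure *val is left untouched, which is the crux of the bug. */
static int xdr_bytes_decode(struct xdrmem *x, char **val, uint32_t *len, uint32_t maxsize) {
    if (!xdr_u32(x, len) || *len > maxsize || x->len - x->pos < *len) return 0;
    *val = tracked_malloc(*len ? *len : 1);
    memcpy(*val, x->buf + x->pos, *len);
    x->pos += (*len + 3) & ~3u;          /* XDR pads to a 4-byte boundary */
    return 1;
}

/* Shape of rpcbind's CALLIT arguments: three words, then an opaque bytes argument. */
struct rmt_args { uint32_t prog, vers, proc, args_len; char *args_val; };

static int xdr_rmt_args_decode(struct xdrmem *x, struct rmt_args *a) {
    return xdr_u32(x, &a->prog) && xdr_u32(x, &a->vers) && xdr_u32(x, &a->proc)
        && xdr_bytes_decode(x, &a->args_val, &a->args_len, MAX_ARGS);
}
/* Free direction: xdr_bytes() frees whatever non-NULL pointer sits in the struct. */
static void xdr_rmt_args_free(struct rmt_args *a) {
    if (a->args_val) tracked_free(a->args_val);
    a->args_val = NULL;
}

/* Regressed behaviour (commit 82cc2e61): free the args when decoding fails. */
static int getargs_regressed(struct xdrmem *x, struct rmt_args *a) {
    if (!xdr_rmt_args_decode(x, a)) { xdr_rmt_args_free(a); return 0; }
    return 1;
}
/* Pre-regression / fixed behaviour: report failure, leave cleanup to the caller. */
static int getargs_fixed(struct xdrmem *x, struct rmt_args *a) {
    return xdr_rmt_args_decode(x, a);
}

/* Drive one request through a getargs variant the way a dispatcher would:
 * on success use and then free the args; on failure the caller frees nothing.
 * Returns how many invalid free() calls the request provoked. */
static int serve(int (*getargs)(struct xdrmem *, struct rmt_args *),
                 const unsigned char *req, size_t len) {
    struct rmt_args a;
    memset(&a, 0xA5, sizeof a);          /* stand-in for a stale stack frame */
    struct xdrmem x = { req, len, 0 };
    bad_frees = 0;
    if (getargs(&x, &a)) xdr_rmt_args_free(&a);
    return bad_frees;
}

/* Constructed requests: prog=100000, vers=2, proc=0, then the bytes argument. */
static const unsigned char good_req[] = {
    0,1,0x86,0xa0, 0,0,0,2, 0,0,0,0, 0,0,0,3, 'a','b','c',0 };
/* Crafted: bytes length 0x7fffffff, far beyond MAX_ARGS, so xdr_bytes fails. */
static const unsigned char evil_req[] = {
    0,1,0x86,0xa0, 0,0,0,2, 0,0,0,0, 0x7f,0xff,0xff,0xff };

int regressed_invalid_frees(void) { return serve(getargs_regressed, evil_req, sizeof evil_req); }
int fixed_invalid_frees(void)     { return serve(getargs_fixed, evil_req, sizeof evil_req); }
int good_request_frees(void)      { return serve(getargs_regressed, good_req, sizeof good_req)
                                         + serve(getargs_fixed, good_req, sizeof good_req); }
```

With the crafted request the regressed variant reports one invalid free (the 0xA5-filled pointer is handed to free), the fixed variant reports none, and both handle the well-formed request without error. The same pattern applies to any XDR routine whose free pass dereferences pointer members: a decoder must either initialise those members before it can fail, or its caller must never run the free pass over a struct the decoder did not complete.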
Created libtirpc tracking bugs for this issue

Affects: fedora-all [bug 955211]
This issue affects the version of the libtirpc package, as shipped with Red Hat Enterprise Linux 6.
Acknowledgements: Red Hat would like to thank Michael Armstrong for reporting this issue.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0884 https://rhn.redhat.com/errata/RHSA-2013-0884.html