From phzy@nmrc.org Tue Aug 21 13:01:12 2001
From: Phuzzy L0gik
To: vulnwatch@vulnwatch.org
Date: Tue, 21 Aug 2001 13:20:45 -0400 (EDT)
Subject: Re: [VulnWatch] Security Update: [CSSA-2001-031.0] Linux -security issues in ucd-snmp (fwd)

Took a quick look at the ucd-snmp-4.2.1 source off of sourceforge:

Aside from the obvious strcpy()'s littered throughout the source (namely,
with the agent's '-l' command-line argument), I found this:
(I think the rpm package reads ~/.rpmrc which makes this exploitable):

in agent/mibgroup/host/hr_swinst.c :

    #define SNMP_MAXPATH MAXPATHLEN   /* MAXPATHLEN = 1024 */
    static char string[SNMP_MAXPATH];
    char path[SNMP_MAXPATH];
    ...
    rpmReadConfigFiles(NULL, NULL, NULL, 0);   /* read ~/.rpmrc */
    swi->swi_dbpath = rpmGetVar(RPMVAR_DBPATH);
>>  sprintf(path, "%s/packages.rpm", swi->swi_dbpath);
    swi->swi_directory = strdup(path);
    ...
    if (swi->swi_directory != NULL)
        strcpy(string, swi->swi_directory);

mta_sendmail.c also misuses vsprintf(buffer, format, ap); but is not
exploitable, as sizeof(format) is 200 whereas buffer is 600.

Format string problems exist in the following:

    apps/snmpnetstat/inet.c and inet6.c
    apps/snmptable.c
    snmplib/mib.c
    snmplib/read_config.c
    snmplib/snmp_debug.c
    snmplib/snmp_logging.c

and the race condition is in agent/mibgroup/util_funcs.c :

    if ((cfd = open(cachefile, O_WRONLY|O_TRUNC|O_CREAT, 0644)) < 0) {

note the missing O_EXCL.

- phzy

> ---------- Forwarded message ----------
> Date: Sat, 18 Aug 2001 06:02:43 +0000 (GMT)
> From: Rain Forest Puppy
> To: vulnwatch@vulnwatch.org
> Subject: [VulnWatch] Security Update: [CSSA-2001-031.0] Linux -security
>     issues in ucd-snmp (fwd)
>
> Sorry for the forward...pulled this off the announce list. Hints at
> unknown ucd-snmp problems.
>
> - rfp
>
> ---------- Forwarded message ----------
> Date: Fri, 17 Aug 2001 15:31:17 -0600
> From: Support Info
> Reply-To: announce@lists.caldera.com
> To: announce@lists.caldera.com
> Subject: Security Update: [CSSA-2001-031.0] Linux -security issues in
>     ucd-snmp
>
> ______________________________________________________________________________
> Caldera International, Inc. Security Advisory
>
> Subject: Linux - security issues in ucd-snmp
> Advisory number: CSSA-2001-031.0
> Issue date: 2001, August 16
> Cross reference:
> ______________________________________________________________________________
>
> 1. Problem Description
>
> In a routine security audit of the ucd-snmp package we have found
> several problems, including several potentially exploitable buffer
> overflows, format string bugs, signedness issues and tempfile race
> conditions. Some of these might allow remote attackers to gain access
> to the UID under which snmpd is running. This update fixes all known
> problems and also makes the snmpd run as user 'nobody', reducing the
> impact of further problems.
>
> 2. Vulnerable Versions
>
> System                         Package
> -----------------------------------------------------------
> OpenLinux 2.3                  not vulnerable
>
> OpenLinux eServer 2.3.1        All packages previous to
> and OpenLinux eBuilder         ucd-snmp-4.2.1-6b
>
> OpenLinux eDesktop 2.4         not vulnerable
>
> OpenLinux Server 3.1           not vulnerable
>
> OpenLinux Workstation 3.1      not vulnerable
>
> 3. Solution
>
> Workaround
>
> none
>
> The proper solution is to upgrade to the latest packages.
>
> 4. OpenLinux 2.3
>
> not vulnerable
>
> 5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
>
> 5.1 Location of Fixed Packages
>
> The upgrade packages can be found on Caldera's FTP site at:
>
> ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
>
> The corresponding source code package can be found at:
>
> ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
>
> 5.2 Verification
>
> cb200e856acac6bd14fec9eb67eabb14 RPMS/ucd-snmp-4.2.1-6b.i386.rpm
> 0c8f8963ce490f80a47681996e9370ab RPMS/ucd-snmp-devel-4.2.1-6b.i386.rpm
> d584b6cd0b799b4b928dadce9f2ec058 RPMS/ucd-snmp-utils-4.2.1-6b.i386.rpm
> 1e78df3f5bfce4319ce8e7622e45d795 SRPMS/ucd-snmp-4.2.1-6b.src.rpm
>
> 5.3 Installing Fixed Packages
>
> Upgrade the affected packages with the following commands:
>
> rpm -Fvh ucd-snmp-4.2.1-6b.i386.rpm \
>     ucd-snmp-devel-4.2.1-6b.i386.rpm \
>     ucd-snmp-utils-4.2.1-6b.i386.rpm
>
> 6. OpenLinux eDesktop 2.4
>
> not vulnerable
>
> 7. OpenLinux 3.1 Server
>
> not vulnerable
>
> 8. OpenLinux 3.1 Workstation
>
> not vulnerable
>
> 9. References
>
> This and other Caldera security resources are located at:
>
> http://www.caldera.com/support/security/index.html
>
> This security fix closes Caldera's internal Problem Report 10043.
>
> 10. Disclaimer
>
> Caldera International, Inc. is not responsible for the misuse of
> any of the information we provide on this website and/or through our
> security advisories. Our advisories are a service to our customers
> intended to promote secure installation and use of Caldera OpenLinux.
> ______________________________________________________________________________
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I'm in trouble for the things I haven't got to yet"
hellNbak@nmrc.org
http://www.nmrc.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
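Added example, not code from ucd-snmp or from phzy's post: the bounded and exclusive-create counterparts of the two patterns flagged in the message above (sprintf() into path[SNMP_MAXPATH] from the ~/.rpmrc dbpath, and the cache-file open() without O_EXCL). Function names and the temp path used in the self-check are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SNMP_MAXPATH 1024   /* same bound as the agent's path[] */
/* hr_swinst.c does sprintf(path, "%s/packages.rpm", dbpath) with dbpath
 * read from ~/.rpmrc, so a long value overruns path[SNMP_MAXPATH].
 * Bounded version: snprintf() reports the length it wanted, and we treat
 * truncation as an error. Returns 0 on success, -1 on NULL or overflow. */
static int build_packages_path(char *out, size_t outsz, const char *dbpath)
{
    int n;
    if (dbpath == NULL)              /* rpmGetVar() can return NULL */
        return -1;
    n = snprintf(out, outsz, "%s/packages.rpm", dbpath);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}
/* 1 if a dbpath of len 'a' bytes fits a SNMP_MAXPATH buffer, else 0. */
static int dbpath_fits(size_t len)
{
    char dbpath[2048], path[SNMP_MAXPATH];
    if (len >= sizeof dbpath) return 0;
    memset(dbpath, 'a', len);
    dbpath[len] = '\0';
    return build_packages_path(path, sizeof path, dbpath) == 0;
}

/* util_funcs.c opens its cache with O_WRONLY|O_TRUNC|O_CREAT and no O_EXCL,
 * so a symlink planted at cachefile is followed and its target truncated.
 * With O_EXCL, open() fails with EEXIST if anything already sits there. */
static int open_cache_exclusive(const char *cachefile)
{
    return open(cachefile, O_WRONLY | O_CREAT | O_EXCL, 0644);
}

/* 1 if a fresh path is created and a second create is refused with EEXIST. */
static int check_exclusive_create(const char *path)
{
    int fd1, fd2, ok;
    unlink(path);                    /* start from a clean slate */
    fd1 = open_cache_exclusive(path);
    if (fd1 < 0) return 0;
    fd2 = open_cache_exclusive(path);
    ok = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0) close(fd2);
    close(fd1);
    unlink(path);
    return ok;
}
```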