======================================================================= Network Associates, Inc. SECURITY ADVISORY February 16, 1999 EMERGENCY RELEASE Stack Overflow in NFR Web Server ======================================================================= SYNOPSIS An implementation fault in the Network Flight Recorder network forensics system makes it possible for a remote attacker to obtain system management privileges on boxes running NFR in a standard configuration. Information sufficient to construct working exploits for this problem is publicly available. ======================================================================= VULNERABLE HOSTS This problem has been confirmed and is known to be exploitable on hosts running Network Flight Recorder's NFR 2.0.2-Research release. Because source code is publicly available for this software, it is possible to confirm vulnerability to this problem by inspecting the source used to build an installation of NFR on an arbitrary host. Details on how to do this, as well as how to immediately resolve this problem, appear later in this document. ======================================================================= DETAILS The Network Flight Recorder custom web server is used to present an HTTP front-end to the NFR system. By default, the web server is called "webd", and is bound to TCP port 2001. In the absence of external network access control, arbitrary remote attackers can conduct transactions with the NFR web server. Due to an implementation fault in "webd", it is possible for a remote attacker to formulate an HTTP transaction that will cause the web server to overflow an automatic variable on the stack. By overwriting activation records stored on the stack, it is possible to force a transfer of control into arbitrary instructions provided by the attacker in the HTTP transaction, and thus gain total control of the web server process. In a default installation, "webd" runs as the unprivileged "nfr" user. Thus, this attack does not grant an attacker immediate system management capabilities. However, in a standard installation of NFR, program binaries that are run by the superuser are owned by the "nfr" user. An attacker that has gained access to the "nfr" user via the web server can backdoor these files to gain root privileges when NFR is restarted. ======================================================================= TECHNICAL DETAILS Source code for the NFR system is publicly available under license from the NFR web site. This advisory makes reference to the source code in the NFR 2.0.2 Research release from Wed Jan 27 1999. The vulnerability discussed in this advisory occurs as a result of "webd"'s processing of the HTTP "POST" command. POST requests are handled in "nfr/webd/cmdpost.c". Regardless of the configuration of the NFR web server, the vulnerable POST handling code is exposed to remote attackers. The HTTP commands handled by the NFR web server are listed in the command table, which is located in "nfr/webd/ctab.c". The command table maps HTTP command names to function handlers. The function handler for "POST" commands which reference programs in the root directory of the web server is defined as "cmd_postbltin()", which is defined in "cmdpost.c". In order to process the POST command, the function handler attempts to read MIME headers for the POST data from the HTTP client. This is handled in "getpostdata()", also defined in "cmdpost.c". Among the headers recognized by the code is "Content-length", which defines the amount of data the client is sending the server in the POST transaction. Unfortunately, the MIME header recognition code does not sanity check the value given as the Content-length. It is possible for an attacker to specify an arbitrary Content-length header, which will be trusted by the server as valid input. After parsing MIME headers, the web daemon attempts to read as many bytes as the client specified in the Content-length header into an 8k buffer, named "buf", which is an automatic buffer in cmd_postbltin(). If the attacker specifies more than 8192 bytes of data in the header, the additional data will overwrite the stack frame for cmd_postbltin(), allowing the attacker to take over the web daemon process. Note that in some operating systems, causing a single read() to return more than 8192 bytes is difficult; this problem may not be easily exploited on these systems. This problem is known to be exploitable against 4.4BSD Unix operating systems running NFR. This is the recommended NFR platform. ======================================================================= RESOLUTION It is recommended that vulnerable users of NFR contact NFR immediately for a patch to this problem. In the absence of an available patch, the source code can be edited and rebuilt to resolve the problem by adding bounds checking to cmd_getpostbltin() or getpostdata(). NFR has announced the release of a patch that will correct this problem on February 16, 1999. This patch, which updates NFR to revision 2.0.3, should be available at the NFR website at http://www.nfr.com. ======================================================================= CREDITS Analysis and documentation of this problem was conducted by the Security Labs at Network Associates. This vulnerability was discovered, and NFR notified, on Wednesday, January 27, 1999. ======================================================================= ABOUT THE NETWORK ASSOCIATES SECURITY LABS The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 30 published security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community. For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at . ======================================================================= NETWORK ASSOCIATES SECURITY LABS PGP KEY -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 5.5.5 mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p 2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4 QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ =L3C6 -----END PGP PUBLIC KEY BLOCK-----