-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-014 ================================= Topic: fd_set overrun in mbone tools and pppd Version: NetBSD-current: source prior to August 10, 2002 NetBSD 1.6 beta: sources prior to August 11, 2002 NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: affected Severity: possible local root compromise Fixed: NetBSD-current: August 10, 2002 NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix) NetBSD-1.5 branch: September 5, 2002 NetBSD-1.4 branch: not yet Abstract ======== The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP daemon pppd(8), are setuid root binaries. A malicious local user can cause a buffer overrun in these programs by filling file descriptor tables before exec'ing them, which could lead to local root compromise. No exploit code is known to exist at this moment. Technical Details ================= These tools use select(2). select(2) uses fd_set bitmap, which supports up to FD_SETSIZE (256) file descriptors. These tools did not have a boundary check when doing FD_SET() operations. Therefore, if the file descriptor used for select(2) equals to or exceeds FD_SETSIZE, a buffer overrun occurs. More details are in the NetBSD-current select(2) manpage "BUGS" section: Although the provision of getdtablesize(3) was intended to allow user programs to be written independent of the kernel limit on the number of open files, the dimension of a sufficiently large bit field for select remains a problem. The default bit size of fd_set is based on the symbol FD_SETSIZE (currently 256), but that is somewhat smaller than the current kernel limit to the number of open files. However, in order to accommo- date programs which might potentially use a larger number of open files with select, it is possible to increase this size within a program by providing a larger definition of FD_SETSIZE before the inclusion of . The kernel will cope, and the userland libraries provided with the system are also ready for large numbers of file descriptors. Solutions and Workarounds ========================= If you do not run, and do not plan to use, multicast-related tools or pppd, the problem can be worked around by removing the setuid bit from those binaries. Users can therefore no longer escalate their privileges by exploiting the bug: # chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd Nevertheless, we suggest upgrading these binaries to make sure you don't have vulnerable code in your system. The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues. Otherwise, the following instructions describe how to upgrade your binaries by updating your source tree and rebuilding and installing a new version. * NetBSD-current: Systems running NetBSD-current dated from before 2002-08-10 should be upgraded to NetBSD-current dated 2002-08-10 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd To update from CVS, re-build, and re-install mrinfo and mtrace: # cd src # cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd # cd usr.sbin/mrinfo # make cleandir dependall # make install # cd usr.sbin/mtrace # make cleandir dependall # make install # cd usr.sbin/pppd # make cleandir dependall # make install * NetBSD 1.6 beta: Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release. If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-11 or later should be used. The following directories need to be updated from the netbsd-1-6 CVS branch: usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd To update from CVS, re-build, and re-install mrinfo and mtrace: # cd src # cvs update -d -P -r netbsd-1-6 \ usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd # cd usr.sbin/mrinfo # make cleandir dependall # make install # cd usr.sbin/mtrace # make cleandir dependall # make install # cd usr.sbin/pppd # make cleandir dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD-1.5 branch dated from before 2002-09-05 should be upgraded to NetBSD-1.5 branch dated 2002-09-05 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd To update from CVS, re-build, and re-install mrinfo and mtrace: # cd src # cvs update -d -P -r netbsd-1-5 \ usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd # cd usr.sbin/mrinfo # make cleandir dependall # make install # cd usr.sbin/mtrace # make cleandir dependall # make install # cd usr.sbin/pppd # make cleandir dependall # make install * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: The advisory will be updated to include instructions to remedy this problem for systems running the NetBSD-1.4 branch. Thanks To ========= xs@kittenz.org for finding this bug and sending fixes. The NetBSD Release Engineering teams, for great patience and assistance in dealing with repeated security issues discovered recently. Revision History ================ 2002-09-16 Initial release More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-014.txt,v 1.13 2002/09/16 05:17:55 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPYVqaD5Ru2/4N2IFAQGipAP/QwtISx0xcoOwzB3HrjGmn8DMX0V13q6d ecx1QZ/4TuCjEYmgbhXdW8ReB7yQ1wy2tIG61U3pvoQW9EMqoK1n7ispixwUIS7X Yp3gpYp4nTAeeLvv3mYoT6NFERqzku7qakoSFq92uojwborR/yXFsiC41IMudhK6 HuwbKbDG9WM= =Ez96 -----END PGP SIGNATURE-----