
BoS: Buffer overrun condition in "gethostbyname()" library function

daemon@ATHENA.MIT.EDU (Aleph One)
Tue Jan 28 20:58:17 1997

Date: 	Tue, 28 Jan 1997 12:27:05 -0600
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

-----BEGIN PGP SIGNED MESSAGE-----

- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
                          SECURITY VULNERABILITY ALERT

24 January 1997 13:00 GMT                        Number: ERS-SVA-E01-1997:001.1
===============================================================================
                                      NOTE

The information in this Security Vulnerability Alert was originally released on
03 December 1996 as ERS-SVA-E01-1996:007.1.  Since that time, two significant
events have occurred:

        1. An exploit script for this vulnerability has been made public.

        2. An error in the AIX 4.2 APAR for this problem has been discovered,
           and a new version of the APAR has been released.

===============================================================================
                             VULNERABILITY  SUMMARY

VULNERABILITY:  Buffer overrun condition in "gethostbyname()" library function

PLATFORMS:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x

SOLUTION:       Apply the fixes described below.  Due to a packaging problem,
                an incorrect fix for the AIX 4.2.x release was distributed.
                We strongly recommend that the fix be downloaded and installed
                again.

THREAT:         An exploit for the PowerPC AIX platform has been released which
                allows super-user access to the system.

===============================================================================
                              DETAILED INFORMATION

I. Description

In TCP/IP networks such as the Internet and many corporate networks, hosts are
identified by 32-bit numbers called addresses.  However, because these numbers
are difficult to remember, names are also given to hosts.  Although people use
the names to refer to the hosts, computer software must translate these names
into the numeric addresses in order to use them.

The Domain Name System (DNS), also called "the name server," is the primary
database used to perform these name-to-address (and address-to-name)
translations.  Other databases, such as the Network Information System (NIS,
formerly called Yellow Pages) and the "hosts file" are also used on some
systems.

When a program on a UNIX system wants to look up a host's name and obtain its
network address, it uses a library function called "gethostbyname()."  This
function takes a host name as a parameter, contacts the Domain Name System (or
another source of information), and returns the host's address(es) to the
program.  This saves the programmer the trouble of writing the complex code to
interface with the name server.

Under certain conditions, the "gethostbyname()" library function provided with
IBM AIX versions 3.2.x, 4.1.x, and 4.2.x can encounter a buffer overrun that
allows information on the program stack to be corrupted.
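The overrun described above is the classic unbounded-copy defect: a caller-supplied host name is copied into a fixed-size buffer on the stack without a length check, so a name longer than the buffer overwrites whatever lies above it, including the saved return address. The following C is an added example written for this page, not code from IBM-ERS or from AIX libc, and it does not reproduce the AIX bug (whose internals the advisory does not give). It places a hypothetical fixed-size copy next to a bounded version, and adds a syntactic host-name check (the RFC 1035 length and character rules) that a set-user-id program or network daemon can run before handing untrusted names to gethostbyname(). HOSTBUF, the function names and the sample names are illustrative assumptions.

```c
/* Added example, not code from the IBM-ERS advisory or from AIX libc.
 * It shows the class of defect the advisory describes (an unbounded copy
 * of a caller-supplied host name into a fixed-size stack buffer) next to
 * a bounded version, and a pre-check a privileged program can apply before
 * it hands untrusted names to gethostbyname(). The buffer size and the
 * resolver stand-ins are hypothetical; the real AIX bug is not reproduced. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>

#define HOSTBUF 64            /* hypothetical internal buffer size */
#define MAX_DNS_NAME 253      /* RFC 1035: 255 octets on the wire, 253 in text */
#define MAX_DNS_LABEL 63

/* Vulnerable pattern: strcpy() trusts the caller's length. A name longer
 * than HOSTBUF - 1 bytes runs past buf into the saved registers and the
 * return address. Shown to be read, never called with untrusted input. */
int lookup_unbounded(const char *name)
{
    char buf[HOSTBUF];
    strcpy(buf, name);        /* no bound: this is the overrun */
    return (int)strlen(buf);
}

/* Hardened pattern: refuse names that do not fit, then copy with a bound.
 * Returns the name length, or -1 when the name is rejected. */
int lookup_bounded(const char *name)
{
    char buf[HOSTBUF];
    size_t n = strlen(name);
    if (n >= sizeof buf)
        return -1;            /* too long: fail closed */
    memcpy(buf, name, n + 1);
    return (int)n;
}

/* Syntactic check to run before any resolver call: total length, label
 * length and character set per RFC 1035 (letters, digits, hyphen; a label
 * may not start or end with a hyphen; a single trailing dot is allowed).
 * Returns 1 if the name is sane, 0 otherwise. */
int hostname_is_sane(const char *name)
{
    size_t total = strlen(name);
    size_t label = 0;
    if (total == 0 || total > MAX_DNS_NAME)
        return 0;
    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label == 0) {
                /* absolute name "host.example." ends in one dot: fine */
                if (c == '\0' && i > 0 && name[i - 1] == '.')
                    break;
                return 0;     /* empty label ("a..b", leading dot) */
            }
            if (label > MAX_DNS_LABEL || name[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (!(isalnum((unsigned char)c) || c == '-'))
            return 0;
        if (label == 0 && c == '-')
            return 0;         /* label may not start with a hyphen */
        label++;
    }
    return 1;
}

/* Guarded lookup: only names that pass the check reach the library. The
 * returned struct hostent is gethostbyname()'s static storage. */
struct hostent *guarded_gethostbyname(const char *name)
{
    if (!hostname_is_sane(name))
        return NULL;
    return gethostbyname(name);
}
```

The check does not replace the vendor fix: a name can be RFC-valid and still trip a bug in the library, and the resolver also receives data from the network in the reply. It does shrink what an unprivileged caller can hand to a set-user-id program, which is the path the Impact section describes.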

II. Impact

Many set-user-id and set-group-id programs, as well as many network programs
running with super-user privileges, make use of the "gethostbyname()" library
function.  Corrupting the program stack of these programs may allow arbitrary
user-provided code to be executed inadvertently.

If successfully exploited, this buffer overrun condition could be used to gain
super-user access to the system.  Such an action could be initiated over the
network from a remote system, or by a user on the local system.  Penetration
through a firewall may also be possible, depending on which services and
applications are permitted by the firewall system.

A script that exploits a similar buffer overrun condition in the Sun Solaris
2.x version of "gethostbyname()" was publicly released in November, 1996.  Sun
Microsystems announced fixes for that condition in Security Bulletin 137, which
was released on 20 Nov 96.

A script that exploits a similar buffer overrun condition in the IBM AIX
version of "gethostbyname()" was publicly released in January, 1997.  Fixes
are described below.

III. Solutions

*****
***** NOTE
*****
***** Due to a packaging error in the original APAR for AIX 4.2, you should
***** check that bos.rte.libc is at version 4.2.0.7 or later.  If not, you
***** should retrieve APAR IX62144 again and re-apply it.
*****
***** This packaging error affected the AIX 4.2 APAR ONLY.  The AIX 3.2 and
***** AIX 4.1 APARS were not affected.
*****

The following Authorized Program Analysis Reports (APARs) for IBM AIX are now
available to address the concerns described above:

  AIX 3.2.x
  ---------
    APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)

    To determine if you have this PTF on your system, run the following
    command:

        lslpp -lB U443452 U444191 U444206 U444213 U444233 U444244

  AIX 4.1.x
  ---------
    APAR - IX61019

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ivk IX61019

    The bos.rte.libc fileset should be 4.1.4.18 or later.

  AIX 4.2.x
  ---------
    APAR - IX62144

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ivk IX62144

    The bos.rte.libc fileset should be 4.2.0.7 or later.
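As an added example (not part of the IBM-ERS advisory), the following C program applies the fileset-level test above to the text of "lslpp -L bos.rte.libc": it extracts the Level column, selects the minimum the advisory names for that release (4.1.4.18 on AIX 4.1, 4.2.0.7 on AIX 4.2), and compares dotted levels field by field as numbers rather than as strings, so that a later level such as 4.2.0.10 is not misread as older than 4.2.0.7. The sample output is constructed in the shape of that command and comes from no real host. The AIX 3.2 fix is tracked by PTF numbers rather than a fileset level, so the program reports it as not covered.

```c
/* Added example, not part of the IBM-ERS advisory. It applies the
 * advisory's fileset-level check ("bos.rte.libc should be 4.1.4.18 or
 * later" on AIX 4.1, "4.2.0.7 or later" on AIX 4.2) to the text of
 * "lslpp -L bos.rte.libc". The sample output below is constructed in the
 * layout of that command; nothing here queries a real system. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one dotted-level field from *p as a number and advance past it
 * and the following dot. An empty or non-numeric field reads as 0. */
static long next_field(const char **p)
{
    char *end;
    long v = 0;
    if (**p) {
        v = strtol(*p, &end, 10);
        if (end == *p)
            end = (char *)*p + strlen(*p);   /* no digits: stop scanning */
        *p = end;
    }
    if (**p == '.')
        (*p)++;
    return v;
}

/* Compare two dotted levels numerically: <0, 0 or >0 like strcmp().
 * Missing trailing fields count as 0, so "4.2" equals "4.2.0.0". */
int level_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        long x = next_field(&a), y = next_field(&b);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* Minimum fixed level for the release a level belongs to, or NULL when
 * the advisory gives none (AIX 3.2 is tracked by PTF numbers instead). */
const char *min_fixed_level(const char *level)
{
    if (strncmp(level, "4.1.", 4) == 0) return "4.1.4.18";
    if (strncmp(level, "4.2.", 4) == 0) return "4.2.0.7";
    return NULL;
}

/* Find the Level column of the bos.rte.libc line in lslpp -L output.
 * Returns 1 and fills level (capacity n) on success, 0 if not listed. */
int libc_level_from_lslpp(const char *output, char *level, size_t n)
{
    const char *line = output;
    while (*line) {
        char fileset[64], lvl[32];
        if (sscanf(line, " %63s %31s", fileset, lvl) == 2 &&
            strcmp(fileset, "bos.rte.libc") == 0) {
            snprintf(level, n, "%s", lvl);
            return 1;
        }
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* 1 = at or above the fixed level, 0 = below it,
 * -1 = fileset not listed or release not covered by a level check. */
int libc_is_fixed(const char *lslpp_output)
{
    char level[32];
    if (!libc_level_from_lslpp(lslpp_output, level, sizeof level))
        return -1;
    const char *min = min_fixed_level(level);
    if (!min)
        return -1;
    return level_cmp(level, min) >= 0;
}

/* Constructed samples in the layout of "lslpp -L bos.rte.libc"; these are
 * not captured from any host. One is below the 4.2 minimum, one is at it. */
static const char SAMPLE_OLD[] =
    "  Fileset                      Level  State  Description\n"
    "  ---------------------------------------------------------------\n"
    "  bos.rte.libc               4.2.0.6    C    libc Library\n";
static const char SAMPLE_FIXED[] =
    "  Fileset                      Level  State  Description\n"
    "  ---------------------------------------------------------------\n"
    "  bos.rte.libc               4.2.0.7    C    libc Library\n";

int main(void)
{
    printf("constructed old sample:   %d\n", libc_is_fixed(SAMPLE_OLD));
    printf("constructed fixed sample: %d\n", libc_is_fixed(SAMPLE_FIXED));
    return 0;
}
```

On a real system, pass the command's output to libc_is_fixed(): 1 is the state the advisory asks for, 0 means the APAR should be retrieved and applied again as the NOTE above directs, and -1 means the level test does not apply and the release's APAR or PTF list should be checked with the instfix or lslpp commands given above.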

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information on
FixDist, and to obtain fixes via the Internet, please reference

        http://service.software.ibm.com/aixsupport/

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" in
the "Subject:" line.

IV. Acknowledgements

IBM-ERS would like to thank the CERT Coordination Center (CERT/CC), AUSCERT,
Sun Microsystems, and Marko Laakso (University of Oulu) for providing some of
the information in this advisory.

AIX is a registered trademark of International Business Machines Corporation.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 1996 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident response
teams (both commercial and non-commercial), provided the above copyright is
kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent of
increasing the awareness of the Internet community.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMui5cPWDLGpfj4rlAQE/XgQAvtkvVTZBYqfBcWVgTlGDKTv86V9OtWBo
tnUU5f/CglzI4KIPrPFG+ACHPheo7aPRLD2zqOi8QqpG7+CsACEHjH3Cmkequefu
UpkHZrTOUiiwGXnhJw67gYrR3i1tIkeoaJ1Wy72JzoxvIcLer2NoYoqMmWsUPf7b
4KqJrox61XE=
=NvHe
-----END PGP SIGNATURE-----

