Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3)


Originally reported as affecting only WU-FTPD.  It seems that the bug
is in code borrowed from the BSD C library.  NetBSD, FreeBSD and OpenBSD
announcements attached.

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.
--- Begin Message ---
[ this version has some typos fixed ]

An off-by-one error exists in the C library function realpath(3).
This is the same bug that was recently found in the wu-ftpd ftpd
server by Janusz Niewiadomski and Janusz Niewiadomski.

The OpenBSD ftp daemon does not use realpath(3) in a way that could
be exploited, however a number of other system binaries also use
the function.  It is not currently known whether or not this bug
results in an exploitable security hole on OpenBSD.  Since the bug
led to an exploitable hole in wu-ftpd, it is entirely possible that
some program using realpath(3) under OpenBSD may be vulnerable to
attack.  For OpenBSD 3.3 and higher, the ProPolice stack protector
should provide some protection from this bug, but this cannot be
guaranteed.

This bug has been fixed in OpenBSD-current as well as the 3.2 and
3.3 stable branches.  Patches are available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch

Patch for OpenBSD 3.3:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch

For versions of OpenBSD prior to 3.2, users may simply fetch
the current revision of realpath.c from:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c
then rebuild and install libc with the new realpath.c.

For more details, see the description of the wu-ftpd fp_realpath bug:
    http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

--- End Message ---
Date: Sun, 3 Aug 2003 17:04:31 -0700 (PDT)
Message-Id: <200308040004.h7404VVL030671@freefall.freebsd.org>
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath

=============================================================================
FreeBSD-SA-03:08.realpath                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Single byte buffer overflow in realpath(3)

Category:       core
Module:         libc
Announced:      2003-08-03
Credits:        Janusz Niewiadomski <funkysh@isec.pl>,
                Wojciech Purczynski <cliph@isec.pl>,
                CERT/CC
Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
                and 5.0-RELEASE
                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
                2003-08-03 23:43:43 UTC (RELENG_4_8)
                2003-08-03 23:44:12 UTC (RELENG_4_7)
                2003-08-03 23:44:36 UTC (RELENG_4_6)
                2003-08-03 23:44:56 UTC (RELENG_4_5)
                2003-08-03 23:45:41 UTC (RELENG_4_4)
                2003-08-03 23:46:03 UTC (RELENG_4_3)
                2003-08-03 23:47:39 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

The realpath(3) function is used to determine the canonical,
absolute pathname from a given pathname which may contain extra
``/'' characters, references to ``/./'' or ``/../'', or references
to symbolic links.  The realpath(3) function is part of the FreeBSD
Standard C Library.

II.  Problem Description

An off-by-one error exists in a portion of realpath(3) that computes
the length of the resolved pathname.  As a result, if the resolved
path name is exactly 1024 characters long and contains at least
two directory separators, the buffer passed to realpath(3) will be
overwritten by a single NUL byte.

III. Impact

Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.  The
impact on an individual application is highly dependent upon the
source of the pathname passed to realpath, the position of the output
buffer on the stack, the architecture on which the application is
running, and other factors.

Within the FreeBSD base system, several applications use realpath(3).
Two applications which are negatively impacted are:

(1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
    process the MLST and MLSD commands.  [lukemftpd(8) is not built or
    installed by default.]

(2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
    chdir commands.

In both of the cases above, the realpath(3) vulnerability may be
exploitable, leading to arbitrary code execution with the privileges
of the authenticated user.  This is probably only of concern on
otherwise `closed' servers, e.g. servers without shell access.

At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
the following applications which appear to use realpath(3).  These
applications have not been audited, and may or may not be vulnerable.
There may be additional applications in the FreeBSD Ports Collection
that use realpath(3), particularly statically-linked applications and
applications added since 4.8-RELEASE.

BitchX-1.0c19_1
Mowitz-0.2.1_1
XFree86-clients-4.3.0_1
abcache-0.14
aim-1.5.234
analog-5.24,1
anjuta-1.0.1_1
aolserver-3.4.2
argus-2.0.5
arm-rtems-gdb-5.2_1
avr-gdb-5.2.1
ccache-2.1.1
cdparanoia-3.9.8_4
cfengine-1.6.3_4
cfengine2-2.0.3
cmake-1.4.7
comserv-1.4.3
criticalmass-0.97
dedit-0.6.2.3_1
drweb_postfix-4.29.10a
drweb-4.29.2
drweb_sendmail-4.29.10a
edonkey-gui-gtk-0.5.0
enca-0.10.7
epic4-1.0.1_2
evolution-1.2.2_1
exim-3.36_1
exim-4.12_5
exim-ldap-4.12_5
exim-ldap2-4.12_5
exim-mysql-4.12_5
exim-postgresql-4.12_5
fam-2.6.9_2
fastdep-0.15
feh-1.2.4_1
ferite-0.99.6
fileutils-4.1_1
finfo-0.1
firebird-1.0.2
firebird-1.0.r2
frontpage-5.0.2.2623_1
galeon-1.2.8
galeon2-1.3.2_1
gdb-5.3_20030311
gdb-5.2.1_1
gdm2-2.4.1.3
gecc-20021119
gentoo-0.11.34
gkrellmvolume-2.1.7
gltron-0.61
global-4.5.1
gnat-3.15p
gnomelibs-1.4.2_1
gprolog-1.2.16
gracula-3.0
gringotts-1.2.3
gtranslator-0.43_1
gvd-1.2.5
hercules-2.16.5
hte-0.7.0
hugs98-200211
i386-rtems-gdb-5.2_1
i960-rtems-gdb-5.2_1
installwatch-0.5.6
ivtools-1.0.6
ja-epic4-1.0.1_2
ja-gnomelibs-1.4.2_1
ja-msdosfs-20001027
ja-samba-2.2.7a.j1.1_1
kdebase-3.1_1
kdelibs-3.1
kermit-8.0.206
ko-BitchX-1.0c16_3
ko-msdosfs-20001027
leocad-0.73
libfpx-1.2.0.4_1
libgnomeui-2.2.0.1
libpdel-0.3.4
librep-0.16.1_1
linux-beonex-0.8.1
linux-divxplayer-0.2.0
linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
linux-gnomelibs-1.2.8_2
linux-mozilla-1.2
linux-netscape-communicator-4.8
linux-netscape-navigator-4.8
linux-phoenix-0.3
linux_base-6.1_4
linux_base-7.1_2
lsh-1.5.1
lukemftpd-1.1_1
m68k-rtems-gdb-5.2_1
mips-rtems-gdb-5.2_1
mod_php4-4.3.1
moscow_ml-2.00_1
mozilla-1.0.2_1
mozilla-1.2.1_1,2
mozilla-1.2.1_2
mozilla-1.3b,1
mozilla-1.3b
mozilla-embedded-1.0.2_1
mozilla-embedded-1.2.1_1,2
mozilla-embedded-1.3b,1
msyslog-1.08f_1
netraider-0.0.2
openag-1.1.1_1
openssh-portable-3.5p1_1
openssh-3.5
p5-PPerl-0.23
paragui-1.0.2_2
powerpc-rtems-gdb-5.2_1
psim-freebsd-5.2.1
ptypes-1.7.4
pure-ftpd-1.0.14
qiv-1.8
readlink-20010616
reed-5.4
rox-1.3.6_1
rox-session-0.1.18_1
rpl-1.4.0
rpm-3.0.6_6
samba-2.2.8
samba-3.0a20
scrollkeeper-0.3.11_8,1
sh-rtems-gdb-5.2_1
sharity-light-1.2_1
siag-3.4.10
skipstone-0.8.3
sparc-rtems-gdb-5.2_1
squeak-2.7
squeak-3.2
swarm-2.1.1
tcl-8.2.3_2
tcl-8.3.5
tcl-8.4.1,1
tcl-thread-8.1.b1
teTeX-2.0.2_1
wine-2003.02.19
wml-2.0.8
worker-2.7.0
xbubble-0.2
xerces-c2-2.1.0_1
xerces_c-1.7.0
xnview-1.50
xscreensaver-gnome-4.08
xscreensaver-4.08
xworld-2.0
yencode-0.46_1
zh-cle_base-0.9p1
zh-tcl-8.3.0
zh-tw-BitchX-1.0c19_3
zh-ve-1.0
zh-xemacs-20.4_1

IV.  Workaround

There is no generally applicable workaround.

OpenSSH's sftp-server(8) may be disabled by editing
/etc/ssh/sshd_config and commenting out the following line by
inserting a `#' as the first character:

  Subsystem       sftp    /usr/libexec/sftp-server

lukemftpd(8) may be replaced by the default ftpd(8).

V.   Solution

1) Upgrade your vulnerable system to 4.8-STABLE
or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.  The following patch
has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
5.0-RELEASE.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your operating system as described in
<URL:http://www.freebsd.org/doc/handbook/makeworld.html>.

NOTE WELL:  Any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.

All affected applications must be restarted for them to use the
corrected library.  Though not required, rebooting may be the easiest
way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_3
  src/lib/libc/stdlib/realpath.c                                  1.6.2.1
RELENG_4_3
  src/UPDATING                                             1.73.2.28.2.32
  src/lib/libc/stdlib/realpath.c                                  1.9.4.1
  src/sys/conf/newvers.sh                                  1.44.2.14.2.22
RELENG_4_4
  src/UPDATING                                             1.73.2.43.2.45
  src/lib/libc/stdlib/realpath.c                                  1.9.6.1
  src/sys/conf/newvers.sh                                  1.44.2.17.2.36
RELENG_4_5
  src/UPDATING                                             1.73.2.50.2.44
  src/lib/libc/stdlib/realpath.c                                  1.9.8.1
  src/sys/conf/newvers.sh                                  1.44.2.20.2.28
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.42
  src/lib/libc/stdlib/realpath.c                                 1.9.10.1
  src/sys/conf/newvers.sh                                  1.44.2.23.2.31
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.14
  src/lib/libc/stdlib/realpath.c                                 1.9.12.1
  src/sys/conf/newvers.sh                                  1.44.2.26.2.13
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.3
  src/lib/libc/stdlib/realpath.c                                 1.9.14.1
  src/sys/conf/newvers.sh                                   1.44.2.29.2.2
RELENG_5_0
  src/UPDATING                                                 1.229.2.14
  src/lib/libc/stdlib/realpath.c                                 1.11.2.1
  src/sys/conf/newvers.sh                                        1.48.2.9
-------------------------------------------------------------------------

VII.  References

<URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
<URL:http://www.kb.cert.org/vuls/id/743092>
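
The length test described in the FreeBSD advisory's Problem Description above, modelled in C as an added example (it is not the libc source or either project's code): the original bound check beside the corrected one, run on a constructed path of exactly 1024 characters with a guard byte placed after the buffer so the stray NUL becomes visible. `PATHMAX`, `join_component` and `probe_join` are names chosen for this example.

```c
/* Model of the final path-join step of the 2003 BSD realpath(3), written for
 * this page (not the libc source).  PATHMAX stands in for MAXPATHLEN; the
 * names join_component and probe_join are chosen here. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define PATHMAX 1024
#define GUARD   0xA5   /* planted in the byte just past the output buffer */

/* Append the last component `last` to the directory already in `resolved`
 * with the original strcat() sequence.  fixed == 0 uses the original length
 * test, otherwise the corrected one.  Returns 0, or -1 with ENAMETOOLONG. */
int join_component(char *resolved, const char *last, int fixed)
{
    /* rootd == 1 when the directory is exactly "/": no separator is added. */
    int rootd = (resolved[0] == '/' && resolved[1] == '\0');
    size_t need;
    if (!fixed)
        /* Original: counts the separator only when it is NOT written
         * (rootd == 1) and omits it when it IS written: off by one. */
        need = strlen(resolved) + strlen(last) + rootd + 1;
    else
        /* Corrected: separator only when not at root, plus the NUL. */
        need = strlen(resolved) + strlen(last) + (1 - rootd) + 1;
    if (need > PATHMAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (rootd == 0)
        strcat(resolved, "/");
    strcat(resolved, last);
    return 0;
}

/* Joins a constructed 1000-character directory with a last component of
 * last_len bytes (1..64), giving a result of 1001 + last_len characters.
 * Returns 0 if rejected (guard intact), 1 if accepted with the guard intact,
 * 2 if the guard byte just past the PATHMAX-byte buffer was overwritten. */
int probe_join(int fixed, size_t last_len)
{
    unsigned char storage[PATHMAX + 1];   /* PATHMAX bytes plus guard */
    char *resolved = (char *)storage;
    char last[65];

    if (last_len < 1 || last_len > 64)
        return -1;
    memset(storage, 0, sizeof storage);
    storage[PATHMAX] = GUARD;
    resolved[0] = '/';                    /* "/aaa...a": 1000 characters */
    memset(resolved + 1, 'a', 999);
    memset(last, 'b', last_len);          /* "bbb...b": last_len characters */
    last[last_len] = '\0';
    if (join_component(resolved, last, fixed) != 0)
        return 0;
    return storage[PATHMAX] == GUARD ? 1 : 2;
}

int main(void)
{
    /* 1000 + "/" + 23 = exactly 1024 characters, the case in the advisory. */
    printf("original check: %d  (2 = guard byte overwritten by NUL)\n", probe_join(0, 23));
    printf("fixed check:    %d  (0 = rejected with ENAMETOOLONG)\n", probe_join(1, 23));
    return 0;
}
```

The 1024-character case is the only one where the two checks disagree: 1023 characters fit under both, and 1025 is rejected by both.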

		 NetBSD Security Advisory 2003-011
		 =================================

Topic:		off-by-one error in realpath(3)

Version:	NetBSD-current:	source prior to August 4, 2003
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	Possible remote buffer overrun/root compromise

Fixed:		NetBSD-current:		August 4, 2003
		NetBSD-1.6 branch:	August 5, 2003 (1.6.2 will include the fix)
		NetBSD-1.5 branch:	Awaiting pullups


Abstract
========

In the library function realpath(3), there was a string manipulation
mistake which could lead to a 1-byte buffer overrun.  realpath(3) is
used by important network daemons such as ftpd(8), so the vulnerability
could be remotely exploitable.

Note: The same error remained in a derived function in the distribution
of the wu-ftpd server (not part of NetBSD's base system).  This
information has been available to the general public for a matter of
days now. Exploits have been released against wu-ftpd. They are probably
being written against other affected services as well. If you offer any
of the affected services, you are advised to patch your system
immediately.


Technical Details
=================

http://www.kb.cert.org/vuls/id/743092

Binaries in the NetBSD base system which use realpath(3) include:

/bin/systrace
/usr/libexec/ftpd (*)
/sbin/mount
/sbin/umount
/usr/sbin/mountd (*)
/usr/bin/ssh
/usr/sbin/sshd (*)
/usr/libexec/sftp-server (*)
/usr/sbin/bootpd (*)

Binaries marked (*) listen on network interfaces, and could be remotely
exploitable.


Solutions and Workarounds
=========================

To fix this vulnerability you will need to upgrade your libc.

The following instructions describe how to upgrade your libc
binaries by updating your source tree and rebuilding and
installing a new version of libc.

Note that all statically-linked binaries, such as the following, must be
rebuilt:
- binaries under /sbin and /bin for 1.5 and 1.6-based systems
- binaries under /rescue for NetBSD-current systems
- statically-linked binaries built by pkgsrc

Also, running instances of daemons must be restarted, if you do not plan
to reboot the machine after the update of libc.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2003-08-03
	should be upgraded to NetBSD-current dated 2003-08-04 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		lib/libc

	To update from CVS, re-build, and re-install libc and rescue:
		# cd src
		# cvs update -d -P lib/libc

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../rescue
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)

* NetBSD 1.6, 1.6.1:

	The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before
	2003-08-04 should be upgraded from NetBSD 1.6 sources dated
	2003-08-05 or later.

	NetBSD 1.6.2 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		lib/libc

	To update from CVS, re-build, and re-install libc and static
	binaries:

		# cd src
		# cvs update -d -P -r netbsd-1-6 lib/libc

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)

	Alternatively, apply the following patch (with potential offset
	differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

	To patch, re-build and re-install libc, and static binaries:

		# cd src
		# patch < /path/to/SA2003-011-realpath.patch

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distributions of NetBSD 1.5, 1.5.1, 1.5.2, and 1.5.3
	are vulnerable.

	Changes have not yet been pulled up to the 1.5 source branch.

	Apply the following patch (with potential offset differences):
		ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

	To patch, re-build and re-install libc, and static binaries:

		# cd src
		# patch < /path/to/SA2003-011-realpath.patch

		# cd lib/libc
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../../sbin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		# cd ../bin
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

		(then, reboot, or restart affected daemons)


Thanks To
=========

CERT


Revision History
================

	2003-08-04	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-011.txt,v 1.7 2003/08/04 16:02:47 david Exp $

