SecuriTeam - FreeBSD patch for the AMD vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

As we discussed in our previous articles: Exploit code for the AMD vulnerability has been released and Buffer overflows in RedHat's amd package there is a buffer overflow in the RPC.AMD daemon that allows remote and local users to gain root privileges. FreeBSD has released a patch that solves this issue.

Credit:
This patch has been reported by: Aleph One.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
FreeBSD 3.2 (and earlier)
FreeBSD-current before the correction date.
FreeBSD 3.2-stable before the correction date.

Non-vulnerable systems:
FreeBSD-3.3 RELEASE
FreeBSD-current as of September 7, 1999
FreeBSD-3.2-stable as of August 25, 1999
The FreeBSD-3.3-RC series of releases are not affected.

FreeBSD recommends that you upgrade your system to one that is listed above as having the problem resolved, or you may patch your present systems.

To patch your present system apply the following patches to amd, rebuild, install and restart amd (or reboot).

Patches for 3.2-stable and -current systems before the resolution date:

Index: xutil.c
===================================================================
RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- xutil.c 1999/01/13 19:20:33 1.1.1.3
+++ xutil.c 1999/08/25 18:59:39 1.1.1.3.2.1
@@ -272,16 +272,18 @@

/*
* Take a log format string and expand occurrences of %m
- * with the current error code taken from errno.
+ * with the current error code taken from errno. Make sure
+ * 'e' never gets longer than maxlen characters.
*/
static void
-expand_error(char *f, char *e)
+expand_error(char *f, char *e, int maxlen)
{
extern int sys_nerr;
- char *p;
+ char *p, *q;
int error = errno;
+ int len = 0;

- for (p = f; (*e = *p); e++, p++) {
+ for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) {
if (p[0] == '%' && p[1] == 'm') {
const char *errstr;
if (error < 0 || error >= sys_nerr)
@@ -289,13 +291,15 @@
else
errstr = sys_errlist[error];
if (errstr)
- strcpy(e, errstr);
+ strcpy(q, errstr);
else
- sprintf(e, "Error %d", error);
- e += strlen(e) - 1;
+ sprintf(q, "Error %d", error);
+ len += strlen(q) - 1;
+ q += strlen(q) - 1;
p++;
}
}
+ e[maxlen-1] = '\0'; /* null terminate, to be sure */
}

@@ -401,9 +405,15 @@
checkup_mem();
#endif /* DEBUG_MEM */

- expand_error(fmt, efmt);
+ expand_error(fmt, efmt, 1024);

+ /*
+ * XXX: ptr is 1024 bytes long. It is possible to write into it
+ * more than 1024 bytes, if efmt is already large, and vargs expand
+ * as well.
+ */
vsprintf(ptr, efmt, vargs);
+ msg[1023] = '\0'; /* null terminate, to be sure */

ptr += strlen(ptr);
if (ptr[-1] == '\n')
Index: amq_subr.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- amq_subr.c 1999/01/13 20:03:54 1.3
+++ amq_subr.c 1999/09/07 23:07:03 1.4
@@ -204,11 +204,24 @@
int *
amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp)
{
- static int rc;
- char *s = *(amq_string *) argp;
+ static int rc = EINVAL;
+ char s[AMQ_STRLEN];
char *cp;
+ char dq[20];
+ struct sockaddr_in *sin;
+
+ if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) {
+ plog(XLOG_ERROR, "amu_svc_getcaller returned NULL");
+ return &rc;
+ }
+
+ strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1);
+ s[AMQ_STRLEN-1] = '\0'; /* null terminate, to be sure */
+ plog(XLOG_ERROR,
+ "amq requested mount of %s from %s.%d",
+ s, inet_dquad(dq, sin->sin_addr.s_addr),
+ ntohs(sin->sin_port));

- plog(XLOG_INFO, "amq requested mount of %s", s);
/*
* Minimalist security check.
*/

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities