Lucene search

K

nfr.sof.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 39 Views

Vulnerability in NFR 2.0.2 allows remote attackers to gain management privileges.

Show more
Code
`Date: Tue, 16 Feb 1999 14:19:15 -0800  
From: Security Research Labs <[email protected]>  
To: [email protected]  
Subject: NAI Security Advisory: Vulnerability in NFR 2.0.2-Research  
  
  
=======================================================================  
  
Network Associates, Inc.  
SECURITY ADVISORY  
February 16, 1999  
  
EMERGENCY RELEASE  
  
Stack Overflow in NFR Web Server  
  
=======================================================================  
  
SYNOPSIS  
  
An implementation fault in the Network Flight Recorder network forensics  
system makes it possible for a remote attacker to obtain system management  
privileges on boxes running NFR in a standard configuration. Information  
sufficient to construct working exploits for this problem is publicly  
available.  
  
=======================================================================  
  
VULNERABLE HOSTS  
  
This problem has been confirmed and is known to be exploitable on hosts  
running Network Flight Recorder's NFR 2.0.2-Research release. Because  
source code is publicly available for this software, it is possible to  
confirm vulnerability to this problem by inspecting the source used to  
build an installation of NFR on an arbitrary host. Details on how to do  
this, as well as how to immediately resolve this problem, appear later in  
this document.  
  
=======================================================================  
  
DETAILS  
  
The Network Flight Recorder custom web server is used to present an HTTP  
front-end to the NFR system. By default, the web server is called "webd",  
and is bound to TCP port 2001. In the absence of external network access  
control, arbitrary remote attackers can conduct transactions with the NFR  
web server.  
  
Due to an implementation fault in "webd", it is possible for a remote  
attacker to formulate an HTTP transaction that will cause the web server  
to overflow an automatic variable on the stack. By overwriting activation  
records stored on the stack, it is possible to force a transfer of control  
into arbitrary instructions provided by the attacker in the HTTP  
transaction, and thus gain total control of the web server process.  
  
In a default installation, "webd" runs as the unprivileged "nfr" user.  
Thus, this attack does not grant an attacker immediate system management  
capabilities. However, in a standard installation of NFR, program binaries  
that are run by the superuser are owned by the "nfr" user. An attacker  
that has gained access to the "nfr" user via the web server can backdoor  
these files to gain root privileges when NFR is restarted.  
  
=======================================================================  
  
TECHNICAL DETAILS  
  
Source code for the NFR system is publicly available under license from  
the NFR web site. This advisory makes reference to the source code in the  
NFR 2.0.2 Research release from Wed Jan 27 1999.  
  
The vulnerability discussed in this advisory occurs as a result of  
"webd"'s processing of the HTTP "POST" command. POST requests are handled  
in "nfr/webd/cmdpost.c". Regardless of the configuration of the NFR  
web server, the vulnerable POST handling code is exposed to remote  
attackers.  
  
The HTTP commands handled by the NFR web server are listed in the command  
table, which is located in "nfr/webd/ctab.c". The command table maps HTTP  
command names to function handlers. The function handler for "POST"  
commands which reference programs in the root directory of the web  
server is defined as "cmd_postbltin()", which is defined in "cmdpost.c".  
  
In order to process the POST command, the function handler attempts to  
read MIME headers for the POST data from the HTTP client. This is handled  
in "getpostdata()", also defined in "cmdpost.c". Among the headers  
recognized by the code is "Content-length", which defines the amount of  
data the client is sending the server in the POST transaction.  
  
Unfortunately, the MIME header recognition code does not sanity check the  
value given as the Content-length. It is possible for an attacker to  
specify an arbitrary Content-length header, which will be trusted by the  
server as valid input.  
  
After parsing MIME headers, the web daemon attempts to read as many bytes  
as the client specified in the Content-length header into an 8k buffer,  
named "buf", which is an automatic buffer in cmd_postbltin(). If the  
attacker specifies more than 8192 bytes of data in the header, the  
additional data will overwrite the stack frame for cmd_postbltin(),  
allowing the attacker to take over the web daemon process.  
  
Note that in some operating systems, causing a single read() to return  
more than 8192 bytes is difficult; this problem may not be easily  
exploited on these systems. This problem is known to be exploitable  
against 4.4BSD Unix operating systems running NFR. This is the recommended  
NFR platform.  
  
=======================================================================  
  
RESOLUTION  
  
It is recommended that vulnerable users of NFR contact NFR immediately for  
a patch to this problem. In the absence of an available patch, the source  
code can be edited and rebuilt to resolve the problem by adding bounds  
checking to cmd_getpostbltin() or getpostdata().  
  
NFR has announced the release of a patch that will correct this problem on  
February 16, 1999. This patch, which updates NFR to revision 2.0.3, should  
be available at the NFR website at http://www.nfr.com.  
  
=======================================================================  
  
CREDITS  
  
Analysis and documentation of this problem was conducted by the Security  
Labs at Network Associates. This vulnerability was discovered, and NFR  
notified, on Wednesday, January 27, 1999.  
  
=======================================================================  
  
ABOUT THE NETWORK ASSOCIATES SECURITY LABS  
  
The Security Labs at Network Associates hosts some of the most important  
research in computer security today. With over 30 published security  
advisories published in the last 2 years, the Network Associates security  
auditing teams have been responsible for the discovery of many of the  
Internet's most serious security flaws. This advisory represents our  
ongoing commitment to provide critical information to the security  
community.  
  
For more information about the Security Labs at Network Associates,  
see our website at http://www.nai.com or contact us at <[email protected]>.  
  
=======================================================================  
  
  
NETWORK ASSOCIATES SECURITY LABS PGP KEY  
  
-----BEGIN PGP PUBLIC KEY BLOCK-----  
Version: PGP 5.5.5  
  
mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc  
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB  
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS  
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs  
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp  
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs  
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp  
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P  
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx  
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu  
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB  
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC  
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W  
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC  
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh  
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB  
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst  
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn  
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky  
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA  
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG  
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl  
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p  
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4  
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V  
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ  
=L3C6  
-----END PGP PUBLIC KEY BLOCK-----  
  
-----------------------------------------------------------------------------  
  
Date: Tue, 16 Feb 1999 16:48:26 -0500  
From: Deborah Greenberg Lidl <[email protected]>  
To: [email protected]  
Subject: NFR Version 2.0 Research: Patch 3 Now Available  
  
Network Flight Recorder announces the release of the following patch:  
  
Patch Number Applies to Product  
------------ ------------------  
2.0-p3 NFR Version 2.0.2 Research  
  
The REAMDE for the patch is included below. The patch is available as  
a patch file which can be applied to NFR Version 2.0.2 Research, and  
as a complete distribution. Both versions are available from  
  
http://www.nfr.net/downloads/  
  
If you have questions about this or other patches, send e-mail to  
[email protected].  
  
--------  
  
NFR Version 2.0 Patch 3  
(nfr-2.0-p3-research.tar)  
  
Apply to:  
  
NFR Version 2.0.2 Research  
  
Recommended Uses:  
  
This security patch is recommended for all users of NFR  
Version 2.0.2.  
  
Applying This Patch:  
  
1. Download the patch and place it in the following directory:  
  
~nfr/nfr-2.0.2-research/nfr  
  
2. Untar and apply the patch:  
  
% cd ~nfr/nfr-2.0.2-research/nfr  
% tar -xvf nfr-2.0-p3-research.tar  
% patch -p0 < patch2.0.3  
  
3. Recompile NFR, using fixmake, make, and make install, as  
described in the "Getting Started Guide."  
  
The patch program on some versions of Solaris sometimes fails  
silently when applying patches. If the patch process does  
not work on your Solaris machine, download and install the  
complete distribution (nfr-2.0.2-research-src.tar.Z).  
  
Contents:  
  
This patch is distributed as a tar file, which contains these  
files:  
  
README.PATCH this file  
patch2.0.3 the patch file  
  
Fixes:  
  
- webd: Buffer overruns in the Web server have been fixed. This fix  
addresses a problem recently discussed on the NFR users mailing  
list. Because buffer overruns can be used to bypass the security of  
software systems, NFR recommends installing this patch to improve the  
security of your NFR system.  
  
- webd: The Web server now does a better job at reading all input.  
This fix addresses a problem, discussed on the NFR users mailing  
list, in which certain browsers on certain operating systems did  
not receive all of the data from the Web server.  
  
- alertd: The alert system no longer creates a storm of forked process  
when a remote NFR system has lots of alerts queued and cannot  
contact the central NFR system. While this code is not exercised  
in the research version of the NFR software, the fix is included in  
this patch to the research version to maintain consistency in  
common sections of the code base.  
  
Deborah  
--  
Deborah Greenberg Lidl Network Flight Recorder  
Director of Communications and Product Management  
[email protected] Phone: 1.301.765.7945  
http://www.nfr.net Fax: 1.301.765.7946  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 Aug 1999 00:00Current
0.1Low risk
Vulners AI Score0.1
39
.json
Report