Microsoft Security Bulletin MS02-057
Flaw in Services for Unix 3.0 Interix SDK Could Allow Code Execution (Q329209)
Originally posted: October 02, 2002
Summary
Who should read this bulletin:
Administrators and developers who have deployed applications or utilities using the Sun [TM] Microsystems RPC library on the Services for Unix 3.0 Interix SDK.
Impact of vulnerability:
Denial of Service, run code of attacker's choice
Maximum Severity Rating:
Moderate
Recommendation:
Administrators who have deployed applications or utilities using the Sun Microsystems RPC library on the Interix SDK should apply the patch.
Affected Software:
Only applications or utilities running on the following operating systems using the Sun Microsystem RPC library on the Services for Unix 3.0 Interix SDK should consider applying the patch.
- Microsoft Windows NT4
- Microsoft Windows 2000
- Microsoft Windows XP
General Information
Technical details
Technical description:
All three vulnerabilities discussed in this bulletin involve the inclusion of the Sun RPC library in Microsoft's Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who created applications or utilities using the Sun RPC library from the Interix SDK need to evaluate three vulnerabilities.
Windows Services for UNIX (SFU) 3.0 provides a full range of cross-platform services to integrate Windows into existing UNIX environments. In version 3.0, the Interix subsystem technology is built in so that Windows Services for UNIX 3.0 can provide platform interoperability and application migration in one fully integrated and supported product from Microsoft. Developers who have integrated Windows into their existing UNIX environments may have used the Interix SDK to develop custom applications and utilities so that applications that only ran on the UNIX platform can now run in a Windows environment. Developers who used the Interix SDK to develop applications or utilities should read this bulletin.
The first vulnerability is an integer overflow in the XDR library that ships with the Sun RPC library on the Interix SDK for Microsoft's Services for Unix (SFU) 3.0. An attacker could send a malicious RPC request to the RPC server from a remote machine and cause corruption in the server program. This can cause the server to fail and potentially allow the attacker to run code of his or her choice in the context of the server program.
The second vulnerability is a buffer overrun. An attacker could send a malicious RPC request to the RPC server with an improper parameter size check. This could lead to a buffer overrun, causing the server to fail and preventing it from servicing any further requests from clients.
The third vulnerability is an RPC implementation error. An application using the Sun RPC library does not properly check the size of client TCP requests. This could result in a denial of service to a server application using the Sun RPC library. The RPC library expects client TCP requests to specify the size of the record that follows. Because there is a flaw in the way RPC detects client packets, an attacker could send a malformed RPC request to the RPC server from a remote machine and cause the server to fail by not servicing any further client requests.
After applying the patch, it is necessary to recompile any Interix application that is statically linked with the Interix SDK Sun RPC library.
Mitigating factors:
- Only applications or utilities that were created using the Interix SDK and specifically that use the Sun RPC library, would be affected by these vulnerabilities.
- If an administrator or developer has only installed the Interix SDK but has not actually created applications with the SDK that use the Sun RPC library, the systems where the SDK was installed would not be vulnerable.
Severity Rating:
| Internet Servers | Intranet Servers | Client Systems | |
|---|---|---|---|
| Interix SDK for Microsoft Services for Unix 3.0 | Moderate | Moderate | Moderate |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Even though in one of the vulnerabilities described, an attacker could run code, it is only possible to run code in the context of the application.
Vulnerability identifier:
- Integer Overflow in XDR library:CAN-2002-0391
- Improper parameter size check leading to buffer overrun:CAN-2002-1140
- RPC implementation error:CAN-2002-1141
Tested Versions:
Microsoft tested Microsoft Windows NT, Windows 2000 and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
All three vulnerabilities discussed in this bulletin involve the inclusion of the SUN RPC library in Microsoft's Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who created applications or utilities using the SUN RPC library on the Interix SDK need to evaluate the following three vulnerabilities.
What is RPC?
RPC (Remote Procedure Call) is a technology that's used extensively to support distributed applications -- that is, applications whose components are located on different computers. The primary purpose of RPC is to provide a way for the components to communicate with each other. This allows the components to levy requests on each other and communicate the results of these requests. This bulletin pertains to the Sun RPC protocol.
What is SFU?
SFU stands for Services for UNIX. Windows Services for UNIX version 3.0 provides a full range of cross-platform services for integrating Windows into existing UNIX-based environments.
To get more detailed information regarding Services for Unix, please see http://www.microsoft.com/windows/sfu/docs/sfuwp.doc
How are Microsoft Services for Unix 3.0 and Interix related?
The Interix technology provides a UNIX environment that runs on top the Windows kernel, enabling UNIX applications and scripts to run natively on the Windows platform alongside Windows applications. With this capability, an installation can continue to get value out of its UNIX scripts and applications-simply reuse them on Windows.
The key difference between Windows Services for UNIX 2.0 and 3.0 is that Microsoft Interix is fully integrated into Windows Services for UNIX 3.0. The Interix subsystem technology provides a universal environment in which to run both Windows and UNIX applications on a single system. For a technical overview of Services for UNIX 3.0 with Interix, click here.
What is the Interix SDK?
The Interix SDK, included with SFU 3.0, provides compilers, tools, libraries & debuggers for migrating applications on UNIX to run in a Windows environment.
What kinds of applications or utilities are being created using the Interix SDK?
The application might be any UNIX -based application. Largely the Interix SDK is used to support existing applications that need to be ported to the Windows platform without changing their source code. Developers seldom write applications from scratch using the Interix SDK.
Doesn't Microsoft ship applications using the Sun RPC protocol along with Services for Unix 3.0? Aren't they vulnerable?
No. Microsoft shipped Server for NFS, Server for NIS, Server for PCNFS, PortMapper and User Name Mapping Server with Services for Unix 3.0. All of these applications use the Sun RPC protocol; however none of these applications uses the Interix SDK Sun RPC library. They have been verified not to be affected by any of the vulnerabilities discussed in this bulletin.
Does the SDK go to third party partners or is it generally available?
The SUN RPC Library ships with SFU 3.0 . Services for Unix 3.0 and Interix are also bundled by some ISV's so they may be providing the SDK with their products.
How do I tell if a third party product includes SFU 3.0 and the Interix SDK?
There is no standard way to tell. If you use a 3rd party Interix server application the best thing will be to contact the vendor to verify whether the application uses the Sun RPC library from the Interix SDK.
Integer Overflow in XDR library(CAN-2002-0391):
What's the scope of this vulnerability?
There is abuffer overrun due to an overflow in a variable that contains a parameter. This parameter defines the size of an array for applications that use External Data Representation (XDR). The vulnerability can lead to a denial of service by crashing the application or running code at a higher privilege level in a server application using Sun XDR library. Sun Microsystems distributed this functionality as part of their XDR library. This library ships with Services for Unix (SFU) 3.0 on the Interix SDK.
Remote attackers could exploit this vulnerability to either cause the application to fail or to cause the execution of arbitrary code on a target server. An attacker could send a malicious RPC request to the RPC server from a remote machine. This could cause heap corruption in the server program. The heap corruption in turn could cause the server to crash, thereby preventing it from servicing further requests from other client programs. The attacker could also exploit the heap corruption to run malicious code in the context of the server program.
What causes the vulnerability?
There is a buffer overrun in a variable used by applications developed with the Sun XDR library that shipped with SFU 3.0. It is possible to overflow a variable that holds the size of an array parameter.
What are the XDR libraries?
The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another over a network connection. These libraries shipped with Services For Unix 3.0.
To learn more about XDR please refer to XDR: External Data Representation Standard.
What's wrong with the XDR libraries?
There is a function in the XDR library that contains overflow which could result in memory being improperly allocated. Because inputs are not properly checked, the misallocation of memory could lead to a buffer overflow.
Is this issue related to a CERT advisory?
Yes, this relates to VU#192995.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to send a malformed RPC request that would cause the application to either fail or to run code as system in a server application using the Sun RPC library. If an attacker were able to run code on the RPC server, the attacker would have the same privileges as the application.
How could an attacker exploit this vulnerability?
An attacker can send a malicious RPC request to the RPC server from a remote machine. This can cause the heap corruption in the server program. The heap corruption in turn can cause the server to crash, thereby preventing it from servicing further requests from other client programs.
What does the patch do?
The patch eliminates the vulnerability by properly checking inputs for the integer overflow that could lead to the denial of service or code execution.
Improper parameter size check leading to denial of service (CAN-2002-1140):
What the scope of this vulnerability?
The RPC library expects client requests be broken down into variable sized fragments, with each fragment's leading bit specifying whether it is the last fragment. The next bits specify the size of the data to follow.
The RPC library expects that client requests sent to it will be broken into variable sized fragments in a certain format. If a malicious client were to send a particular malformed fragment to a service, the RPC library would go into a "hung" state and be unable to respond to any further requests - leading to a denial of service.
Any RPC server using the Sun RPC library is vulnerable.
What causes the vulnerability?
The RPC library expects that client requests will be broken down into variable sized fragments with each fragment's leading bit specifying whether it is the last fragment. The next bits specify the size of the data to follow. There is a flaw in the RPC library that will cause the application to hang if the fragmented packets are malformed in a particular way.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause an RPC server to stop responding to client requests. In other words, this is a denial of service vulnerability.
How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by writing a program that sent malformed packets to the RPC server and caused it to be unable to service any further client requests.
Does the attacker need to be an authenticated user?
No. Anyone who can access a computer through a network could carry out this attack.
Can a TCP attack be blocked at the firewall?
An administrator could block TCP port 111 on the firewall and block a remote user from sending malformed packets to a RPC server inside the firewall.
Is there any way to recover from the denial of service?
The administrator would normally only need to restart the application. There may be cases where the specific application might require an administrator to reboot the server.
What does the patch do?
The patch eliminates the vulnerability by properly checking inputs to the RPC server.
Denial of service by sending an invalid RPC request(CAN-2002-1141):
What's the scope of this vulnerability?
The third vulnerability is an RPC implementation error. An application using the Sun RPC library does not properly check the size of client TCP requests. This could result in a denial of service to a server application using the Sun RPC library. The RPC library expects client TCP requests to specify the size of the record that follows. Because there is a flaw in the way RPC detects client packets, an attacker could send a malformed RPC request to the RPC server from a remote machine and cause the server to fail by not servicing any further client requests
What causes the vulnerability?
The RPC library expects client TCP requests to be broken how into fragments of variable sizes. Because there is a flaw in the way the RPC library performs input validation on the fragmented client packets, an attacker could cause the server to enter a state from which it could not handle client requests.
What could this vulnerability enable an attacker to do?
An attacker could create a denial of service for client requests to the RPC server and cause the server to fail.
How could an attacker exploit this vulnerability?
An attacker could write a program that invoked the RPC implementation error by sending malformed data packets to the RPC server.
Does the attacker need to be an authenticated user?
No. Anyone who can access a computer through a network could carry out this attack.
Can a TCP attack be blocked at the firewall?
An administrator could block TCP port 111 on the firewall and block a remote user from sending malformed packets to a RPC server inside the firewall.
Is there any way to recover from the denial of service?
The administrator would normally only need to restart the application. There may be cases where the specific application might require an administrator to reboot the server.
What does the patch do?
The patch corrects the RPC implementation error by detecting invalid client packets and refusing to service them.
Patch availability
Download locations for this patch This patch can be installed on any of the following platforms:
- Microsoft Windows NT4 Service Pack 6a
- Windows 2000
- Windows XP
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Windows NT4 SP6a, Windows 2000 and Windows XP. Only administrators and developers who have deployed applications or utilities using the Sun Microsystem RPC library on the Interix SDK need to apply this patch.
Inclusion in future service packs:
The fix for this issue will be included in any updates to the Sun Microsystems RPC library on the Interix SDK.
Reboot needed: No
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
- To verify that the patch has been installed on the machine, please see Knowledge Base article Q329209
which will provide information on file time stamps.
Caveats:
None
Localization:
This patch is available in English only.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Support:
- Microsoft Knowledge Base article Q329209 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (October 02, 2002): Bulletin Created.