FreeBSD Security Advisories
2003-Aug-03 17:04 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================FreeBSD-SA-03:08.realpath Security Advisory The FreeBSD Project Topic: Single byte buffer overflow in realpath(3) Category: core Module: libc Announced: 2003-08-03 Credits: Janusz Niewiadomski <funkysh@isec.pl>, Wojciech Purczynski <cliph@isec.pl>, CERT/CC Affects: All releases of FreeBSD up to and including 4.8-RELEASE and 5.0-RELEASE FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0) 2003-08-03 23:43:43 UTC (RELENG_4_8) 2003-08-03 23:44:12 UTC (RELENG_4_7) 2003-08-03 23:44:36 UTC (RELENG_4_6) 2003-08-03 23:44:56 UTC (RELENG_4_5) 2003-08-03 23:45:41 UTC (RELENG_4_4) 2003-08-03 23:46:03 UTC (RELENG_4_3) 2003-08-03 23:47:39 UTC (RELENG_3) FreeBSD only: NO I. Background The realpath(3) function is used to determine the canonical, absolute pathname from a given pathname which may contain extra ``/'' characters, references to ``/./'' or ``/../'', or references to symbolic links. The realpath(3) function is part of the FreeBSD Standard C Library. II. Problem Description An off-by-one error exists in a portion of realpath(3) that computes the length of the resolved pathname. As a result, if the resolved path name is exactly 1024 characters long and contains at least two directory separators, the buffer passed to realpath(3) will be overwritten by a single NUL byte. III. Impact Applications using realpath(3) MAY be vulnerable to denial of service attacks, remote code execution, and/or privilege escalation. The impact on an individual application is highly dependent upon the source of the pathname passed to realpath, the position of the output buffer on the stack, the architecture on which the application is running, and other factors. Within the FreeBSD base system, several applications use realpath(3). Two applications which are negatively impacted are: (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to process the MLST and MLSD commands. [lukemftpd(8) is not built or installed by default.] (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process chdir commands. In both of the cases above, the realpath(3) vulnerability may be exploitable, leading to arbitrary code execution with the privileges of the authenticated user. This is probably only of concern on otherwise `closed' servers, e.g. servers without shell access. At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained the following applications which appear to use realpath(3). These applications have not been audited, and may or may not be vulnerable. There may be additional applications in the FreeBSD Ports Collection that use realpath(3), particularly statically-linked applications and applications added since 4.8-RELEASE. BitchX-1.0c19_1 Mowitz-0.2.1_1 XFree86-clients-4.3.0_1 abcache-0.14 aim-1.5.234 analog-5.24,1 anjuta-1.0.1_1 aolserver-3.4.2 argus-2.0.5 arm-rtems-gdb-5.2_1 avr-gdb-5.2.1 ccache-2.1.1 cdparanoia-3.9.8_4 cfengine-1.6.3_4 cfengine2-2.0.3 cmake-1.4.7 comserv-1.4.3 criticalmass-0.97 dedit-0.6.2.3_1 drweb_postfix-4.29.10a drweb-4.29.2 drweb_sendmail-4.29.10a edonkey-gui-gtk-0.5.0 enca-0.10.7 epic4-1.0.1_2 evolution-1.2.2_1 exim-3.36_1 exim-4.12_5 exim-ldap-4.12_5 exim-ldap2-4.12_5 exim-mysql-4.12_5 exim-postgresql-4.12_5 fam-2.6.9_2 fastdep-0.15 feh-1.2.4_1 ferite-0.99.6 fileutils-4.1_1 finfo-0.1 firebird-1.0.2 firebird-1.0.r2 frontpage-5.0.2.2623_1 galeon-1.2.8 galeon2-1.3.2_1 gdb-5.3_20030311 gdb-5.2.1_1 gdm2-2.4.1.3 gecc-20021119 gentoo-0.11.34 gkrellmvolume-2.1.7 gltron-0.61 global-4.5.1 gnat-3.15p gnomelibs-1.4.2_1 gprolog-1.2.16 gracula-3.0 gringotts-1.2.3 gtranslator-0.43_1 gvd-1.2.5 hercules-2.16.5 hte-0.7.0 hugs98-200211 i386-rtems-gdb-5.2_1 i960-rtems-gdb-5.2_1 installwatch-0.5.6 ivtools-1.0.6 ja-epic4-1.0.1_2 ja-gnomelibs-1.4.2_1 ja-msdosfs-20001027 ja-samba-2.2.7a.j1.1_1 kdebase-3.1_1 kdelibs-3.1 kermit-8.0.206 ko-BitchX-1.0c16_3 ko-msdosfs-20001027 leocad-0.73 libfpx-1.2.0.4_1 libgnomeui-2.2.0.1 libpdel-0.3.4 librep-0.16.1_1 linux-beonex-0.8.1 linux-divxplayer-0.2.0 linux-edonkey-gui-gtk-0.2.0.a.2002.02.22 linux-gnomelibs-1.2.8_2 linux-mozilla-1.2 linux-netscape-communicator-4.8 linux-netscape-navigator-4.8 linux-phoenix-0.3 linux_base-6.1_4 linux_base-7.1_2 lsh-1.5.1 lukemftpd-1.1_1 m68k-rtems-gdb-5.2_1 mips-rtems-gdb-5.2_1 mod_php4-4.3.1 moscow_ml-2.00_1 mozilla-1.0.2_1 mozilla-1.2.1_1,2 mozilla-1.2.1_2 mozilla-1.3b,1 mozilla-1.3b mozilla-embedded-1.0.2_1 mozilla-embedded-1.2.1_1,2 mozilla-embedded-1.3b,1 msyslog-1.08f_1 netraider-0.0.2 openag-1.1.1_1 openssh-portable-3.5p1_1 openssh-3.5 p5-PPerl-0.23 paragui-1.0.2_2 powerpc-rtems-gdb-5.2_1 psim-freebsd-5.2.1 ptypes-1.7.4 pure-ftpd-1.0.14 qiv-1.8 readlink-20010616 reed-5.4 rox-1.3.6_1 rox-session-0.1.18_1 rpl-1.4.0 rpm-3.0.6_6 samba-2.2.8 samba-3.0a20 scrollkeeper-0.3.11_8,1 sh-rtems-gdb-5.2_1 sharity-light-1.2_1 siag-3.4.10 skipstone-0.8.3 sparc-rtems-gdb-5.2_1 squeak-2.7 squeak-3.2 swarm-2.1.1 tcl-8.2.3_2 tcl-8.3.5 tcl-8.4.1,1 tcl-thread-8.1.b1 teTeX-2.0.2_1 wine-2003.02.19 wml-2.0.8 worker-2.7.0 xbubble-0.2 xerces-c2-2.1.0_1 xerces_c-1.7.0 xnview-1.50 xscreensaver-gnome-4.08 xscreensaver-4.08 xworld-2.0 yencode-0.46_1 zh-cle_base-0.9p1 zh-tcl-8.3.0 zh-tw-BitchX-1.0c19_3 zh-ve-1.0 zh-xemacs-20.4_1 IV. Workaround There is no generally applicable workaround. OpenSSH's sftp-server(8) may be disabled by editing /etc/ssh/sshd_config and commenting out the following line by inserting a `#' as the first character: Subsystem sftp /usr/libexec/sftp-server lukemftpd(8) may be replaced by the default ftpd(8). V. Solution 1) Upgrade your vulnerable system to 4.8-STABLE or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches dated after the respective correction dates. 2) To patch your present system: a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. The following patch has been tested to apply to all FreeBSD 4.x releases and to FreeBSD 5.0-RELEASE. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your operating system as described in <URL:http://www.freebsd.org/doc/handbook/makeworld.html>. NOTE WELL: Any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_3 src/lib/libc/stdlib/realpath.c 1.6.2.1 RELENG_4_3 src/UPDATING 1.73.2.28.2.32 src/lib/libc/stdlib/realpath.c 1.9.4.1 src/sys/conf/newvers.sh 1.44.2.14.2.22 RELENG_4_4 src/UPDATING 1.73.2.43.2.45 src/lib/libc/stdlib/realpath.c 1.9.6.1 src/sys/conf/newvers.sh 1.44.2.17.2.36 RELENG_4_5 src/UPDATING 1.73.2.50.2.44 src/lib/libc/stdlib/realpath.c 1.9.8.1 src/sys/conf/newvers.sh 1.44.2.20.2.28 RELENG_4_6 src/UPDATING 1.73.2.68.2.42 src/lib/libc/stdlib/realpath.c 1.9.10.1 src/sys/conf/newvers.sh 1.44.2.23.2.31 RELENG_4_7 src/UPDATING 1.73.2.74.2.14 src/lib/libc/stdlib/realpath.c 1.9.12.1 src/sys/conf/newvers.sh 1.44.2.26.2.13 RELENG_4_8 src/UPDATING 1.73.2.80.2.3 src/lib/libc/stdlib/realpath.c 1.9.14.1 src/sys/conf/newvers.sh 1.44.2.29.2.2 RELENG_5_0 src/UPDATING 1.229.2.14 src/lib/libc/stdlib/realpath.c 1.11.2.1 src/sys/conf/newvers.sh 1.48.2.9 - ------------------------------------------------------------------------- VII. References <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt> <URL:http://www.kb.cert.org/vuls/id/743092> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/LaFvFdaIBMps37IRAoO6AJ4zTutkdp69fekZGR1AcZTr4/HdVgCeK6v3 u9B/doXT8ns+tkXTCb7DX7M=oS/F -----END PGP SIGNATURE-----
At 17:04 03/08/2003 -0700, you wrote:>V. Solution >2) To patch your present system: >a) Download the relevant patch... >b) Apply the patch... >c) Recompile your operating system...I hesitate to suggest that people leave their systems unpatched for longer than absolutely necessary, but there *will* be binary patches available for 4.7-RELEASE and 4.8-RELEASE -- as soon as I finish building them (ETA about 17 hours). This only applies to people who performed a binary install of FreeBSD 4.7 or 4.8 ***and have not recompiled the world locally***. Affected applications which were statically linked to the vulnerable code would still need to be recompiled. Once the binary updates are available, FreeBSD Update (security/freebsd-update in the ports tree) will be able to fetch and install them; I'll send another email to this list after they've been built, signed, and uploaded. Colin Percival
FreeBSD Security Advisories wrote:> > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================> FreeBSD-SA-03:08.realpath Security Advisory > The FreeBSD Project > > Topic: Single byte buffer overflow in realpath(3)Hi! I do not see fix for RELENG_4 not in this advisory nor in the Repo. Please MFC to RELENG_4 too. Eugene Grosbein.
Christoph Moench-Tegeder
2003-Aug-04 01:50 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
## Eugene Grosbein (eugen@grosbein.pp.ru):> > Topic: Single byte buffer overflow in realpath(3) > Hi! I do not see fix for RELENG_4 not in this advisory nor in the Repo. > Please MFC to RELENG_4 too.: Affects: All releases of FreeBSD up to and including 4.8-RELEASE : and 5.0-RELEASE : FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I guess rev. 1.9.2.1 of realpath.c fixed the problem more or less by accident. Regards, Christoph -- Antivirus-software is protection for people against yesterdays threats. Antivirus-software is protection for moronic users against themselves. Antivirus-software is crap. I say we kill the users and be done with it. -- kh@telecomplus.dk
[My keyboard got stuck with the control key down, so I think a partially written copy of this got sent a moment ago; please disregard it.] At 10:10 04/08/2003 +0100, Chris Howells wrote:>On Monday 04 August 2003 08:54, Colin Percival wrote: > > Affected applications which were statically linked to the vulnerable > > code would still need to be recompiled. > >I'm just trying to work out which applications on my system are statically >linked or not.I'm sure someone else can offer better suggestions, but I'm just doing the following: $ sh -c 'find / -type f -perm +111 | while read x; do file $x; done | grep "statically linked" | cut -f 1 -d ":"' Colin Percival
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:>Affects: All releases of FreeBSD up to and including 4.8-RELEASE > and 5.0-RELEASE > FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC...>V. Solution > >1) Upgrade your vulnerable system to 4.8-STABLE >or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8 >(4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches >dated after the respective correction dates.I found the reference to RELENG_5_1 in the "Solutions" section but no reference to 5.1-RELEASE in the "Affects" section somewhat confusing. This is compounded by the failure to mention RELENG_5_0 in the "Solutions" section. I gather that 5.1-RELEASE is not vulnerable due to the realpath() rewrite in 1.14. May I suggest that in future, when a release is not vulnerable due to code rewrites or similar, this fact be explicitly mentioned. IMHO, it's far better to err on the side of caution when dealing with security issues. Peter
On Sun, 2003-08-03 at 19:04, FreeBSD Security Advisories wrote:> 2) To patch your present system: > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. The following patch > has been tested to apply to all FreeBSD 4.x releases and to FreeBSD > 5.0-RELEASE. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc > > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patchIs it just me or is the patch referenced above wrong? I followed the instructions above but the patch failed: ##### snip ###### # cd /usr/src-all/current/src # Where my "/usr/src" lives # patch < /tmp/realpath.patch Hmm... Looks like a new-style context diff to me... The text leading up to this was: -------------------------- |Index: lib/libc/stdlib/realpath.c |==================================================================|RCS file: /home/ncvs/src/lib/libc/stdlib/realpath.c,v |retrieving revision 1.9 |diff -c -c -r1.9 realpath.c |*** lib/libc/stdlib/realpath.c 27 Jan 2000 23:06:50 -0000 1.9 |--- lib/libc/stdlib/realpath.c 3 Aug 2003 17:21:20 -0000 -------------------------- Patching file lib/libc/stdlib/realpath.c using Plan A... Hunk #1 failed at 138. 1 out of 1 hunks failed--saving rejects to lib/libc/stdlib/realpath.c.rej done ##### snip ###### realpath.c.rej contains the entire patch: ##### snip ###### *************** *** 138,144 **** rootd = 0; if (*wbuf) { ! if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) { errno = ENAMETOOLONG; goto err1; } --- 138,145 ---- rootd = 0; if (*wbuf) { ! if (strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 > ! MAXPATHLEN) { errno = ENAMETOOLONG; goto err1; } ##### snip ###### I wasn't really surprised that it failed since it looks like it should apply to crypto/openssh/openbsd-compat/realpath.c rather than lib/libc/stdlib/realpath.c. I assume (from the CVS logs) that cvsup has taken care of the libc version for me. Does the openssh file need to be patched too? -Ben
Jacques A. Vidrine
2003-Aug-04 14:32 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
On Mon, Aug 04, 2003 at 11:17:18PM +0200, Troels Holm wrote:> Jacques A. Vidrine wrote: > >> Does the openssh file need to be patched too? > > > > No, it is not used. > > But it states in the advisory that "sftp-server" is negatively > impacted....And its a part of OpenSSH. > Or did I get you wrong?The realpath.c that is distributed with OpenSSH-portable and found in our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is not used. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Jacques A. Vidrine wrote:> The realpath.c that is distributed with OpenSSH-portable and found in > our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is > not used.Just for the record :=) What u say is that the advisory is in error and my "sftp-server" is _not_ affected? Or are you just saying that sftp isnt using the realpath.c from OpenSSH? Thanks, -- Troels Holm
Jacques A. Vidrine
2003-Aug-04 15:20 UTC
FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
On Tue, Aug 05, 2003 at 12:10:14AM +0200, Troels Holm wrote:> Jacques A. Vidrine wrote: > > The realpath.c that is distributed with OpenSSH-portable and found in > > our CVS tree as /usr/src/crypto/openssh/openbsd-compat/realpath.c is > > not used. > > Just for the record :=) > What u say is that the advisory is in error and my "sftp-server" is _not_ > affected? Or are you just saying that sftp isnt using the realpath.c from > OpenSSH?The latter. sftp-server *is* affected, just as it says in the advisory. But OpenSSH as bundled with FreeBSD uses realpath(3) from libc, not from src/crypto/openssh/openbsd-compat/realpath.c, and so (in answer to the question by a previous poster) that file does not need patching. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Jacques A. Vidrine
2003-Aug-04 15:35 UTC
IMPORTANT FOR lukemftpd USERS (was Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath)
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to > process the MLST and MLSD commands. [lukemftpd(8) is not built or > installed by default.][...]> the realpath(3) vulnerability may be > exploitable, leading to arbitrary code execution with the privileges > of the authenticated user. This is probably only of concern on > otherwise `closed' servers, e.g. servers without shell access.[...] I have a correction to make regarding the above text. In the case of lukemftpd (and lukemftpd only), in some situations the vulnerability may be used to execute code with _superuser privileges_. If lukemftpd is NOT invoked with `-r', then it does NOT completely drop privileges when a user logs in. Thus, a successful exploit will be able to regain superuser privileges. Conversely, if lukemftpd IS invoked with `-r', then the original advisory text above applies. The example usage for lukemftpd that was in /etc/inetd.conf prior to 5.1-RELEASE included the `-r' flag, but there is no longer an example in 5.1-RELEASE. I don't think there was ever an example entry for 4.x. I would normally immediately publish a revised advisory with this additional information, however lukemftpd is neither built nor installed by default. Since that is the case, I will probably wait a few days before revision in case further useful information comes to light. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
At 00:54 04/08/2003 -0700, I wrote: > Once the binary updates are available, FreeBSD Update >(security/freebsd-update in the ports tree) will be able to fetch and >install them; I'll send another email to this list after they've been >built, signed, and uploaded. Binary patches can now be installed via FreeBSD Update for any systems with a binary install of 4.7-RELEASE or 4.8-RELEASE which have not have any system binaries rebuilt or replaced locally (except by FreeBSD Update). With a recent copy of the ports tree: 1. cd /usr/ports/security/freebsd-update/ && make all install 2. cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf 3. /usr/local/sbin/freebsd-update fetch 4. /usr/local/sbin/freebsd-update install In FreeBSD 4.7, the following binaries were affected by this security advisory: /bin/mv /bin/pwd /bin/realpath /sbin/kldconfig /sbin/mount /sbin/mount_cd9660 /sbin/mount_ext2fs /sbin/mount_fdesc /sbin/mount_kernfs /sbin/mount_linprocfs /sbin/mount_mfs /sbin/mount_msdos /sbin/mount_nfs /sbin/mount_ntfs /sbin/mount_null /sbin/mount_nwfs /sbin/mount_portal /sbin/mount_procfs /sbin/mount_smbfs /sbin/mount_std /sbin/mount_umap /sbin/mount_union /sbin/mountd /sbin/newfs /sbin/umount /usr/bin/make /usr/lib/libc.a /usr/lib/libc.so.4 /usr/lib/libc_p.a /usr/lib/libc_pic.a /usr/lib/libc_r.a /usr/lib/libc_r.so.4 /usr/lib/libc_r_p.a /usr/libexec/lukemftpd /usr/libexec/sftp-server /usr/sbin/config /usr/sbin/pkg_add /usr/sbin/sshd In FreeBSD 4.8, the same binaries were affected, with the exception of /sbin/mount_kernfs (no longer installed), /usr/bin/make (no longer uses realpath), and /usr/libexec/lukemftpd (no longer installed). Colin Percival
Mike Hoskins wrote:>... but I can also see KISS. If you add more data than >absolutely needed, confusion may also arise... > >> I think that if one takes the `Affects' lines (and the rest of the >> advisory) at face value, without second-guessing, that it is crystal >> clear what versions of FreeBSD are affected.Along those lines it might be worth moving Affects: to the top of advisories page format, ahead of Credits:, Announced:, Module:, and Category:. A "REL-Advisories" list would also be helpful to those of us who don't use beta releases (aka -STABLE). -- Roger Marquis Roble Systems Consulting http://www.roble.com/
Maybe Matching Threads
- FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
- FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
- Checking realpath file up to date
- remotely exploitable vulnerability in lukemftpd / tnftpd
- OpenSSH: multiple vulnerabilities in the new PAM code