Date: 17 September 1999
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-1999.146 -- CERT Advisory CA-99-12
Buffer Overflow in amd
17 September 1999
===========================================================================
The CERT Coordination Centre has released the following advisory concerning
a buffer overflow in the Berkeley Automounter Daemon, amd. Remote users
may execute arbitrary code with the privilege of the amd daemon on
vulnerable systems. This vulnerability may allow remote users to gain root
access.
This vulnerability has been previously reported in the Red Hat specific
advisory RHSA-1999:032-01 (AusCERT ESB-1999.126).
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-99-12 Buffer Overflow in amd
Original release date: September 16, 1999
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Systems running amd, the Berkeley Automounter Daemon
I. Description
There is a buffer overflow vulnerability in the logging facility of
the amd daemon.
This daemon automatically mounts file systems in response to attempts
to access files that reside on those file systems. Similar
functionality on some systems is provided by a daemon named
automountd.
Systems that include automounter daemons based on BSD 4.x source code
may also be vulnerable. A vulnerable implementation of amd is included
in the am-utils package, provided with many Linux distributions.
II. Impact
Remote intruders can execute arbitrary code as the user running the
amd daemon (usually root).
III. Solution
Install a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
We will update the appendix as we receive more information. If you do
not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact your vendor directly.
We will update this advisory as more information becomes available.
Please check the CERT/CC Web site for the most current revision.
Disable amd
If you are unable to apply a patch for this problem, you can disable
the amd daemon to prevent this vulnerability from being exploited.
Disabling amd may prevent your system from operating normally.
Appendix A. Vendor Information
BSDI
BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has
been configured. The amd daemon is not started if it has not been
configured locally. Mods (M410-017 for 4.0.1 and M310-057) are
available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web
site at http://www.bsdi.com/support/patches
Compaq Computer Corporation
Not vulnerable
Data General
DG/UX is not vulnerable to this problem.
Erez Zadok (am-utils maintainer)
The latest stable version of am-utils includes several important
security fixes. To retrieve it, use anonymous ftp for the following
URL
ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/
The MD5 checksum of the am-utils-6.0.1.tar.gz archive is
MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999
The simplest instructions to build, install, and run am-utils are as
follows:
1. Retrieve the package via FTP.
2. Unpack it:
$ gunzip am-utils-6.0.1.tar.gz
$ tar xf am-utils-6.0.1.tar
If you have GNU tar and gunzip, you can issue a single command:
$ tar xzf am-utils-6.0.1.tar.gz
3. Build it:
$ cd am-utils-6.0.1
$ ./buildall
This would configure and build am-utils for installation in
/usr/local. If you built am-utils in the past using a different
procedure, you may repeat that procedure instead. For example, to
build am-utils using shared libraries and to enable debugging, use
either:
$ ./buildall -Ds -b
or
$ ./configure --enable-debug=yes --enable-shared --disable-static
You may run "./configure --help" to get a full list of available
options. You may run "./buildall -H" to get a full list of options
it offers. The buildall script is a simple wrapper script that
configures and builds am-utils for the most common desired
configurations.
4. Install it:
$ make install
This would install the programs, scripts, libraries, manual pages,
and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.
5. Run it.
Assuming you have an Amd configuration file in /etc/amd.conf, you
can simply run:
$ /usr/local/sbin/ctl-amd restart
That will stop the older running Amd, and start a new one. If you
use a different Amd start-up script, you may use it instead.
FreeBSD
Please see the FreeBSD advisory at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd
.asc
for information on patches for this problem.
Fujitsu
This vulnerability is still under investigation by Fujitsu.
Hewlett-Packard Company
HP is not vulnerable.
IBM Corporation
AIX is not vulnerable. It does not ship the am-utils package.
OpenBSD
OpenBSD is not vulnerable.
RedHat Inc.
RedHat has released a security advisory on this topic. It is available
from our ftp server at:
http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html
SCO Unix
No SCO products are vulnerable.
SGI
SGI does not distribute am-utils in either IRIX or UNICOS operating
systems.
Sun Microsystems, Inc.
SunOS - All versions are not vulnerable.
Solaris - All versions are not vulnerable.
_________________________________________________________________
The CERT Coordination Center would like to thank Erez Zadok, the
maintainer of the am-utils package, for his assistance in preparing
this advisory.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-99-12-amd.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Revision History
Sep 16, 1999: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBN+E6AHVP+x0t4w7BAQHwJQP7B+ghNLVt5h9LGkALYqnL1jBz5557fpmo
6z4ylqHfyHTqXdmjKL89ZhaxkpowvSOTpsAvcWyks+6aRjM0tNeNHc0Omlwt26sW
fULp0NC1QZxoD7sK/9gJXxjulMPobDw/9MGtoKJi/snSwL7T7LDElz/6MrtII+0l
vJ/ECkjL4JQ=
=lGut
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBN+dwPSh9+71yA2DNAQGCaQP6A226hqRxHqETvcSs03j58RyzLjBW9d9r
UwRXl1V8A+4uB+1Uy5bkMjesH22+q9ftC79OZcvnos7zI5Y7rCiG4I40cqDu/Rtj
VY07UQBGe6RgQLO2dz1kUHQEyx+ioEWq3MWiyB6F4j2Qfq6+3WVFSV1+Csp9Osyj
Bphd3YG4L7c=
=wXdg
-----END PGP SIGNATURE-----
|