__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                         INFORMATION BULLETIN

                  Buffer Overflow Vulnerability in amd

September 29, 1999 22:00 GMT                                     Number J-071
______________________________________________________________________________
PROBLEM:       There is a buffer overflow vulnerability in the amd daemon
               that could allow remote users to execute arbitrary code as
               root.
PLATFORM:      Systems running amd, the Berkeley Automounter Daemon.
DAMAGE:        If exploited, a remote intruder can cause a buffer overflow
               leading to a root compromise.
SOLUTION:      Apply the available vendor patch.
______________________________________________________________________________
VULNERABILITY  Risk is high. This exploit is available on the Internet and
ASSESSMENT:    can lead to a total system compromise.
______________________________________________________________________________

[Start CERT Advisory]

CERT Advisory CA-99-12 Buffer Overflow in amd

   Original release date: September 16, 1999
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

   * Systems running amd, the Berkeley Automounter Daemon

I. Description

   There is a buffer overflow vulnerability in the logging facility of the
   amd daemon. This daemon automatically mounts file systems in response
   to attempts to access files that reside on those file systems. Similar
   functionality on some systems is provided by a daemon named automountd.
   Systems that include automounter daemons based on BSD 4.x source code
   may also be vulnerable.

   A vulnerable implementation of amd is included in the am-utils package,
   provided with many Linux distributions.

II. Impact

   Remote intruders can execute arbitrary code as the user running the amd
   daemon (usually root).

III.
Solution

   Install a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

   We will update this advisory as more information becomes available.
   Please check the CERT/CC Web site for the most current revision.

   Disable amd

   If you are unable to apply a patch for this problem, you can disable the
   amd daemon to prevent this vulnerability from being exploited. Disabling
   amd may prevent your system from operating normally.

Appendix A. Vendor Information

BSDI

   BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has been
   configured. The amd daemon is not started if it has not been configured
   locally. Mods (M410-017 for 4.0.1 and M310-057 for 3.1) are available
   via ftp from

   ftp://ftp.bsdi.com/bsdi/patches

   or via our web site at

   http://www.bsdi.com/support/patches

Compaq Computer Corporation

   Not vulnerable

Data General

   DG/UX is not vulnerable to this problem.

Erez Zadok (am-utils maintainer)

   The latest stable version of am-utils includes several important
   security fixes. To retrieve it, use anonymous ftp for the following
   URL

   ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/

   The MD5 checksum of the am-utils-6.0.1.tar.gz archive is

   MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999

   The simplest instructions to build, install, and run am-utils are as
   follows:

   1. Retrieve the package via FTP.

   2. Unpack it:

        $ gunzip am-utils-6.0.1.tar.gz
        $ tar xf am-utils-6.0.1.tar

      If you have GNU tar and gunzip, you can issue a single command:

        $ tar xzf am-utils-6.0.1.tar.gz

   3. Build it:

        $ cd am-utils-6.0.1
        $ ./buildall

      This configures and builds am-utils for installation in /usr/local.
      If you built am-utils in the past using a different procedure, you
      may repeat that procedure instead.
      For example, to build am-utils using shared libraries and to enable
      debugging, use either:

        $ ./buildall -Ds -b

      or

        $ ./configure --enable-debug=yes --enable-shared --disable-static

      You may run "./configure --help" to get a full list of available
      options. You may run "./buildall -H" to get a full list of options it
      offers. The buildall script is a simple wrapper script that configures
      and builds am-utils for the most common desired configurations.

   4. Install it:

        $ make install

      This installs the programs, scripts, libraries, manual pages, and
      info pages in /usr/local/{sbin,bin,lib,man,info}, etc.

   5. Run it. Assuming you have an Amd configuration file in
      /etc/amd.conf, you can simply run:

        $ /usr/local/sbin/ctl-amd restart

      That will stop the older running Amd and start a new one. If you use
      a different Amd start-up script, you may use it instead.

FreeBSD

   Please see the FreeBSD advisory at

   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc

   for information on patches for this problem.

Fujitsu

   This vulnerability is still under investigation by Fujitsu.

Hewlett-Packard Company

   HP is not vulnerable.

IBM Corporation

   AIX is not vulnerable. It does not ship the am-utils package.

OpenBSD

   OpenBSD is not vulnerable.

RedHat Inc.

   RedHat has released a security advisory on this topic. It is available
   from our ftp server at:

   http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html

SCO Unix

   No SCO products are vulnerable.

SGI

   SGI does not distribute am-utils in either the IRIX or UNICOS operating
   systems.

Sun Microsystems, Inc.

   SunOS - All versions are not vulnerable.
   Solaris - All versions are not vulnerable.
_________________________________________________________________

   The CERT Coordination Center would like to thank Erez Zadok, the
   maintainer of the am-utils package, for his assistance in preparing
   this advisory.
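The am-utils build steps in Appendix A publish an MD5 for the tarball but leave the check to the reader. The script below is an added example, not part of the CERT/CIAC advisory and not am-utils' own code: it verifies the downloaded archive against the advisory's MD5 before unpacking and building it, and gives a helper for confirming whether an amd process is still running (useful both for the "Disable amd" workaround and after the ctl-amd restart in step 5). The function names, the "install" argument convention, and the assumption that the tarball sits in the current directory are mine; the paths, commands and checksum are the ones printed above. Note that MD5 is not collision-resistant by today's standards, and a checksum fetched from the same FTP site as the archive proves little; its value here is that the advisory carries it through a separate channel, so it catches a swapped or truncated tarball, not a determined attacker who also controls the advisory.

```shell
#!/bin/sh
# Added example: verify am-utils-6.0.1.tar.gz against the MD5 published in
# CERT CA-99-12 Appendix A, then build, install and restart amd as the
# advisory describes. Not part of the advisory or of am-utils itself.

# MD5 printed in Appendix A for am-utils-6.0.1.tar.gz.
AM_UTILS_MD5="ac33a4394d30efb4ca47880cc5703999"

# Print the hex MD5 of a file with whichever tool the host provides
# (md5sum on Linux, md5 on BSD, openssl as a last resort).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Return 0 only if FILE exists and its MD5 equals EXPECTED (case-insensitive).
verify_md5() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 1
    actual=$(md5_of "$file" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Return 0 if NAME appears as a whole line in LISTING (one command name per
# line). Split out from amd_running so it can be exercised on a constructed
# listing without depending on what is running on this host.
name_in_listing() {
    printf '%s\n' "$2" | grep -x -- "$1" >/dev/null 2>&1
}

# Return 0 if an amd process is currently running; `ps -eo comm=` is POSIX
# and prints only command basenames, so the match is exact.
amd_running() {
    name_in_listing amd "$(ps -eo comm= 2>/dev/null)"
}

# Steps 1-5 of Appendix A, refusing to unpack anything whose checksum does
# not match. Assumes the tarball has already been fetched into the current
# directory and that /etc/amd.conf exists, as the advisory does.
install_am_utils() {
    tarball="am-utils-6.0.1.tar.gz"
    if ! verify_md5 "$tarball" "$AM_UTILS_MD5"; then
        echo "checksum mismatch or missing file: $tarball" >&2
        return 1
    fi
    gunzip -c "$tarball" | tar xf - &&
    ( cd am-utils-6.0.1 && ./buildall && make install ) &&
    /usr/local/sbin/ctl-amd restart &&
    if amd_running; then echo "amd restarted"; else echo "amd not running" >&2; fi
}

# Only touch the system when invoked as `sh this.sh install`, so the file
# can be sourced for its functions without side effects.
if [ "${1:-}" = "install" ]; then
    install_am_utils
fi
```

Run it as `sh build-am-utils.sh install` from the directory holding the tarball (the file name is my choice). The checksum comparison is the only step that is safe to run anywhere; everything after it writes to /usr/local and restarts the automounter, so try it on a test host first.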
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-12-amd.html
______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in
   http://www.cert.org/legal_stuff.html

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material.
   Carnegie Mellon University does not make any warranty of any kind with
   respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Revision History

   Sep 16, 1999: Initial release

[End CERT Advisory]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT for the information
contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use
one of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or
    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person, or
    3. Send e-mail to 4498369@skytel.com, or
    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
  1. CIAC-BULLETIN for Advisories, highest priority - time critical
     information, and Bulletins, important computer security information;
  2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
     software updates, new features, distribution and availability;
  3. SPI-NOTES, for discussion of problems and solutions regarding the use
     of SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes
for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure you
are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above
address, it will also send back an information file on how to
subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-061: Lotus Notes Domino Server Denial of Service Attacks
J-062: Netscape Enterprise and FastTrack Web Servers Buffer Overflow
J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks
J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities
J-065: Wu-ftpd Vulnerability
J-066: FreeBSD File Flags and Man-In-The-Middle Attack
J-067: Profiling Across FreeBSD Exec Calls
J-068: FreeBSD Vulnerabilities in wu-ftpd and proftpd
J-069: SunOS LC_MESSAGES Environment Variable Vulnerability
J-070: Microsoft Windows 95 and 98 Telnet Client Vulnerability