COMMAND

    gnuserv/XEmacs

SYSTEMS AFFECTED

    gnuserv/XEmacs prior to 3.12

PROBLEM

    Jan Vroonhof posted following.   All currently  available versions
    of  gnuserv  for  unix  prior  to  3.12  are  vulnerable to remote
    exploit due to a buffer overflow and weak security.  Gnuserv is  a
    remote control facility  for Emacsen.   Gnuserv ships with  XEmacs
    but is  also available  stand-alone from  various sources  for use
    with GNU Emacs.

    An attacker can  excute remote commands  with the uid  of the user
    that is running gnuserv.

    This problem was discovered by Klaus Frank.  Klaus provided a  fix
    as well.

    gnuserv/gnuclient  is  a  pair  of  utility  programs used to sent
    commands to  an already  running Emacs  process.   gnuserv is  the
    helper binary used  by the running  Emacs to listen  for commands.
    It  must  be  started  explicitly  using the gnuserv-start command
    (However we have seen many icons for XEmacs in UI's start  "xemacs
    -f gnuserv" so it is not always obvious to the user he is  running
    gnuserv).

    gnuserv can use several different communication mechanisms, one of
    them being a tcp port.  This can be switched off at compile  time,
    but defaults to on.  If enabled gnuserv binds to a user  specified
    TCP port, with  the default being  (21490 + uid).   Note that  (if
    enabled) gnuserv _always_ listens for TCP connections, even if one
    of the other mechanisms is normally used by the user.

    Connections on the gnuserv port are authenticated either against a
    list of trusted  hosts or using  a MIT-MAGIC-COOKIE based  system.
    (MIT-MAGIC_COOKIE authentication can be switched of, but again  is
    the default.)

    The problem lies in the  fact that the gnuserv program  trusts the
    remote sides specification  for the lenght  of the cookie  without
    any sanity checking.  This allows the attacker to:

        1. Overflow the buffer used to hold a copy of the cookie.
        2. Force the comparison of  the cookies to be restricted  to a
           prefix  of  a  length  chosen  by  him, e.g. 1 byte, making
           bruteforcing the authentication trivial.

    Both problems are sufficient to  give any attacker easy access  to
    running  arbitrary  commands  under  the  uid  of the user running
    gnuserv.

    Unfortunately gnuserv has rather  a complicated history.   gnuserv
    was origionally written  by Andy Norman  (ange).  The  problematic
    Xauth based authentication was later  added by somebody else.   As
    ange     effectively     stopped     maintaining     his   version
    (gnuserv-2.1alpha.tar.gz)  various  people  have  put up their own
    modified copies.  That  includes among others the  version shipped
    with XEmacs and fgnuserv by  Noah Friedman, which is an  easier to
    compile stand-alone version.

    After  a  recent  rewrite  the  XEmacs version the official verion
    (with permission form Andy Norman), and bumped the version  number
    to the 3.x  range.  Martin  Schwenke has made  a backport of  this
    version for use with Emacs using fgnuserv's build mecahnism.

    All of the above versions should be assumbed vulnerable, including
    those shipped with XEmacs 21.1.x for x < 14.  As a test run

        strings gnuserv | grep "gnuserv version"

    If this gives either nothing or a version below 3.12, then you are
    vulnerable.

SOLUTION

    There  is  a  seperate  fork  for  gnuserv on windows for use with
    NTEmacs.  This is not vulnerable as it uses a completely different
    communication channel.  This is, however, unconfirmed.

    A fix by Klaus Frank is in gnuserv 3.12.  If you are using  XEmacs
    we suggest upgrading to XEmacs 21.1.14 that contains this  version
    (or 21.2.43 if you  are running betas).   This version can be  had
    from

        http://www.xemacs.org/Releases/21.1.14.html

    or mirrors.

    If you are using  a standalone gnuserv with  GNU Emacs on unix  we
    suggest getting Martin Schwenkes fixed version from

        http://www.linuxcare.com.au/people/martins/hacks/emacs/src/gnuserv-3.12.1.tar.gz

    For RedHat:

        ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-21.1.14-2.62.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-el-21.1.14-2.62.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/alpha/xemacs-info-21.1.14-2.62.alpha.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/xemacs-21.1.14-2.62.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/xemacs-el-21.1.14-2.62.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/i386/xemacs-info-21.1.14-2.62.i386.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-21.1.14-2.62.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-el-21.1.14-2.62.sparc.rpm
        ftp://updates.redhat.com/powertools/6.2/sparc/xemacs-info-21.1.14-2.62.sparc.rpm