COMMAND

    rdist

SYSTEMS AFFECTED

    Berkeley Software Design, Inc. (BSDI)
    Digital UNIX (Compaq)
    FreeBSD, Inc.
    IBM Corporation
    Silicon Graphics Inc. (SGI)
    Sun Microsystems, Inc.

PROBLEM

    The following information is mostly based on the CERT  advisory.
    The rdist program is a UNIX operating system utility used to
    distribute files from one host to another.  On some systems,
    rdist opens network connections using a privileged port as the
    source port.  Binding a privileged port requires root privileges,
    and to attain these privileges rdist on such systems is installed
    set-user-id root.

    A new vulnerability has been found in some set-user-id root
    implementations of rdist.  The vulnerability lies in the function
    expstr(), where macros supplied as arguments are expanded using
    sprintf(), which places no bound on the length of the expansion.
    An over-long macro value therefore overwrites stack frames, and a
    carefully constructed one can redirect execution into pre-crafted
    native machine code.  If the appropriate machine code is supplied,
    an attacker can execute arbitrary programs (such as a shell) with
    set-user-id root privileges.
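    The following is an added illustration of the sprintf() pattern
    described above and of a bounded rewrite of it.  It is not rdist's
    source: the function names, the PATHLEN buffer size, the "/tmp/"
    prefix and the try_expand() wrapper are assumptions made for this
    illustration, and the 8200-byte macro value only mirrors the size
    used in the Digital demonstration below.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size stack buffer for an expanded pathname. rdist's real
 * buffer sizes differ; this value is an assumption for the illustration. */
#define PATHLEN 1024

/* Vulnerable pattern (illustrative, not rdist's code): the macro value is
 * formatted into a fixed-size buffer with sprintf(), which has no idea how
 * large the buffer is. A value longer than the buffer overwrites whatever
 * follows it on the stack. It is only ever called here with short input. */
static void expand_unbounded(char *out, const char *prefix, const char *value)
{
    sprintf(out, "%s%s", prefix, value);   /* no bound on strlen(value) */
}

/* Hardened pattern: snprintf() is bounded by the buffer size, and its return
 * value tells us whether the expansion would have fit. Refuse rather than
 * silently truncate; returns 0 on success, -1 for "pathname too long". */
static int expand_bounded(char *out, size_t outsz, const char *prefix,
                          const char *value)
{
    int n = snprintf(out, outsz, "%s%s", prefix, value);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Pre-check equivalent to the bound snprintf() enforces: would the expansion
 * (prefix + value + terminating NUL) exceed a PATHLEN buffer? */
static int would_overflow(const char *prefix, const char *value)
{
    return strlen(prefix) + strlen(value) + 1 > PATHLEN;
}

/* Constructed macro value: 8200 'a' characters, as produced by
 * perl -e 'print "a" x 8200' in the Digital demonstration. */
static const char *big_macro(void)
{
    static char big[8201];
    memset(big, 'a', 8200);
    big[8200] = '\0';
    return big;
}

/* Assumed helper so the bounded expansion can be exercised with a local
 * PATHLEN buffer; returns expand_bounded()'s result. */
static int try_expand(const char *value)
{
    char buf[PATHLEN];
    return expand_bounded(buf, sizeof buf, "/tmp/", value);
}

int main(void)
{
    char buf[PATHLEN];

    expand_unbounded(buf, "/tmp/", "short");     /* safe only because input is short */
    printf("unbounded expansion of a short value: %s\n", buf);
    printf("8200-byte macro would overflow a %d-byte buffer: %d\n",
           PATHLEN, would_overflow("/tmp/", big_macro()));
    printf("bounded expansion of the 8200-byte macro returns: %d\n",
           try_expand(big_macro()));
    return 0;
}
```

    The unbounded version is what turns a long command-line macro into
    a write past the end of a stack buffer; the bounded version is the
    shape of the fix, and the explicit length check is what the
    "Pathname too long" message in the Digital output corresponds to
    when it is applied before, not after, the copy.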

    On systems with a vulnerable copy of rdist, anyone with access to
    a local account can gain root access.  Exploitation of this bug
    is completely straightforward, although the script included with
    the /usr/bin/mh/inc entry will need to be modified for Digital
    UNIX (see 'mh' in the Digital section).  This buffer overflow
    exists on all versions of Digital Unix from 4.0 up through 4.0D
    with patch kit #3.

SOLUTION

    If your system is vulnerable  and you need the functionality  that
    rdist provides, you  should install a  vendor patch (if  any - see
    below).   Until  you  can  do  so,  you  may  want to use a freely
    available version of rdist that  does not need to be  installed as
    set-user-id  root  and  is,  therefore,  not  susceptible  to  the
    exploitation described here.   So, if you  need the  functionality
    that rdist  provides but  a patched  version is  not yet available
    from  your  vendor,  consider  installing  rdist-6.1.3,  which  is
    freely available from:

        ftp://usc.edu/pub/rdist/rdist-6.1.3.tar.gz

    The following command will find all files on a system that:

        - are only in the file system you name (FILE_SYSTEM_NAMES -xdev)
        - are regular files (-type f)
        - are owned by root (-user root)
        - have "rdist" as a component of the name (-name '*rdist*')
        - are setuid (-perm -04000)

    find FILE_SYSTEM_NAMES -xdev -type f -user root \
             -name '*rdist*' -perm -04000 -exec ls -l '{}' \; \
             -ok chmod 0500 '{}' \;

    Once found, those files will

        - have their names and details printed (-exec ls -l '{}')
        - have the setuid mode removed (making the file available only
          to root) but only if you type `y' in response to the  prompt
          (-ok chmod 0500 '{}' \;)

    Below is a list of vendors who reported in the CERT advisory that
    their systems ARE vulnerable.

    Berkeley Software Design, Inc. (BSDI)
    =====================================
        BSDI shipped a patch for  this for our 2.1 release  (U210-018)
        when  the  original  Bugtraq  advisory  was released.  The 3.0
        version of rdist  is not vulnerable  and in fact  is no longer
        even setuid.

    Digital, Inc.
    =============
        Lamont Granquist proved, despite Digital's official claims to
        the contrary, that the vulnerability is present:

        % /usr/bin/rdist -d bleh=`perl -e 'print "a" x 8200'` -c /tmp/ '${bleh}'
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        rdist: line 1: Pathname too long
        Segmentation fault

        (Again, you need to do this from a reasonably recent version of
        tcsh which will not choke on `perl -e 'print "a" x 8200'` with
        a "Word too long" error.)  Digital is aware of this problem
        and is working on patches.

    FreeBSD, Inc.
    =============
        2.1.0 is vulnerable.
        2.1.5, 2.1.6, 2.1.7 and 2.1-stable are not.  In any case,
        upgrading to 2.1.7 or, even better, 2.1-stable should be
        considered.  If there is demand, we'll release a patch for
        2.1.0.
        All 2.2 releases, 2.2-stable and FreeBSD-current are not
        vulnerable.


    IBM Corporation
    ===============
        All versions of  AIX are vulnerable  to this buffer  overflow.
        There is  no 3.2  fix.   It is  recommended that 3.2 customers
        upgrade  to  a  higher  level.   The  following  APARs will be
        available for AIX version 4 soon.

        AIX 3.2:  upgrade to 4.1.5 or higher
        AIX 4.1:  IX70876
        AIX 4.2:  IX70875


    Silicon Graphics Inc. (SGI)
    ===========================
        At this time, still investigating.


    Sun Microsystems, Inc.
    ======================
        We are producing patches.