{"vuid":"VU#516825","idnumber":"516825","name":"Integer overflow in Sun RPC XDR library routines","keywords":["Sun","Solaris","integer overflow","XDR library","xdrmem_getbytes()","xdrmem_","RPC"],"overview":"The XDR library from Sun Microsystems is a widely used implementation for RPC services. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations. Some implementations of standard functions in this API may contain an integer overflow.","clean_desc":"The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. Some memory allocation routines in the XDR library provided by Sun Microsystems contain an integer overflow that can lead to improperly sized dynamic memory allocation. The length of the allocated buffer is interpreted as a signed integer, whereas the callers interpret the length as an unsigned integer. The xdrmem_getbytes() function is one example of where the flaw may occur. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdrmem_getbytes() function is used. Other functions in the xdrmem_*() family may suffer from an identical error. Researchers at eEye Digital Security discovered this vulnerability and have also published an advisory. This vulnerability is similar to, but distinct from, VU#192995.","impact":"Because Sun RPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Furthermore, because RPC services often run as root on affected systems, this vulnerability may be leveraged to gain remote root access on vulnerable systems.","resolution":"Apply a patch from the vendor. Several vendors of relevant or derived implementations have released patches to address this vulnerability; please see the vendor section of this document for further details.","workarounds":"Workarounds: Disable access to vulnerable services or applications. Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdrmem_*() functions. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.","sysaffected":"","thanks":"Thanks to Riley Hassell of \neEye Digital Security\n for reporting this vulnerability.","author":"This document was written by Chad R Dougherty and Jeffrey S Havrilla.","public":["http://www.eeye.com/html/Research/Advisories/AD20030318.html","http://www.ietf.org/rfc/rfc1831.txt","http://www.ietf.org/rfc/rfc1832.txt"],"cveids":["CVE-2003-0028"],"certadvisory":"CA-2003-10","uscerttechnicalalert":null,"datecreated":"2003-03-20T16:15:43Z","publicdate":"2003-03-18T00:00:00Z","datefirstpublished":"2003-03-19T19:20:39Z","dateupdated":"2004-02-11T16:37:36Z","revision":33,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"1","cam_exploitation":"0","cam_internetinfrastructure":"14","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"10","cam_attackeraccessrequired":"15","cam_scorecurrent":"12.0234375","cam_scorecurrentwidelyknown":"27.253125","cam_scorecurrentwidelyknownexploited":"43.284375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.0234375,"vulnote":null}