2.9 Notable Vulnerabilities
This section describes examples of notable buffer overflow vulnerabilities resulting from incorrect string handling. Many well-known incidents, including the Morris worm and the W32.Blaster.Worm, were the result of buffer overflow vulnerabilities.
Many UNIX systems provide the rlogin program. The rlogin program establishes a remote login session from its user's terminal to a remote host computer. The rlogin program passes the user's current terminal definition as defined by the TERM environment variable to the remote host computer. Many implementations of the rlogin program contained an unbounded string copy— copying the TERM environment variable into an array of 1024 characters declared as a local, stack variable. This buffer overflow can be exploited to smash the stack and execute arbitrary code with root privileges.
CERT Advisory CA-1997-06 "Vulnerability in rlogin/term," released on February 6, 1997 describes this issue.16 Larry Rogers provides an in-depth description of the rlogin buffer overflow vulnerability [Rogers 98].
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.17
A vulnerability exists in the Kerberos 4 compatibility code contained within the MIT Kerberos 5 source distributions. This vulnerability allows a buffer overflow in the krb_rd_req() function, which is used by all Kerberosauthenticated services that use Kerberos 4 for authentication. This vulnerability is described further in the following:
- Buffer Overrun Vulnerabilities in Kerberos
- CERT Advisory CA-2000-06 "Multiple Buffer Overflows in Kerberos Authenticated Services"
- CERT vulnerability Note VU#24030 "Multiple Buffer Overflows in Kerberos Authenticated Services"
It is possible for an attacker to gain root access over the network by exploiting this vulnerability. This vulnerability is notable not only because of the severity and impact, but also because it represents the all too common case of vulnerabilities appearing in products that are supposed to improve the security of a system.
The metamail package is one of the first widely adopted packages developed to handle Multipurpose Internet Mail Extensions (MIME) data, and includes a number of programs for handling various MIME types. Although it is mostly historic, it is still in wide deployment in many environments. Two buffer overflows resulting from incorrect use of strcpy() have been discovered in the metamail code. These buffer overflows could allow a remote attacker to execute arbitrary code on a vulnerable system. An attacker may be able to exploit these vulnerabilities via a specially crafted e-mail message.
The first buffer overflow vulnerability occurs when a message has encoded non-ASCII characters in the mail headers and the substring that indentifies the character set is overly long. The cause of this problem is a strcpy() statement in the function PrintHeader() in metamail.c.
The second buffer overflow vulnerability appears in the splitmail executable that's generated when you compile the metamail package. This overflow occurs when a message has an overly long subject header. It is caused by a bad strcpy() statement in the function ShareThisHeader() in splitmail.c. This vulnerability is described further in:
- Secunia Advisory SA10908 "Metamail Message Parsing System Compromise Vulnerabilities"
- CERT Vulnerability Note VU#513062 "Metamail Contains Multiple Buffer Overflow Vulnerabilities"
Successful exploitation allows execution of arbitrary code on a user's system. The vulnerabilities affect version 2.7 and prior. Proof-of-concept exploit code has been published for this vulnerability.
While this vulnerability did not result in a CERT advisory, it is notable because it is a strcpy() vulnerability that was not discovered and reported until 2004—16 years after the Morris Worm.