
Title: Potential denial of service attack in the OSF/DCE security server
Released by: OPENGROUP
Date: 23rd October 1997


              Advisory on OSF/DCE Denial of Service Attack

                          October 23, 1997



   It has been discovered that OSF/DCE has a potential problem in the
   security server that could allow for a denial of service attack.



PROBLEM:

   If a principal, group, or organization name longer than 1024 characters
   (including the cell name, so the actual name limit is less than 1024)
   is passed to the security daemon (secd), it causes secd to dump core.
   The buffer is overrun, causing memory corruption.  In certain cases,
   the lookup attempt (or add or whatever) on the client will then
   rebind to another secd to make the request, eventually crashing
   all security daemons in the cell.



HOW TO AVOID:

   This potential denial of service attack has existed in all releases
   of OSF/DCE to date.  The Open Group sent a notification to all current
   DCE support licensees providing the following fix.  The Open Group is
   in the process of incorporating a fix for this defect into all future
   DCE maintenance releases.  End users may ask their DCE vendors for
   such a fix.



SOURCE CODE FIX:

   The quick fix is the following:

   In rsdb_name_util.c, the "rsdb_name_util_complete_name" routine
   should perform the following check after the ustrncpy.



   /* Retrieve the name_key record of the given domain directory.  */
   if(!check_domain(domain)) {
       SET_STATUS(st, sec_rgy_bad_domain);
       return false;
   }

   rsdb_util_get_key_of_id(domain, START_OF_LIST,
                            (Pointer)&name_key, &name_key_len);
   ustrncpy(complete_name, name_key.name, name_key.name_len);
   complete_name[name_key.name_len] = '\0';
   #ifdef FIX
      /* Reject an empty object name, or one that would not fit in
       * complete_name after the domain name and the "/" separator. */
      if (object_name_len < 1     ||
         object_name_len + name_key.name_len + 1 > sec_rgy_name_t_size - 1)
      {
          return false;
      }
   #endif /* FIX */

   if(object_name_len > 0) {
       ustrcat(complete_name, "/");
       ustrcat(complete_name, object_name);
   }
   return true;



CONTACT INFORMATION:



  The Open Group DCE Systems Engineering

  The Open Group
  11 Cambridge Center,
  Cambridge, MA 02142

  Telephone:  +1 617 621 8990
  E-mail:     dce-support-admin@opengroup.org





========================FORWARDED TEXT ENDS HERE=============================
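
The bounds check from the SOURCE CODE FIX above, as an added stand-alone example (not The Open Group's code): standard C calls replace ustrncpy/ustrcat, NAME_T_SIZE is an assumed stand-in for sec_rgy_name_t_size, and the function and helper names are hypothetical. It goes slightly beyond the advisory's snippet by also checking the domain part before anything is copied.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stand-in for sec_rgy_name_t_size (buffer size including NUL). */
#define NAME_T_SIZE 1025

/* Build "<domain>/<object>" in out, rejecting anything that would not fit.
 * Unlike the advisory's snippet, the checks run before any byte is copied. */
bool complete_name_checked(const char *domain, const char *object,
                           char out[NAME_T_SIZE])
{
    size_t domain_len = strlen(domain);
    size_t object_len = strlen(object);

    out[0] = '\0';
    /* Domain part must leave room for "/", one object character and NUL. */
    if (domain_len > NAME_T_SIZE - 3)
        return false;
    /* The FIX condition, rearranged as a subtraction so the sum cannot wrap. */
    if (object_len < 1 || object_len > NAME_T_SIZE - 2 - domain_len)
        return false;

    memcpy(out, domain, domain_len);
    out[domain_len] = '/';
    memcpy(out + domain_len + 1, object, object_len);
    out[domain_len + 1 + object_len] = '\0';
    return true;
}

/* Constructed input: names of the given lengths filled with 'a'. */
bool try_lengths(size_t domain_len, size_t object_len)
{
    static char domain[2 * NAME_T_SIZE], object[2 * NAME_T_SIZE];
    char out[NAME_T_SIZE];
    if (domain_len >= sizeof domain || object_len >= sizeof object)
        return false;
    memset(domain, 'a', domain_len);
    domain[domain_len] = '\0';
    memset(object, 'a', object_len);
    object[object_len] = '\0';
    return complete_name_checked(domain, object, out);
}

int main(void)
{
    printf("%d %d\n", try_lengths(10, 1013), try_lengths(10, 1014));
    return 0;
}
```

A combined length of exactly NAME_T_SIZE - 1 characters is the largest accepted value; one more character is rejected instead of overrunning the buffer.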



Editor's NOTE:  



        CERT/CC has received information that the Silicon Graphics, Inc.
        implementation of OSF/DCE is vulnerable to this denial of
        service attack.  For more information, please see Silicon Graphics
        Inc. Security Advisory, "OSF/DCE Denial of Service Attack", Number:
        19980601-01-PX, issued on June 16, 1998:

              http://www.sgi.com/Support/security/advisories.html









