Title: Potential denial of service attack in the OSF/DCE security server
Released by: OPENGROUP
Date: 23rd October 1997

              Advisory on OSF/DCE Denial of Service Attack

                          October 23, 1997

   It has been discovered that OSF/DCE has a potential problem in the
   security server that could allow for a denial of service attack.

   If a principal, group, or organization name is greater than 1024
   characters (including the cell name, so the actual name limit is less
   than 1024) when passed to the security daemon (secd), it will cause
   secd to dump core.  The buffer is overrun, causing memory corruption.
   In certain cases, the lookup attempt (or add or whatever) on the client
   will then rebind to another secd to make the request, eventually
   crashing all security daemons in the cell.

   This potential denial of service attack has existed in all releases
   of OSF/DCE to date.  The Open Group sent a notification to all current
   DCE support licensees providing the following fix.  The Open Group is
   in the process of incorporating a fix for this defect into all future
   DCE maintenance releases.  End users may ask their DCE vendors for
   such a fix.

   The quick fix is the following:

   In rsdb_name_util.c, the "rsdb_name_util_complete_name" routine
   should perform the following check after the ustrncpy.

   /* Retrieve the name_key record of the given domain directory.  */
   if(!check_domain(domain)) {
       SET_STATUS(st, sec_rgy_bad_domain);
       return false;
   }

   rsdb_util_get_key_of_id(domain, START_OF_LIST,
                            (Pointer)&name_key, &name_key_len);
   ustrncpy(complete_name, name_key.name, name_key.name_len);
   complete_name[name_key.name_len] = '\0';

   #ifdef FIX
      /* Reject an empty object name, or one that would not fit in the
         buffer after the domain name and the "/" separator. */
      if (object_name_len < 1     ||
         object_name_len + name_key.name_len + 1 > sec_rgy_name_t_size - 1)
      {
          return false;
      }
   #endif /* FIX */

   if(object_name_len > 0) {
       ustrcat(complete_name, "/");
       ustrcat(complete_name, object_name);
   }

   return true;


  The Open Group DCE Systems Engineering
  The Open Group
  11 Cambridge Center,
  Cambridge, MA 02142
  Telephone:  +1 617 621 8990
  E-mail:     dce-support-admin@opengroup.org

========================FORWARDED TEXT ENDS HERE=============================
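
The length check from the quick fix, as a stand-alone C example added here (it is not OSF/DCE source). NAME_T_SIZE, name_fits and complete_name_checked are hypothetical names, and the 1025-byte buffer is an assumption derived from the 1024-character limit stated in the advisory. It goes slightly beyond the quoted check by also bounding the prefix length and by comparing with subtraction so that very large lengths cannot wrap the sum.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the name buffer holds 1024 characters plus the NUL. */
#define NAME_T_SIZE 1025

/* True when "domain/object" plus its NUL fits in NAME_T_SIZE bytes.
 * Written with subtraction so huge lengths cannot wrap the sum. */
bool name_fits(size_t domain_len, size_t object_len)
{
    if (domain_len < 1 || domain_len > NAME_T_SIZE - 3)
        return false;               /* no room left for '/' + 1 char + NUL */
    return object_len >= 1 && object_len <= NAME_T_SIZE - 2 - domain_len;
}

/* Build "domain/object" in out; on rejection out is left empty. */
bool complete_name_checked(const char *domain, size_t domain_len,
                           const char *object, size_t object_len,
                           char out[NAME_T_SIZE])
{
    out[0] = '\0';
    if (!name_fits(domain_len, object_len))
        return false;               /* check happens before any copy */
    memcpy(out, domain, domain_len);
    out[domain_len] = '/';
    memcpy(out + domain_len + 1, object, object_len);
    out[domain_len + 1 + object_len] = '\0';
    return true;
}

int main(void)
{
    static char big[2000];          /* constructed oversized object name */
    char out[NAME_T_SIZE];
    size_t lens[] = { 5, 1017, 1018, sizeof big };

    memset(big, 'A', sizeof big);
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        bool ok = complete_name_checked("person", 6, big, lens[i], out);
        printf("object_len=%4zu -> %s (result length %zu)\n",
               lens[i], ok ? "accepted" : "rejected", strlen(out));
    }
    return 0;
}
```
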

Editor's NOTE:

        CERT/CC has received information that the Silicon Graphics, Inc.
        implementation of OSF/DCE is vulnerable to this denial of
        service attack.  For more information, please see Silicon Graphics
        Inc. Security Advisory, "OSF/DCE Denial of Service Attack", Number:
        19980601-01-PX, issued on June 16, 1998:

