[ SOURCE: http://www.secureroot.com/security/advisories/9641778632.html ]



              Advisory on OSF/DCE Denial of Service Attack

                          October 23, 1997



   It has been discovered that OSF/DCE has a potential problem in the

   security server that could allow for a denial of service attack.



PROBLEM:

   If a principal, group, or organization is greater than 1024 characters

   (including the cell name, so the actual name limit is less than 1024)

   when passed to security daemon (secd), it will cause secd core dump.

   The buffer is overrun causing memory corruption.  In certain cases,

   the lookup attempt (or add or whatever) on the client will then

   rebind to another secd to make the request, eventually crashing

   all security daemons in the cell.



HOW TO AVOID:

   This potential denial of service attack has existed in all releases

   of OSF/DCE to date.  The Open Group sent a notification to all current

   DCE support licensees providing the following fix.  The Open Group is

   in the process of incorporating a fix for this defect to all future DCE

   maintenance releases.  The end-users may ask their DCE vendors for

   such a fix.



SOURCE CODE FIX:

   The quick fix is the following:

   In rsdb_name_util.c, the "rsdb_name_util_complete_name" routine

   should perform the following check after the ustrncpy.



   /* Retrieve the name_key record of the given domain directory.  */

   if(!check_domain(domain)) {

       SET_STATUS(st, sec_rgy_bad_domain);

       return false;

   }



   rsdb_util_get_key_of_id(domain, START_OF_LIST,

                            (Pointer)&name_key, &name_key_len);

   ustrncpy(complete_name, name_key.name, name_key.name_len);

   complete_name[name_key.name_len] = '\0';

   #ifdef FIX

      if (object_name_len < 1     ||

         object_name_len + name_key.name_len + 1 > sec_rgy_name_t_size - 1)

      {

          return false;

      }

   #endif /* FIX */



   if(object_name_len > 0) {

       ustrcat(complete_name, "/");

       ustrcat(complete_name, object_name);

   }

   return true;



CONTACT INFORMATION:



  The Open Group DCE Systems Engineering



  The Open Group

  11 Cambridge Center,

  Cambridge, MA 02142



  Telephone:  +1 617 621 8990

  E-mail:     dce-support-admin@opengroup.org





========================FORWARDED TEXT ENDS HERE=============================



Editor's NOTE:  



        CERT/CC has received information that the Silicon Graphics, Inc. 

        implementation of OSF/DCE is vulnerable to this denial of

        service attack.  For more information, please see Silicon Graphics

        Inc. Security Advisory, "OSF/DCE Denial of Service Attack", Number:

        19980601-01-PX, issued on June, 16 1998:



              http://www.sgi.com/Support/security/advisories.html