NetBSD Problem Report #47615
From Wolfgang.Stukenbrock@nagler-company.com Mon Mar 4 11:31:36 2013
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id B301B63C07C
for <gnats-bugs@gnats.NetBSD.org>; Mon, 4 Mar 2013 11:31:35 +0000 (UTC)
Message-Id: <20130304113126.B2457123B93@test-s0.nagler-company.com>
Date: Mon, 4 Mar 2013 12:31:26 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: security problem with ypserv
X-Send-Pr-Version: 3.95
>Number: 47615
>Category: bin
>Synopsis: security problem with ypserv
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 04 11:35:00 +0000 2013
>Closed-Date: Tue Apr 10 22:39:04 +0000 2018
>Last-Modified: Tue Apr 10 22:39:04 +0000 2018
>Originator: Dr. W. Stukenbrock
>Release: NetBSD 5.1.2
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s0 5.1.2 NetBSD 5.1.2 (NSW-WS) #3: Fri Dec 21 15:15:43 CET 2012 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
If a request is denied by ypserv, it sends the data of a previously processed, successful request
along with the error message to the client.
This may be used to exploit the crypted passwords from the master
password yp-map by asking the server for "something" and trying to
analyse the data sent back after the error indication.
>How-To-Repeat:
The following parts, seen in a ktruss of my application, will demonstrate the problem:
I haven't fully analysed the problem (no time at the moment), but it looks like the
"garbage" information sent is not necessarily that of the last successful call to ypserv.
parent process: does a yp_match() for NU_HTTPS in netgroup.byname
24147 1 httpd sendto(0xf, 0xba6da338, 0x4c, 0, 0xba6d8008, 0x10) = 76
"\M-J@\M-{\M^^\0\0\0\0\0\0\0\^B\0\^A\M^F\M-$\0\0\0\^B\0\0\0\^C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^FWST+AG\0\0\0\0\0\bnetgroup\0\0\0\bNU_HTTPS"
24147 1 httpd pollts(0xba6d80d0, 0x1, 0xbfbfe8c0, 0xbfbfe8a0) = 1
24147 1 httpd recvfrom(0xf, 0xba6d80d8, 0x2260, 0, 0, 0) = 48
"\M-J@\M-{\M^^\0\0\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^A\0\0\0\r(-,wgstuken,)\0\0\0"
parent process: does a call to function 11 (get yp-maps as done in ypwhich)
24147 1 httpd sendto(0xf, 0xba6da338, 0x34, 0, 0xba6d8008, 0x10) = 52
"\M^Fo\^F?\0\0\0\0\0\0\0\^B\0\^A\M^F\M-$\0\0\0\^B\0\0\0\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^FWST+AG\0\0"
24147 1 httpd pollts(0xba6d80d0, 0x1, 0xbfbfe920, 0xbfbfe900) = 1
24147 1 httpd recvfrom(0xf, 0xba6d80d8, 0x2260, 0, 0, 0) = 864
"\M^Fo\^F?\0\0\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^A\0\0\0\^A\0\0\0\^Onetmasks.byaddr\0\0\0\0\^A\0\0\0\ano_mail\0\0\0\0\^A\0\0\0\^Ppublickey.byname\0\0\0\^A\0\0\0\^Tp"
parent process: start child and do exec (found master_passwd.byname and is not UID == 0)
24147 1 httpd fork() = 9916
9916 1 NC_auth_NIS_help emul(netbsd)
9916 1 NC_auth_NIS_help execve("/etc/pkg/sbin/NC_auth_NIS_helper", 0xbfbfe974, 0xbfbfee24) JUSTRETURN
child process: does the yp-maps check again
9916 1 NC_auth_NIS_help sendto(0x3, 0xbb92a338, 0x34, 0, 0xbb928008, 0x10) = 52
"\M-tYy\M-w\0\0\0\0\0\0\0\^B\0\^A\M^F\M-$\0\0\0\^B\0\0\0\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^FWST+AG\0\0"
9916 1 NC_auth_NIS_help pollts(0xbb9280d0, 0x1, 0xbfbfecd0, 0xbfbfecb0) = 1
9916 1 NC_auth_NIS_help recvfrom(0x3, 0xbb9280d8, 0x2260, 0, 0, 0) = 864
"\M-tYy\M-w\0\0\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^A\0\0\0\^A\0\0\0\^Onetmasks.byaddr\0\0\0\0\^A\0\0\0\ano_mail\0\0\0\0\^A\0\0\0\^Ppublickey.byname\0\0\0\^A\0\0\0\^T"
child process: tries to get the password (fails, because I forgot to set the setuid bit on the binary)
9916 1 NC_auth_NIS_help sendto(0x3, 0xbb92a338, 0x58, 0, 0xbb928008, 0x10) = 88
"\M-_\M-3\^W\M-C\0\0\0\0\0\0\0\^B\0\^A\M^F\M-$\0\0\0\^B\0\0\0\^C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^FWST+AG\0\0\0\0\0\^Tmaster.passwd.byname\0\0\0\bwgstuken"
9916 1 NC_auth_NIS_help pollts(0xbb9280d0, 0x1, 0xbfbfec50, 0xbfbfec30) = 1
9916 1 NC_auth_NIS_help recvfrom(0x3, 0xbb9280d8, 0x2260, 0, 0, 0) = 48
"\M-_\M-3\^W\M-C\0\0\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\M^?\M^?\M^?\M-z\0\0\0\r(-,wgstuken,)\0\0\0"
Here we have the answer of the yp_match(NU_HTTPS in netgroup.byname) again.
No other map has this entry, and "(-,wgstuken,)" is the only content of NU_HTTPS.
This call is done only by the parent process prior to the exec call.
I'm sure that no other process has requested NU_HTTPS from any system in between.
The problem may be related to a cache in ypserv that tries to avoid doing the work again if UDP packets
of the answer are lost and the request is submitted again.
Perhaps the request is not checked correctly in ypserv when retransmitting the data.
This behaviour of ypserv is reproducible. I've already seen some other data in failed requests, but
I have no trace of that available anymore.
>Fix:
Do not send any data back to client that does not belong to the current
request. (I've no time to look into ypserv at the moment - sorry.)
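Added example, not part of the report above: a small C decoder for the two 48-byte replies captured in the ktruss output (the successful netgroup.byname match and the refused master.passwd.byname match). The byte arrays are my transcription of the \M- escapes in the trace (xid bytes are irrelevant), and the header layout assumed is the standard ONC RPC accepted reply with an AUTH_NONE verifier, followed by ypresp_val (status word, then an XDR opaque). It shows the point of the report on the wire: the refused reply carries status 0xfffffffa (-6, YP_YPERR) and yet still encodes the 13-byte value "(-,wgstuken,)" from the earlier request.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded ypresp_val as it sits after the ONC RPC reply header. */
struct yp_reply {
    int32_t        stat;    /* 1 = YP_TRUE; negative = error (-6 = YP_YPERR) */
    uint32_t       val_len; /* length of the XDR opaque that follows */
    const uint8_t *val;     /* points into the caller's buffer */
    int            ok;      /* 0 if the buffer did not have the expected shape */
};

static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parses "xid, REPLY, MSG_ACCEPTED, AUTH_NONE verifier, SUCCESS" and then
 * the ypresp_val body. Anything else (or a short buffer) yields ok = 0. */
struct yp_reply parse_yp_reply(const uint8_t *buf, size_t len)
{
    struct yp_reply r = { 0, 0, NULL, 0 };
    size_t off = 0;

    if (len < 28)                               /* 7 words up to and including yp stat */
        return r;
    off += 4;                                   /* xid: not needed here */
    if (get_u32(buf + off) != 1) return r;      /* msg_type REPLY */
    off += 4;
    if (get_u32(buf + off) != 0) return r;      /* reply_stat MSG_ACCEPTED */
    off += 4;
    off += 4;                                   /* verifier flavor (AUTH_NONE) */
    if (get_u32(buf + off) != 0) return r;      /* AUTH_NONE has an empty body */
    off += 4;
    if (get_u32(buf + off) != 0) return r;      /* accept_stat SUCCESS */
    off += 4;

    r.stat = (int32_t)get_u32(buf + off);       /* ypresp_val.stat */
    off += 4;
    if (len - off < 4) return r;
    r.val_len = get_u32(buf + off);             /* opaque length, sent regardless of stat */
    off += 4;
    if (len - off < r.val_len) return r;
    r.val = buf + off;
    r.ok = 1;
    return r;
}

/* 1 if a reply reports an error yet still ships value bytes, 0 otherwise. */
int error_reply_leaks(const uint8_t *buf, size_t len)
{
    struct yp_reply r = parse_yp_reply(buf, len);
    return r.ok && r.stat < 0 && r.val_len > 0;
}

/* Transcribed from the ktruss lines in the report (constructed arrays). */
const uint8_t reply_ok[48] = {
    0xCA,0x40,0xFB,0x9E, 0,0,0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0,0,0,1, 0,0,0,13,
    '(','-',',','w','g','s','t','u','k','e','n',',',')', 0,0,0 };
const uint8_t reply_denied[48] = {
    0xDF,0xB3,0x17,0xC3, 0,0,0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0xFF,0xFF,0xFF,0xFA, 0,0,0,13,
    '(','-',',','w','g','s','t','u','k','e','n',',',')', 0,0,0 };

int main(void)
{
    struct yp_reply a = parse_yp_reply(reply_ok, sizeof reply_ok);
    struct yp_reply b = parse_yp_reply(reply_denied, sizeof reply_denied);
    printf("ok reply:     stat=%d val_len=%u \"%.*s\"\n", a.stat, a.val_len, (int)a.val_len, a.val);
    printf("denied reply: stat=%d val_len=%u \"%.*s\" leaks=%d\n", b.stat, b.val_len,
           (int)b.val_len, b.val, error_reply_leaks(reply_denied, sizeof reply_denied));
    return 0;
}
```

A client library checks the status word and never hands the value back on error, which is why the leak is invisible at the yp_match() API and only shows up in a packet or syscall trace; the same decoder applied to a raw capture is the quickest way to confirm whether a given ypserv build is affected.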
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: src/usr.sbin/ypserv/ypserv
Date: Tue, 16 Jan 2018 22:16:10 -0500
Module Name: src
Committed By: christos
Date: Wed Jan 17 03:16:10 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv: ypserv_proc.c
Log Message:
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
XXX: pullup-6,7,8
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
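The pattern the commit message describes, reconstructed as an added example in C (this is not the ypserv source, and the access policy and map contents are constructed for illustration): each svc procedure keeps one static reply struct, and on the refused path only the status word was written, so val and val_len still held whatever the previous successful call left behind. The "fixed" handler clears the struct on entry, which is what "always zero out the result structs" amounts to. The privileged-port rule for master.passwd.* is an assumption standing in for ypserv's real checks.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the NIS status codes and the ypresp_val reply (assumed
 * shapes; the real definitions live in <rpcsvc/yp_prot.h>). */
enum { YP_TRUE = 1, YP_NOKEY = -3, YP_YPERR = -6 };

struct ypresp_val {
    int          status;   /* YP_TRUE on success, negative on error */
    unsigned int val_len;  /* XDR encodes val_len bytes of val whatever status says */
    const char  *val;
};

/* Constructed two-entry map store standing in for the real NIS maps. */
static const struct { const char *map, *key, *val; } entries[] = {
    { "netgroup.byname",      "NU_HTTPS", "(-,wgstuken,)" },
    { "master.passwd.byname", "wgstuken", "wgstuken:<hash>:1000:100::0:0::/home/wgstuken:/bin/sh" },
};

static const char *lookup(const char *map, const char *key, unsigned int *len)
{
    size_t i;
    for (i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (strcmp(entries[i].map, map) == 0 && strcmp(entries[i].key, key) == 0) {
            *len = (unsigned int)strlen(entries[i].val);
            return entries[i].val;
        }
    }
    return NULL;
}

/* Assumed policy: master.passwd.* is only served to privileged source
 * ports, which is why the reporter's non-setuid helper was refused. */
static int access_allowed(const char *map, int client_port)
{
    return !(strncmp(map, "master.passwd", 13) == 0 && client_port >= 1024);
}

/* Pre-fix pattern: one static reply reused by every call; the refused
 * path sets only the status, so val/val_len are stale from the last call. */
struct ypresp_val *match_stale(const char *map, const char *key, int client_port)
{
    static struct ypresp_val res;

    if (!access_allowed(map, client_port)) {
        res.status = YP_YPERR;
        return &res;                 /* stale value goes out on the wire */
    }
    res.val = lookup(map, key, &res.val_len);
    res.status = res.val ? YP_TRUE : YP_NOKEY;
    return &res;                     /* on YP_NOKEY val_len is stale too */
}

/* Post-fix pattern: clear the reply on entry, so an error reply is only an error. */
struct ypresp_val *match_fixed(const char *map, const char *key, int client_port)
{
    static struct ypresp_val res;

    memset(&res, 0, sizeof res);
    if (!access_allowed(map, client_port)) {
        res.status = YP_YPERR;
        return &res;
    }
    res.val = lookup(map, key, &res.val_len);
    res.status = res.val ? YP_TRUE : YP_NOKEY;
    return &res;
}

typedef struct ypresp_val *(*match_fn)(const char *, const char *, int);

/* Replays the reporter's sequence: a successful netgroup.byname match, then
 * a master.passwd.byname match from an unprivileged port that is refused.
 * Returns how many value bytes the refused reply would carry; anything
 * other than 0 is data from the earlier request. (unsigned)-1 means the
 * sequence did not behave as expected. */
unsigned int stale_bytes_in_denied_reply(match_fn handler)
{
    struct ypresp_val *r;

    r = handler("netgroup.byname", "NU_HTTPS", 1001);
    if (r->status != YP_TRUE)
        return (unsigned int)-1;
    r = handler("master.passwd.byname", "wgstuken", 40123);
    if (r->status != YP_YPERR)
        return (unsigned int)-1;
    return r->val_len;
}

int main(void)
{
    printf("stale handler: %u leaked bytes in refused reply\n",
           stale_bytes_in_denied_reply(match_stale));
    printf("fixed handler: %u leaked bytes in refused reply\n",
           stale_bytes_in_denied_reply(match_fixed));
    return 0;
}
```

The general lesson for any RPC or protocol handler that reuses a static or pooled reply buffer: initialize the whole reply on every entry, not just the fields the error path happens to touch, because the serializer will encode every field regardless of which status you set.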
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-8] src/usr.sbin/ypserv/ypserv
Date: Sun, 11 Feb 2018 21:52:54 +0000
Module Name: src
Committed By: snj
Date: Sun Feb 11 21:52:54 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-8]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #542):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.17.8.1 src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-7] src/usr.sbin/ypserv/ypserv
Date: Mon, 19 Feb 2018 19:45:24 +0000
Module Name: src
Committed By: snj
Date: Mon Feb 19 19:45:23 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-7]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1566):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.16.20.1 -r1.16.20.2 src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-7-1] src/usr.sbin/ypserv/ypserv
Date: Mon, 19 Feb 2018 19:48:21 +0000
Module Name: src
Committed By: snj
Date: Mon Feb 19 19:48:20 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-7-1]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1566):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.16.20.1 -r1.16.20.1.6.1 \
src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-7-0] src/usr.sbin/ypserv/ypserv
Date: Mon, 19 Feb 2018 19:49:31 +0000
Module Name: src
Committed By: snj
Date: Mon Feb 19 19:49:31 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-7-0]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1566):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.16.20.1 -r1.16.20.1.2.1 \
src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->pending-pullups
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 10 Apr 2018 09:12:06 +0000
State-Changed-Why:
still awaiting pullup-6 #1528
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-6-0] src/usr.sbin/ypserv/ypserv
Date: Tue, 10 Apr 2018 17:44:15 +0000
Module Name: src
Committed By: snj
Date: Tue Apr 10 17:44:15 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-6-0]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1528):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18 via patch
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.10.1 src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-6-1] src/usr.sbin/ypserv/ypserv
Date: Tue, 10 Apr 2018 17:44:17 +0000
Module Name: src
Committed By: snj
Date: Tue Apr 10 17:44:17 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-6-1]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1528):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18 via patch
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.16.1 src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47615 CVS commit: [netbsd-6] src/usr.sbin/ypserv/ypserv
Date: Tue, 10 Apr 2018 17:44:19 +0000
Module Name: src
Committed By: snj
Date: Tue Apr 10 17:44:19 UTC 2018
Modified Files:
src/usr.sbin/ypserv/ypserv [netbsd-6]: ypserv_proc.c
Log Message:
Pull up following revision(s) (requested by christos in ticket #1528):
usr.sbin/ypserv/ypserv/ypserv_proc.c: 1.18 via patch
PR/47615: Dr. W. Stukenbrock: Always zero out the result structs in the
svc procs to avoid returning stale request data to the client.
To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.16.4.1 src/usr.sbin/ypserv/ypserv/ypserv_proc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Tue, 10 Apr 2018 22:39:04 +0000
State-Changed-Why:
fixed. thanks!
>Unformatted: