-----Original Message-----
From: CERT Advisory <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, September 16, 1999 9:54 PM
Subject: CERT Advisory CA-99.12 - Buffer Overflow in amd
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-99-12 Buffer Overflow in amd
>
> Original release date: September 16, 1999
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
>Systems Affected
>
> * Systems running amd, the Berkeley Automounter Daemon
>
>I. Description
>
> There is a buffer overflow vulnerability in the logging facility of
> the amd daemon.
>
> This daemon automatically mounts file systems in response to attempts
> to access files that reside on those file systems. Similar
> functionality on some systems is provided by a daemon named
> automountd.
>
> Systems that include automounter daemons based on BSD 4.x source code
> may also be vulnerable. A vulnerable implementation of amd is included
> in the am-utils package, provided with many Linux distributions.
>
>II. Impact
>
> Remote intruders can execute arbitrary code as the user running the
> amd daemon (usually root).
>
>III. Solution
>
>Install a patch from your vendor
>
> Appendix A contains information provided by vendors for this advisory.
> We will update the appendix as we receive more information. If you do
> not see your vendor's name, the CERT/CC did not hear from that vendor.
> Please contact your vendor directly.
>
> We will update this advisory as more information becomes available.
> Please check the CERT/CC Web site for the most current revision.
>
>Disable amd
>
> If you are unable to apply a patch for this problem, you can disable
> the amd daemon to prevent this vulnerability from being exploited.
> Disabling amd may prevent your system from operating normally.
>
>Appendix A. Vendor Information
>
>BSDI
>
> BSD/OS 4.0.1 and 3.1 are both vulnerable to this problem if amd has
> been configured. The amd daemon is not started if it has not been
> configured locally. Mods (M410-017 for 4.0.1 and M310-057) are
> available via ftp from ftp://ftp.bsdi.com/bsdi/patches or via our web
> site at http://www.bsdi.com/support/patches
>
>Compaq Computer Corporation
>
> Not vulnerable
>
>Data General
>
> DG/UX is not vulnerable to this problem.
>
>Erez Zadok (am-utils maintainer)
>
> The latest stable version of am-utils includes several important
> security fixes. To retrieve it, use anonymous ftp for the following
> URL
>
> ftp://shekel.mcl.cs.columbia.edu/pub/am-utils/
>
> The MD5 checksum of the am-utils-6.0.1.tar.gz archive is
>
> MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999
>
> The simplest instructions to build, install, and run am-utils are as
> follows:
> 1. Retrieve the package via FTP.
> 2. Unpack it:
>       $ gunzip am-utils-6.0.1.tar.gz
>       $ tar xf am-utils-6.0.1.tar
>    If you have GNU tar and gunzip, you can issue a single command:
>       $ tar xzf am-utils-6.0.1.tar.gz
> 3. Build it:
>       $ cd am-utils-6.0.1
>       $ ./buildall
>    This would configure and build am-utils for installation in
>    /usr/local. If you built am-utils in the past using a different
>    procedure, you may repeat that procedure instead. For example, to
>    build am-utils using shared libraries and to enable debugging, use
>    either:
>       $ ./buildall -Ds -b
>    or
>       $ ./configure --enable-debug=yes --enable-shared --disable-static
>    You may run "./configure --help" to get a full list of available
>    options. You may run "./buildall -H" to get a full list of options
>    it offers. The buildall script is a simple wrapper script that
>    configures and builds am-utils for the most common desired
>    configurations.
> 4. Install it:
>       $ make install
>    This would install the programs, scripts, libraries, manual pages,
>    and info pages in /usr/local/{sbin,bin,lib,man,info}, etc.
> 5. Run it.
>    Assuming you have an Amd configuration file in /etc/amd.conf, you
>    can simply run:
>       $ /usr/local/sbin/ctl-amd restart
>    That will stop the older running Amd, and start a new one. If you
>    use a different Amd start-up script, you may use it instead.
>
>FreeBSD
>
> Please see the FreeBSD advisory at
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:06.amd.asc
>
> for information on patches for this problem.
>
>Fujitsu
>
> This vulnerability is still under investigation by Fujitsu.
>
>Hewlett-Packard Company
>
> HP is not vulnerable.
>
>IBM Corporation
>
> AIX is not vulnerable. It does not ship the am-utils package.
>
>OpenBSD
>
> OpenBSD is not vulnerable.
>
>RedHat Inc.
>
> RedHat has released a security advisory on this topic. It is available
> from our ftp server at:
>
> http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html
>
>SCO Unix
>
> No SCO products are vulnerable.
>
>SGI
>
> SGI does not distribute am-utils in either IRIX or UNICOS operating
> systems.
>
>Sun Microsystems, Inc.
>
> SunOS - All versions are not vulnerable.
>
> Solaris - All versions are not vulnerable.
> _________________________________________________________________
>
> The CERT Coordination Center would like to thank Erez Zadok, the
> maintainer of the am-utils package, for his assistance in preparing
> this advisory.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-99-12-amd.html
> ______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To be added to our mailing list for advisories and bulletins, send
> email to [EMAIL PROTECTED] and include SUBSCRIBE
> your-email-address in the subject of your message.
>
> Copyright 1999 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information can be
> found in
>
> http://www.cert.org/legal_stuff.html
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Revision History
>Sep 16, 1999: Initial release
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBN+E6AHVP+x0t4w7BAQHwJQP7B+ghNLVt5h9LGkALYqnL1jBz5557fpmo
>6z4ylqHfyHTqXdmjKL89ZhaxkpowvSOTpsAvcWyks+6aRjM0tNeNHc0Omlwt26sW
>fULp0NC1QZxoD7sK/9gJXxjulMPobDw/9MGtoKJi/snSwL7T7LDElz/6MrtII+0l
>vJ/ECkjL4JQ=
>=lGut
>-----END PGP SIGNATURE-----
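
Added example, not part of the advisory or of am-utils: a shell check that parses the BSD-style "MD5 (file) = digest" line quoted in the am-utils vendor entry and unpacks the tarball (step 2) only when the local file's digest matches. The function names are illustrative, and it assumes one of md5sum, md5 or openssl is installed.

```shell
#!/bin/sh
# Added example: verify a download against a BSD-style checksum line
# before unpacking it. Function names are illustrative, not from am-utils.

# Checksum line exactly as published in the advisory.
ADVISORY_LINE='MD5 (am-utils-6.0.1.tar.gz) = ac33a4394d30efb4ca47880cc5703999'

# Print the hex MD5 of a file using whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        echo "no MD5 tool found" >&2; return 2
    fi
}

# Extract the file name / digest from "MD5 (name) = hex"; empty if malformed.
line_name() {
    printf '%s\n' "$1" | sed -n 's/^MD5 (\(.*\)) = [0-9A-Fa-f]\{32\}$/\1/p'
}
line_digest() {
    printf '%s\n' "$1" |
        sed -n 's/^MD5 (.*) = \([0-9A-Fa-f]\{32\}\)$/\1/p' | tr 'A-F' 'a-f'
}

# verify_download LINE FILE -> 0 match, 1 mismatch, 2 cannot check.
verify_download() {
    want=$(line_digest "$1"); name=$(line_name "$1")
    [ -n "$want" ] && [ -n "$name" ] || { echo "malformed checksum line" >&2; return 2; }
    [ "$(basename "$2")" = "$name" ] || { echo "line is for $name, not $2" >&2; return 2; }
    [ -f "$2" ] || { echo "missing file: $2" >&2; return 2; }
    got=$(md5_of "$2") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK $2"
    else
        echo "MISMATCH $2: got $got, expected $want" >&2
        return 1
    fi
}

# Given a path, unpack only if the digest matches the advisory's value.
if [ "$#" -eq 1 ]; then
    verify_download "$ADVISORY_LINE" "$1" && gunzip -c "$1" | tar xf -
fi
```

MD5 is the only digest the advisory publishes; a match confirms the file agrees with this text, but MD5 is no longer collision-resistant.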