Bugzilla – Bug 1037559
VUL-0: CVE-2017-8779: rpcbind,libtirpc: rpcbomb: remote rpcbind denial-of-service
Last modified: 2019-02-01 11:15:21 UTC
via oss-sec

From: Guido Vranken <guidovranken@gmail.com>
Subject: [oss-security] rpcbomb: remote rpcbind denial-of-service

This vulnerability allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote rpcbind host, and the memory is never freed unless the process crashes or the administrator halts or restarts the rpcbind service.

Attacking a system is trivial; a single attack consists of sending a specially crafted payload of around 60 bytes through a UDP socket.

This can slow down the system’s operations significantly or prevent other services (such as a web server) from spawning processes entirely.

An extensive write-up can be found here:
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Exploit + patches:
https://github.com/guidovranken/rpcbomb/
Created attachment 723770 [details]
rpcbomb.rb

QA REPRODUCER:

ps auxw|grep rpcbind

note down virtual memory used

ruby rpcbomb.rb localhost 9999999999

ps auxw|grep rpcbind

note down virtual memory used.

BEFORE:
rpc        477  0.0  0.0 11243712  1516 ?   Ss   Mär02   0:06 /sbin/rpcbind -w -f
... jumps to ...
rpc        477  0.0  0.0 13997752  1516 ?   Ss   Mär02   0:06 /sbin/rpcbind -w -f

The amount should not be much higher than before
Created attachment 723772 [details]
rpcbind_patch.txt

Created attachment 723773 [details]
libtirpc_patch.txt
The patches look sane. As far as I can tell, the central portion of the patch is in xdr_bytes(). Maybe it would make sense to verify that the code in glibc doesn't suffer from the same problem (which would then affect older SLES releases that didn't have libtirpc yet).
I am only waiting for a CVE, but you could already submit fixed packages.
As for glibc, the RPC code looks different. I do not spot any of the above patch patterns, so it is very hard to say. :(
Created attachment 723848 [details]
glibc-2.11.3-xdr_bytes.patch

glibc in SLE11 seems to have the same issue; here's a tentative patch.

I do not think this is a huge issue, btw. We're indeed leaking virtual memory, but we're never touching it AFAICT, so you're probably not leaking more than 2 pages worth of actual memory per RPC call.
(In reply to Marcus Meissner from comment #1)
> Created attachment 723770 [details]
> rpcbomb.rb
>
> QA REPRODUCER:
>
> ps auxw|grep rpcbind
>
> note down virtual memory used
>
> ruby rpcbomb.rb localhost 9999999999
>
> ps auxw|grep rpcbind
>
> note down virtual memory used.
>
> BEFORE:
> rpc        477  0.0  0.0 11243712  1516 ?   Ss   Mär02   0:06
> /sbin/rpcbind -w -f
> ... jumps to ...
> rpc        477  0.0  0.0 13997752  1516 ?   Ss   Mär02   0:06
> /sbin/rpcbind -w -f
>
> The amount should not be much higher than before

Is this rpcbomb intentionally innocuous? At least in my tests, it does allocate virtual memory but the system memory is kept free. After 571GB of virtual memory for rpcbind, my system (xen dom0) with 1GB of RAM was still fine.

sles12sp1:~ # ps auxw|grep rpcbind
rpc       1783  0.0  0.5 571581660  5600 ?   Ss   18:03   0:00 /sbin/rpcbind -w -f
sles12sp1:~ # free
             total       used       free     shared    buffers     cached
Mem:       1062096     511560     550536       8044        464     370412
-/+ buffers/cache:     140684     921412
Swap:      1048572          0    1048572
Yeah, it seems to be only virtual memory. The exploit only delivers a large size causing this allocation, but not the content. To fill the content it would need bigger data to be sent.

glibc is tracked in bug 1037930 separately.
This is an autogenerated message for OBS integration:
This bug (1037559) was mentioned in
https://build.opensuse.org/request/show/493468 42.2 / rpcbind
https://build.opensuse.org/request/show/493471 42.2 / libtirpc
patches submitted, closing
reassigning to security-team
SUSE-SU-2017:1306-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libtirpc-0.2.3-13.3.1
SUSE Linux Enterprise Server 12-SP1 (src): libtirpc-0.2.3-13.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libtirpc-0.2.3-13.3.1

SUSE-SU-2017:1314-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libtirpc-1.0.1-16.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libtirpc-1.0.1-16.1
SUSE Linux Enterprise Server 12-SP2 (src): libtirpc-1.0.1-16.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libtirpc-1.0.1-16.1
Created attachment 725355 [details]
Always call svc_freeargs, even if svc_getargs failed
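Added example, written for this page and not code from rpcbind, libtirpc, glibc or any of the attached patches. It shows in C the pattern the comments above point at: an xdr_bytes()-style decoder that allocates from a peer-supplied length word (the "central portion of the patch" remark), a request that carries only the size and not the content (the "only virtual memory" observation), and the difference a caller makes when it frees arguments even after a failed decode (the svc_freeargs attachment). The xdr_t cursor, xdr_bytes_leaky(), xdr_bytes_fixed(), trial() and the two sample messages are this example's own constructions, and the allocation counter stands in for what valgrind reported.

```c
/* Added example, not code from rpcbind, libtirpc, glibc or the attached patches.
 * A minimal XDR "bytes" decoder in the spirit of xdr_bytes(): the length word is
 * attacker-controlled, and the leaky variant allocates from it before checking
 * that the message actually carries that many bytes. All names and the sample
 * messages are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count live heap blocks so a leak shows up as a number, not only in valgrind. */
static int live_blocks = 0;
static void *track_calloc(size_t n) { void *p = calloc(1, n ? n : 1); if (p) live_blocks++; return p; }
static void track_free(void *p) { if (p) { free(p); live_blocks--; } }

typedef struct { const unsigned char *buf; size_t len, pos; } xdr_t;
typedef bool (*xdr_bytes_fn)(xdr_t *, unsigned char **, uint32_t *, uint32_t);

/* XDR integers are 32-bit big-endian; a length such as 9999999999 does not fit
 * and a careless client would send it truncated to 32 bits. */
static bool xdr_get_u32(xdr_t *x, uint32_t *v)
{
    if (x->len - x->pos < 4) return false;
    const unsigned char *p = x->buf + x->pos;
    *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    x->pos += 4;
    return true;
}

/* Opaque data is padded to a multiple of four bytes on the wire. */
static bool xdr_get_opaque(xdr_t *x, unsigned char *dst, uint32_t n)
{
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (x->len - x->pos < padded) return false;
    memcpy(dst, x->buf + x->pos, n);
    x->pos += padded;
    return true;
}

/* Leaky pattern: allocate from the untrusted length, then try to read the data.
 * When the read fails the block stays referenced by *cpp; a caller that skips
 * its free path after a failed decode never releases it. Only the length word
 * is needed to trigger the allocation, the payload itself is never sent. */
bool xdr_bytes_leaky(xdr_t *x, unsigned char **cpp, uint32_t *sizep, uint32_t maxsize)
{
    if (!xdr_get_u32(x, sizep) || *sizep > maxsize) return false;
    if (*cpp == NULL && (*cpp = track_calloc(*sizep)) == NULL) return false;
    return xdr_get_opaque(x, *cpp, *sizep);
}

/* Hardened pattern: refuse a length longer than the bytes still present in the
 * message before allocating, and on a later failure free what this call
 * allocated and clear *cpp, so even a caller without cleanup cannot leak it. */
bool xdr_bytes_fixed(xdr_t *x, unsigned char **cpp, uint32_t *sizep, uint32_t maxsize)
{
    if (!xdr_get_u32(x, sizep) || *sizep > maxsize) return false;
    if ((size_t)*sizep > x->len - x->pos) return false;
    bool allocated = false;
    if (*cpp == NULL) {
        if ((*cpp = track_calloc(*sizep)) == NULL) return false;
        allocated = true;
    }
    if (!xdr_get_opaque(x, *cpp, *sizep)) {
        if (allocated) { track_free(*cpp); *cpp = NULL; }
        return false;
    }
    return true;
}

/* Constructed messages: one claims 100000 bytes but carries 4, one is honest. */
static const unsigned char short_msg[] = { 0x00, 0x01, 0x86, 0xA0, 'r', 'p', 'c', 'b' };
static const unsigned char good_msg[]  = { 0x00, 0x00, 0x00, 0x04, 'r', 'p', 'c', 'b' };

/* Runs one decoder over a message. caller_frees stands in for whether the
 * service runs its svc_freeargs-style cleanup even when svc_getargs failed. */
typedef struct { bool ok; int leaked; } trial_t;
trial_t trial(xdr_bytes_fn fn, const unsigned char *msg, size_t msglen, bool caller_frees)
{
    xdr_t x = { msg, msglen, 0 };
    unsigned char *buf = NULL;
    uint32_t n = 0;
    int before = live_blocks;
    trial_t r;
    r.ok = fn(&x, &buf, &n, UINT32_MAX);
    if (caller_frees) track_free(buf);
    r.leaked = live_blocks - before;
    return r;
}

int main(void)
{
    printf("leaky, caller skips cleanup: %d leaked\n", trial(xdr_bytes_leaky, short_msg, sizeof short_msg, false).leaked);
    printf("leaky, caller always frees : %d leaked\n", trial(xdr_bytes_leaky, short_msg, sizeof short_msg, true).leaked);
    printf("fixed, caller skips cleanup: %d leaked\n", trial(xdr_bytes_fixed, short_msg, sizeof short_msg, false).leaked);
    printf("fixed, honest message      : ok=%d\n", (int)trial(xdr_bytes_fixed, good_msg, sizeof good_msg, true).ok);
    return 0;
}
```

Either fix on its own closes the leak for this input: the decoder-side check stops the allocation before it happens, and the caller-side cleanup releases a block the decoder left behind. Shipping both, as the bug's updates did, means a future decoder path that forgets to free on failure is still covered by the caller.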
SUSE-SU-2017:1328-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): rpcbind-0.2.3-23.1
SUSE Linux Enterprise Server 12-SP2 (src): rpcbind-0.2.3-23.1
SUSE Linux Enterprise Desktop 12-SP2 (src): rpcbind-0.2.3-23.1

SUSE-SU-2017:1336-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): rpcbind-0.2.1_rc4-17.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src): rpcbind-0.2.1_rc4-17.3.1
I am using 100000 bytes and it continues to increase.

==32264== 500,005 bytes in 5 blocks are definitely lost in loss record 86 of 86
==32264==    at 0x4C27FFB: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32264==    by 0x50592B9: xdr_string (xdr.c:700)
==32264==    by 0x5052805: xdr_rpcb (rpcb_prot.c:59)
==32264==    by 0x10D6A2: rpcb_service_4 (rpcb_svc_4.c:217)
==32264==    by 0x50532A8: svc_getreq_common (svc.c:681)
==32264==    by 0x505337B: svc_getreq_poll (svc.c:766)
==32264==    by 0x10E1EA: my_svc_run (rpcb_svc_com.c:1260)
==32264==    by 0x10CF1B: main (rpcbind.c:253)

I think 9999999999 is too large as the maximum is (u_int) ~0, so 0xffff.ffff and above is 0x2.540B.E3FF

(In reply to Marcus Meissner from comment #32)
> I am using 100000 bytes and it continues to increase.
>
> ==32264== 500,005 bytes in 5 blocks are definitely lost in loss record 86 of 86
> ==32264==    at 0x4C27FFB: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==32264==    by 0x50592B9: xdr_string (xdr.c:700)
> ==32264==    by 0x5052805: xdr_rpcb (rpcb_prot.c:59)
> ==32264==    by 0x10D6A2: rpcb_service_4 (rpcb_svc_4.c:217)
> ==32264==    by 0x50532A8: svc_getreq_common (svc.c:681)
> ==32264==    by 0x505337B: svc_getreq_poll (svc.c:766)
> ==32264==    by 0x10E1EA: my_svc_run (rpcb_svc_com.c:1260)
> ==32264==    by 0x10CF1B: main (rpcbind.c:253)
>
> I think 9999999999 is too large as the maximum is (u_int) ~0, so 0xffff.ffff
> and above is 0x2.540B.E3FF

Thanks, I could verify the bug and the fixes on SLES11 SP4 now.

(In reply to Andreas Schwab from comment #29)
> Created attachment 725355 [details]
> Always call svc_freeargs, even if svc_getargs failed

Thanks Andreas, I have added your patch.
openSUSE-SU-2017:1381-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
openSUSE Leap 42.2 (src): libtirpc-1.0.1-2.3.1

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-05-31.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63637

openSUSE-SU-2017:1412-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
openSUSE Leap 42.2 (src): rpcbind-0.2.3-3.3.1

SUSE-SU-2017:1468-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libtirpc-0.2.1-1.12.3
SUSE Linux Enterprise Server 11-SP4 (src): libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src): libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src): libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
This is an autogenerated message for OBS integration:
This bug (1037559) was mentioned in
https://build.opensuse.org/request/show/517662 Factory / rpcbind
reassigning to security team in order to confirm the fix and to close the bug as appropriate.
released