There is an integer overflow present in the xdr_array()
function that is distributed as part of Sun Microsystems
XDR library. This leads to remotely exploitable buffer
overflows in multiple applications, leading to the execution
of arbitrary code.
Multiple vendors have included the vulnerable code in
their own implementations.
The XDR (external data representation) libraries are
used to provide platform-independent methods for sending
data from one system process to another, typically over
a network connection.
The xdr_array() function in the XDR library contains
an integer flow that can lead to improperly sized dynamic
As the XDR library is used by various vendors in a variety
of applications, the flaw can lead to numerous security
issues. The vulnerability can lead to denial of service,
execution of arbitrary code, or the disclosure of sensitive
information. Some specific impacts reported include
the ability to execute arbitrary code with root privileges
(by exploiting dmispd, rpc.cmsd, or kadmind). Intruders
who exploit the XDR overflow in MIT KRB5 kadmind may
be able to gain control of a Key Distribution Center
(KDC) and improperly authenticate to other services.
Some applications using vulnerable implementations of
SunRPC-derived XDR libraries.
Microsystems network services library (libnsl)
libraries with XDR/RPC routines (libc)
C library with SunRPC (glibc)
The libraries can be used by multiple applications on
most systems. It may be imperative to upgrade or apply
multiple patches and then recompile statically linked
applications. Applications that are statically linked
must be recompiled using patched libraries. Applications
that are dynamically linked do not need to be recompiled;
however running services need to be restarted in order
to use the patched libraries.
For more details check sunsolve.sun.com/security
horse version of OpenSSH
It has been reported that some copies of the source
code for the OpenSSH package have been modified by an
intruder and contain a Trojan horse.
The following files were modified to include the malicious
openssh - 3 . 4pl . tar . gz
openssh - 3 . 4 . tgz
openssh - 3 . 2 . 2pl . tar . gz
The Trojan horse versions of OpenSSH contain malicious
code that is run when the software is compiled. This
code connects to a fixed remote server on 6667/tcp.
It can then open a shell running as the user who compiled
OpenSSH. Anyone who has installed OpenSSH from the OpenBSD
ftp server or any mirror within that time frame should
consider his system compromised. The Trojan allows the
attacker to gain control of the system as the user compiling
the binary. Arbitrary commands can be executed.
OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been infected
on the OpenBSD ftp server and potentially propagated
via the normal mirroring process to other ftp servers.
Sites that have downloaded a copy of the OpenSSH distribution
need to verify the authenticity of their distribution,
regardless of where it was obtained.
You can use the MD5 checksums to verify the integrity
of your OpenSSH source code distribution.
Vendor specific patches are available at their respective
Both the OpenSSH in the base NetBSD system, and the
OpenSSH distribution files available from ftp.netbsd.org
have not been compromised with this trojan code.
NetBSD mirror sites that retrieve their copy from ftp.netbsd.org,
are also unaffected.
Nortel Networks products and solutions are not affected
by the vulnerabilities identified.
IBM's AIX operating system does not ship with OpenSSHOpenSSH
is available for installation on AIX via the Linux Affinity
Toolkit. The packages currently available on the website
do not contain the trojan code. It has been verified
that the OpenSSH packages were generated from clean
source packages from the OpenSSH organization.