Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Universal NFS Server vulnerable to MAX_PATH buffer overflow 10 Nov. 1999    Summary It is possible to overflow NFSd's path+filename string buffer, causing the program to crash and execute arbitrary code, by creating a very large directory structure and a very long file name. When both are combined in a "DELETE FILE" command under NFSd the path+filename are larger than the buffer intended to hold them, causing a buffer overflow and potentially allowing the execution of arbitrary code.   Credit: This vulnerability was reported by: Mariusz Marcinkiewicz. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable systems: Universal NFS Server 2.2beta46 and below. Non vulnerable systems: Universal NFS Server 2.2beta47 and above. The cause of the problem is that the code relies on the total length of a path to not exceed PATH_MAX + NAME_MAX. It's not clean whether this is a common Unix problem, but it was verified on Linux. While PATH_MAX merely seems to put an upper limit on the length of a single path you can hand to a syscall (size of a page - 1, i.e. 4095), it still allows you to create files within that directory as long as you use relative names only. As to the impact of the problem, it's nasty, but the attacker will need to have a directory-exported read/write in order to exploit it (or at least to be able to impersonate a host with this kind of access). Patch: Below is a patch for 2.2beta46 that rectifies this problem. ---------------------- diff -ur nfs-server-2.2beta46/ChangeLog nfs-server-2.2beta47/ChangeLog --- nfs-server-2.2beta46/ChangeLog    Tue Sep 14 11:21:15 1999 +++ nfs-server-2.2beta47/ChangeLog    Wed Nov 10 10:17:51 1999 @@ -1,3 +1,9 @@ +Wed Nov 10 10:17:16 1999 + +    * Security fix for buffer overflow in fh_buildpath +      No thanks to Mariusz who reported it to bugtraq +      rather than me. + Wed Sep  8 09:07:38 1999     * If a host is listed by IP addr, do a reverse lookup diff -ur nfs-server-2.2beta46/auth_clnt.c nfs-server-2.2beta47/auth_clnt.c --- nfs-server-2.2beta46/auth_clnt.c    Tue Sep  7 09:54:50 1999 +++ nfs-server-2.2beta47/auth_clnt.c    Wed Nov 10 10:18:06 1999 @@ -12,6 +12,7 @@   */ +#include "system.h" #include "nfsd.h" #include "fakefsuid.h" diff -ur nfs-server-2.2beta46/exports.man nfs-server-2.2beta47/exports.man --- nfs-server-2.2beta46/exports.man    Mon Dec  8 16:59:50 1997 +++ nfs-server-2.2beta47/exports.man    Wed Nov 10 10:18:49 1999 @@ -75,11 +75,12 @@ off, specify .IR insecure . .TP -.IR ro -Allow only read-only requests on this NFS volume. The default is to -allow write requests as well, which can also be made explicit by using -the -.IR rw " option. +.\" This used to be a documentation bug in previous versions... +.IR rw +Allow the client to modify files and directories. The default is to +restrict the client to read-only request, which can be made explicit +by using the +.IR ro " option. .TP .I noaccess This makes everything below the directory inaccessible for the named diff -ur nfs-server-2.2beta46/fh.c nfs-server-2.2beta47/fh.c --- nfs-server-2.2beta46/fh.c    Mon Nov 23 14:08:11 1998 +++ nfs-server-2.2beta47/fh.c    Wed Nov 10 10:31:49 1999 @@ -43,6 +43,10 @@   *        This software maybe be used for any purpose provided   *        the above copyright notice is retained.  It is supplied   *        as is, with no warranty expressed or implied. + * + * Note: the original code mistakenly assumes that the overall path + *    length remains within the value given by PATH_MAX... that leads + *    to interesting buffer overflows all over the place.   */ #include <assert.h> @@ -533,7 +537,7 @@     char        *slash_stack[HP_LEN];     struct stat    sbuf;     psi_t        psi; -    int        i; +    int        i, pathlen;     if (h->hash_path[0] >= HP_LEN) {         Dprintf(L_ERROR, "impossible hash_path[0] value: %s\n", @@ -549,7 +553,7 @@             return (NULL);         return xstrdup("/");     } -    /* else */ +     if (hash_psi(psi) != h->hash_path[1])         return (NULL); @@ -562,35 +566,42 @@     backtrack:         if (efs_stat(pathbuf, &sbuf) >= 0 -            && (dir = efs_opendir(pathbuf)) != NULL) { +         && (dir = efs_opendir(pathbuf)) != NULL) { +            pathlen = strlen(pathbuf);             if (cookie_stack[i] != 0)                 efs_seekdir(dir, cookie_stack[i]);             while ((dp = efs_readdir(dir))) { -                if (strcmp(dp->d_name, ".") != 0 -                    && strcmp(dp->d_name, "..") != 0) { -                    psi = pseudo_inode(dp->d_ino, sbuf.st_dev); -                    if (i == h->hash_path[0] + 1) { -                        if (psi == h->psi) { -                            /*GOT IT*/ -                            strcat(pathbuf, dp->d_name); -                            path = xstrdup(pathbuf); -                            efs_closedir(dir); -                            auth_override_uid(auth_uid); -                            return (path); -                        } -                    } else { -                        if (hash_psi(psi) == h->hash_path[i]) { -                            /*PERHAPS WE'VE GOT IT */ -                            cookie_stack[i] = efs_telldir(dir); -                            cookie_stack[i + 1] = 0; -                            slash_stack[i] = pathbuf + strlen(pathbuf); -                            strcpy(slash_stack[i], dp->d_name); -                            strcat(pathbuf, "/"); - -                            efs_closedir(dir); -                            goto deeper; -                        } -                    } +                char    *name = dp->d_name; +                int    n = strlen(name); + +                if (pathlen + n + 1 >= NFS_MAXPATHLEN +                 || (name[0] == '.' +                  && (n == 1 || (n == 2 && name[1] == '.')))) +                    continue; + +                psi = pseudo_inode(dp->d_ino, sbuf.st_dev); +                if (i == h->hash_path[0] + 1) { +                    if (psi != h->psi) +                        continue; +                    /* GOT IT */ +                    strcpy(pathbuf + pathlen, dp->d_name); +                    path = xstrdup(pathbuf); +                    efs_closedir(dir); +                    auth_override_uid(auth_uid); +                    return (path); +                } else { +                    if (hash_psi(psi) != h->hash_path[i]) +                        continue; + +                    /* PERHAPS WE'VE GOT IT */ +                    cookie_stack[i] = efs_telldir(dir); +                    cookie_stack[i + 1] = 0; +                    slash_stack[i] = pathbuf + pathlen; +                    strcpy(slash_stack[i], dp->d_name); +                    strcat(pathbuf, "/"); + +                    efs_closedir(dir); +                    goto deeper;                 }             }             /* dp == NULL */ @@ -1252,6 +1263,10 @@          * FH; don't bother with setting up a cache entry for          * now (happens later). */         if (fname[0] == '/') { +            /* shouldn't happen because the name's limited +             * by NFS_MAXNAMELEN == 255 */ +            if (strlen(fname) >= NFS_MAXPATHLEN) +                return NFSERR_NAMETOOLONG;             sbp->st_nlink = 0;             return fh_create(new_fh, fname);         } @@ -1265,6 +1280,10 @@             return NFSERR_ACCES;         fname = dopa->name;     } + +    /* Security check */ +    if (strlen(dirh->path) + strlen(dopa->name) + 1 >= NFS_MAXPATHLEN) +        return NFSERR_NAMETOOLONG;     /* Construct path.      * Lookups of "" generated by broken OS/2 clients diff -ur nfs-server-2.2beta46/nfsd.c nfs-server-2.2beta47/nfsd.c --- nfs-server-2.2beta46/nfsd.c    Sun Aug 29 17:19:29 1999 +++ nfs-server-2.2beta47/nfsd.c    Wed Nov 10 10:33:28 1999 @@ -194,8 +194,10 @@         return status;     /* Get the directory path and append "/" + dopa->filename */ -    sp = fhc->path; +    if (strlen(fhc->path) + strlen(dopa->name) + 1 >= NFS_MAXPATHLEN) +        return NFSERR_NAMETOOLONG; +    sp = fhc->path;     while (*sp)        /* strcpy(buf, fhc->path); */         *buf++ = *sp++;     *buf++ = '/';        /* strcat(buf, "/");  */ @@ -207,12 +209,8 @@     }     *buf = '\0'; -    if (strlen(path) > NFS_MAXPATHLEN) -        return NFSERR_NAMETOOLONG; - -    if ((nfsmount = auth_path(nfsclient, rqstp, path)) == NULL) { +    if ((nfsmount = auth_path(nfsclient, rqstp, path)) == NULL)         return NFSERR_ACCES; -    }     auth_user(nfsmount, rqstp);     return (NFS_OK); diff -ur nfs-server-2.2beta46/version.c nfs-server-2.2beta47/version.c --- nfs-server-2.2beta46/version.c    Tue Sep  7 10:38:26 1999 +++ nfs-server-2.2beta47/version.c    Wed Nov 10 10:33:33 1999 @@ -1 +1 @@ -char version[] = "Universal NFS Server 2.2beta46"; +char version[] = "Universal NFS Server 2.2beta47";  ----------------- The full source for 2.2beta47 can be found at: ftp://mathematik.tu-darmstadt.de/pub/linux/people/okir  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability Insight Control for Linux Multiple Vulnerabilities HP-UX Running NFS/ONCplus Denial of Service Vulnerability HP-UX Running BIND Denial of Service Vulnerability 2011 HP-UX Running XNTP Denial of Service Vulnerability HP-UX Denial of Service Vulnerability Webkit Detached Body Element Code Execution Vulnerability Mac OS X Compact Font Format Decoder Code Execution Vulnerability WebKit WBR Tag Removal Code Execution Vulnerability Webkit Undefined DOM Prototype Attach Code Execution Vulnerability Apple HFS Information Disclosure Vulnerability XPDF arbitrary Arbitrary Code Execution Vulnerabilities Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities  Featured Articles RealNetworks RealPlayer Malformed AAC File Parsing Code Execution Vulnerability ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®