Irix nsd root vuln


Hello,

We have discovered a serious security vulnerability in the IRIX nsd service,
which when properly exploited can result in an unauthorized remote root access
to the vulnerable system. SGI was informed about this issue and assigned this
bug number CVE CAN-2003-0575 (<ftp://patches.sgi.com/support/free/security/advisories/20030704-01-P>).

The /usr/etc/nsd program is installed and started by default on all versions of
SGI's IRIX operating system beginning with version 6.5.0 (from 6.5.x the nsd
service listens only on the localhost interface). It is responsible for
providing consistent namespace and cache mechanisms for different name services
(e.g. DNS, NIS, local configurations). It uses an NFS-based virtual file system
(an in-memory file system) to store its various data files. In the IRIX
operating system, all functions operating on namespaces make use of the
functionality provided by the nsd service. This specifically refers to
functions like getpwnam() and gethostbyname().

This is also the primary reason why this service cannot be easily turned off, as
this would affect the operation of the IRIX name services and of the whole
system as well.

DESCRIPTION OF THE VULNERABILITY

In order to allow user applications to communicate with the nsd service, it
implements the NFS protocol. This interface is accessible through a UDP port
that is dynamically assigned at system startup (usually 1024 and above). The
vulnerability that we have found is in the function implementing the RPC
AUTH_UNIX method. It belongs to the class of so-called "heap buffer overflow"
errors.

The vulnerability can be triggered by sending a specially crafted RPC AUTH_UNIX
UDP packet to the nsd service. Upon reception of such a packet, nsd invokes
the nfs_dispatch() function for handling the NFS protocol requests. From within
the latter function, a call to nsd_cred_new() is made. The nsd_cred_new()
function allocates heap memory to store the received authorisation data.

Next, just after returning from the nsd_cred_new() function, a copy loop is
executed. This loop simply copies elements of the c_gid table (containing the
list of group identifiers to which the user belongs) to the proper offset of
the nsd_cred structure previously allocated by the nsd_cred_new() function.
Both the loop counter (c_gids) and the copied data are taken directly from
the body of the received packet. As a result, the sender fully controls the
length of the copied data. In particular, the length can be chosen so that a
buffer overflow condition is triggered, as a result of which some control
data in (and after) the nsd_cred structure is overwritten.
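
The missing validation, shown as an added example that is not part of the original advisory and is not nsd source code: a bounds-checked parser for an AUTH_UNIX credential body. The names struct cred, get_u32() and parse_auth_unix() are hypothetical; the limits of 16 group ids and 255 machine-name bytes come from the ONC RPC definition of AUTH_UNIX, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_UNIX_MAX_GIDS 16   /* gids<16> in the ONC RPC AUTH_UNIX definition */
#define AUTH_UNIX_MAX_NAME 255  /* machinename<255> */

/* Hypothetical credential record; not the real nsd_cred layout. */
struct cred {
    uint32_t uid, gid, ngids;
    uint32_t gids[AUTH_UNIX_MAX_GIDS];
};

/* Read one big-endian XDR word, advancing *off; returns 0 on success. */
static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (len < 4 || *off > len - 4) return -1;
    *out = (uint32_t)b[*off] << 24 | (uint32_t)b[*off + 1] << 16 |
           (uint32_t)b[*off + 2] << 8 | b[*off + 3];
    *off += 4;
    return 0;
}

/* Parse an AUTH_UNIX credential body. Returns 0 on success, -1 if malformed. */
int parse_auth_unix(const uint8_t *b, size_t len, struct cred *c)
{
    size_t off = 0;
    uint32_t stamp, namelen, n, i;

    memset(c, 0, sizeof *c);
    if (get_u32(b, len, &off, &stamp) || get_u32(b, len, &off, &namelen))
        return -1;
    if (namelen > AUTH_UNIX_MAX_NAME) return -1;
    namelen = (namelen + 3) & ~3u;              /* XDR pads strings to 4 bytes */
    if (namelen > len - off) return -1;
    off += namelen;
    if (get_u32(b, len, &off, &c->uid) || get_u32(b, len, &off, &c->gid) ||
        get_u32(b, len, &off, &n))
        return -1;
    /* Bound the packet-supplied gid count before the copy loop: by the
       destination capacity and by the bytes actually received. */
    if (n > AUTH_UNIX_MAX_GIDS || n > (len - off) / 4) return -1;
    for (i = 0; i < n; i++)
        get_u32(b, len, &off, &c->gids[i]);
    c->ngids = n;
    return 0;
}
```
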

Below you can see a detailed trace log from our bptrace tool, which clearly
illustrates the nsd execution path that leads to the overflow condition.

breakpoint trace [version 1.4]
copyright by LAST STAGE OF DELIRIUM 1998 Poland
found 168 symbols
168 breakpoints enabled, 0 disabled, 0 aliases
==> attaching process 2901956 (/usr/etc/nsd)
[2901956] 0x1000521c 1 nsd_callback_get()
[2901956] 0x1001535c 1 nsd_logprintf()
[2901956] 0x10015624 1 nsd_calloc()
[2901956] 0x0fa35e5c 1 calloc(1,40)
[2901956] 0x0fa34bc4 1 malloc(40)
[2901956] 0x0fa37838 1 memset(0x1002a168,0,40)
[2901956] 0x0fa494cc 1 tsix_recvfrom_mac()

-------------------------------------------------------------------------------
[2901956] 0x10005254 1 nsd_cred_new() Allocating new nsd_cred
[2901956] 0x10015624 2 nsd_calloc() structure
-------------------------------------------------------------------------------
The copy loop described above is executed here
-------------------------------------------------------------------------------
[2901956] 0x10010c4c 1 nfs2_dispatch()
[2901956] 0x1001535c 2 nsd_logprintf()
[2901956] 0x0fa49734 1 tsix_sendto_mac()
[2901956] 0x0fa5eadc 1 sendto(5,
00 00 00 00 00 00 00 01 00 00 00 00 00 .............
00 00 00 00 00 00 00 00 00 00 00 00 00 .............
00 00 ..
,28,0,)
[2901956] 0x100053ac 1 nsd_cred_clear()
[2901956] 0x0fa35c6c 1 free(0x10037b90)
[2901956] 0x0fa35c6c 2 free(0x1002a168)
[2901956] 0x100142b4 1 nsd_timeout_set()
[2901956] 0x0fa57fd8 1 gettimeofday()
[2901956] 0x0fa5e73c 1 select()
[2901956] 0x1000521c 2 nsd_callback_get()
[2901956] 0x1001535c 3 nsd_logprintf()
[2901956] 0x10015624 3 nsd_calloc()
[2901956] 0x56] 0x0fa5eadc 2 sendto(5,
00 00 00 00 00 00 00 01 00 00 00 00 00 .............
00 00 00 00 00 00 00 00 00 00 00 00 00 .............
00 00 ..
,28,0,)
-------------------------------------------------------------------------------
[2901956] 0x100053ac 2 nsd_cred_clear() Freeing nsd_cred and asmcode
execution
-------------------------------------------------------------------------------
==> process 2901956 forking to 2901957
==> attaching process 2901957 (/usr/etc/nsd)
==> process 2901957 executing /bin/sh
found 32 symbols
32 breakpoints enabled, 0 disabled, 0 aliases


-------------------------------------------------------------------------------

We have verified that this vulnerability is exploitable and we have written a
fully operational proof of concept code. It will be available for download from
our webpage in the future.

With best regards,
Members of
The Last Stage of Delirium
Research Group
<http://lsd-pl.net>