TUCoPS :: SunOS/Solaris :: sun5331.htm

Solaris cachefsd remote buffer overflow vulnerability
6th May 2002 [SBWID-5331]
COMMAND

	Solaris cachefsd remote buffer overflow vulnerability

SYSTEMS AFFECTED

	Solaris 2.5.1, 2.6, 7, 8

PROBLEM

	Last Stage of Delirium [http://lsd-pl.net] members reports :
	

	The cachefsd program is  installed  (and  started)  by  default  on  all
	versions of SUN's Solaris operating system starting  from  version  2.6.
	The purpose of this program is  to  cache  requests  for  operations  on
	remote file systems mounted  with  the  use  of  NFS  protocol.  In  the
	Solaris operating system, the  cachefsd  service  is  installed  as  RPC
	service with a number 100235.
	

	We have  found  that  there  exists  a  security  vulnerability  in  the
	cachefsd service, which can be remotely exploited to  gain  unauthorised
	access to the system with administrative (root user) privileges.
	

	 Description of the vulnerability

	 ================================

	 

	The vulnerability found belongs to the so called class of  "heap  buffer
	overflow" errors. It can be  triggered  by  sending  appropriate  string
	argument as the second parameter (cache name) of the  5th  RPC  function
	cachefsd_fs_mounted_1_svc()  of  the  cachefsd  service.  This  function
	takes two character strings as arguments.  These  are  respectively  the
	name of directory to  be  mounted  and  a  cache  name.  During  further
	operation   of   cachefsd_fs_mounted_1_svc()   function,   a   call   to
	subr_add_mount()  is  made  as  it  is  responsible  for  servicing  the
	request. The two forementioned string parameters are also  passed  along
	with it as they will be used in a creation of a  new  cachefs  structure
	by the cfsd_fscache_create() function. As the new cachefs  structure  is
	allocated (cfsd_calloc()) it is also filled with data, and this is  done
	with  the  use  of  passed  directory  name  and  cache   name   values.
	Unfortunately this data initialisation is not safe  as  it  is  done  by
	calling  strcpy()  function.  This   leads   to   overwriting   internal
	structures of memory allocator and when properly  exploited  can  change
	the execution path of a vulnerable  program  so  that  a  user  provided
	machine code  instructions  will  be  executed.  Below  you  can  see  a
	detailed trace log from our bptrace tool,  which  clearly  illustratates
	the cachefsd execution path that leads to the overflow condition.
	

	breakpoint trace [version 1.4]

	copyright by LAST STAGE OF DELIRIUM 1998 Poland

	    found 340 symbols

	    340 breakpoints enabled, 0 disabled, 0 aliases

	==> attaching process 14548 (/usr/lib/fs/cachefs/cachefsd)

	....

	[14548] 0x00028ea4    1  xdr_cachefsd_fs_mounted()

	[14548] 0x0003b324    1  xdr_string()

	[14548] 0x0003b324    2  xdr_string()

	---

	[14548] 0x00016c58    1  cachefsd_fs_mounted_1_svc()

	---

	[14548] 0x0003b1c8    5  thr_getspecific()

	[14548] 0x0002623c    5  db_debugon()

	---

	[14548] 0x00023c74    1  subr_add_mount()

	---

	[14548] 0x0003b1a4    8  free(0x00047e08)

	[14548] 0x0003b000   21  mutex_unlock()

	---

	[14548] 0x000206a0    1  cfsd_fscache_create()

	---

	[14548] 0x00024c94   12  dbug_object_create()

	[14548] 0x0003aff4   23  mutex_lock()

	[14548] 0x00024b00    2  cfsd_calloc()

	[14548] 0x0003b198   15  calloc(13920,1) -> 0x00067a38

	

	[14548] 0x0003af10   27  strcpy(0x00067a38,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAA")

	

	After the above strcpy() function call, the chunk  of  memory  allocator
	gets overwritten and this condition can be exploited at  the  next  call
	to malloc() or free().
	

	

	 Update (25 July 2002)

	 ======

	

	Cisco announced many sun based products to be vulnerable, check :
	

	http://www.cisco.com/warp/public/707/Solaris-cachefs.shtml

	

SOLUTION

	Workaround ==========
	

	Comment out cachefsd in /etc/inetd.conf as shown below:
	

	For Solaris 2.6, 7 and 8:
	

	 #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd 

	 cachefsd

	

	Fot Solaris 2.5.1:
	

	 #100235/1 stream rpc/tcp wait root

	 /usr/lib/fs/cachefs/cachefsd  cachefsd

	

	Once the line is commented out either reboot, or send a  HUP  signal  to
	inetd(1M) and kill existing cachefsd processes, for example, on  Solaris
	2.5.1 and 2.6 do the following:
	

	               $ kill -HUP <PID of inetd>

	               $ kill <PIDs of any cachefsd processes>

	

	Solaris 7 and 8 do the following
	

	              $ pkill -HUP inetd

	              $ pkill cachefsd

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH