[12511] in bugtraq


Re: undocumented bugs - nfsd

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Nov 10 12:48:23 1999

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=3MwIy2ne0vdjdPXF
Message-Id:  <19991110105431.B31766@monad.swb.de>
Date:         Wed, 10 Nov 1999 10:54:31 +0100
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.20.9911091058140.12964-100000@mail.zigzag.pl>; from
              Mariusz Marcinkiewicz on Tue, Nov 09, 1999 at 11:39:39AM +0100


On Tue, Nov 09, 1999 at 11:39:39AM +0100, Mariusz Marcinkiewicz wrote:
> After reading lcamtuf's posts I decided to write this one. A few months ago one
> of my friends - digit - found a bug in the Linux nfsd daemon. I made an example
> sploit about IV 1999. Now there is a new nfsd in distributions and nowhere was
> there information about the security weakness of the old version!

Well, one gets used to people posting to bugtraq without bothering to
send any mail whatsoever to the maintainer of a free software package.
But whining about the bug not having been fixed without even sending
a bug report *anywhere* kind of beats everything I've seen so far.
Am I now supposed to follow alt.support.p30ple.with.sp311ing.pr0blemz?

FWIW, the source distribution of unfsd contains a file called BUGS
which even the attention span challenged have a hard time overlooking.
This file contains fairly detailed instructions on how to submit a
bug report.

Concerning the problem Mariusz has been handwaving about, this is a
serious issue. It's got nothing to do with realpath(), however. The true
cause of the problem is that the code relies on the total length of a
path to not exceed PATH_MAX + NAME_MAX. I'm not sure whether this is a
common Unix problem, but at least on Linux, PATH_MAX merely seems to put
an upper limit on the length of a single path you can hand to a syscall
(size of a page - 1, i.e. 4095). However, it still allows you to create
files within that directory as long as you use relative names only...

As to the impact of the problem, it's nasty, but you will need to have
a directory exported read/write to you in order to exploit it (or you're
able to impersonate a host with this kind of access).

Appended you'll find a patch against 2.2beta46 that rectifies this problem.
The full source for 2.2beta47 can be found at
ftp://mathematik.tu-darmstadt.de/pub/linux/people/okir

Another version (2.2.48) that has some additional, non-security related
fixes I have been working on can be found in the dontuse subdirectory.

Olaf

-----BEGIN PGP SIGNED MESSAGE-----

79a29fe9f79b2f3241d4915767b8c511  nfs-server-2.2beta47.tar.gz
c2ef6e37064ca7d9e52de7b711a7ebec  patch-2.2.47.gz

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

[Attachment: patch-2.2.47.gz (application/octet-stream, base64; contents not included in this archive copy)]
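The point Olaf makes about PATH_MAX above (it caps a single syscall argument, not the depth of a tree reachable by relative names) can be checked directly. The following is an added example, not code from the unfsd sources or from the patch: it builds a tree whose leaf has an absolute name longer than PATH_MAX using only relative mkdir()/chdir(), shows that the leaf is reachable relatively while stat() on its absolute name is rejected with ENAMETOOLONG, and includes the kind of bounded path join a server must use instead of trusting a PATH_MAX + NAME_MAX buffer. DEPTH and NAMELEN are constructed values; `join_path_checked` and `deep_tree_exceeds_path_max` are names chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEPTH   40   /* constructed: 40 levels of 120-byte names, */
#define NAMELEN 120  /* so the leaf's absolute name exceeds PATH_MAX (4096) */

/* Bounded join of dir + "/" + name: returns the resulting length, or -1 with
 * errno = ENAMETOOLONG if the result would not fit in bufsz bytes. A server that
 * assembles full paths needs this check; a PATH_MAX-sized buffer is no guarantee. */
int join_path_checked(char *buf, size_t bufsz, const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);
    if (dl + 1 + nl + 1 > bufsz) { errno = ENAMETOOLONG; return -1; }
    memcpy(buf, dir, dl); buf[dl] = '/'; memcpy(buf + dl + 1, name, nl + 1);
    return (int)(dl + 1 + nl);
}

/* Creates DEPTH nested directories below the working directory using only
 * relative mkdir()/chdir(), then checks the leaf: stat(".") succeeds, while
 * stat() on its hand-assembled absolute name fails with ENAMETOOLONG. Returns
 * 1 when both hold, 0 otherwise, -1 on setup failure; the tree is removed again. */
int deep_tree_exceeds_path_max(void)
{
    char cwd0[PATH_MAX], base[] = "pathmax-XXXXXX", name[NAMELEN + 1], *abs;
    struct stat st; int i, levels, result;

    memset(name, 'a', NAMELEN); name[NAMELEN] = '\0';
    if (!getcwd(cwd0, sizeof cwd0) || !mkdtemp(base) || chdir(base) != 0) return -1;
    for (levels = 0; levels < DEPTH; levels++)
        if (mkdir(name, 0700) != 0 || chdir(name) != 0) break;

    /* getcwd() cannot return a name longer than PATH_MAX, so build it ourselves */
    abs = malloc(strlen(cwd0) + 1 + strlen(base) + (size_t)DEPTH * (NAMELEN + 1) + 1);
    strcpy(abs, cwd0); strcat(abs, "/"); strcat(abs, base);
    for (i = 0; i < DEPTH; i++) { strcat(abs, "/"); strcat(abs, name); }
    result = levels == DEPTH && strlen(abs) > PATH_MAX && stat(".", &st) == 0
             && stat(abs, &st) == -1 && errno == ENAMETOOLONG;
    free(abs);

    for (i = 0; i < levels; i++) { (void)chdir(".."); (void)rmdir(name); }
    (void)chdir(cwd0); (void)rmdir(base);
    return result;
}
```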
