Re: SECURITY: new nfs-server packages available (fwd)

From: Paul Boehm (paulat_private)
Date: Thu Aug 27 1998 - 21:38:50 PDT


    On Fri, Aug 28, 1998 at 03:53:07AM +0100, Alan Cox wrote:
    > Expect similar announcements from other Linux vendors to follow this one. The
    > bug is in code that, as far as I can tell, is Linux-specific portmap code,
    > so this is unlikely to affect non-Linux portmappers. I'll post an explanation
    > once the other vendor announcements are out.
    
    I've looked through the code...
    I assume that everyone interested in this with a bit of
    C and English knowledge should be able to find out, by looking at the diffs,
    where in the code the mentioned problems are located and of what kind they
    are. To understand the following, look at the diff from the new source rpm.
    
    Currently I see no way to exploit this in the way the nfs package is shipped
    with Red Hat Linux (as far as I can see from the source rpm) unless the nfs
    or mountd get a SIGUSR1 (kill -10) signal while running. The only messages
    that still get logged without this are: L_WARNING, L_FATAL, L_ERROR.
    CALL_PROFILING isn't defined by default, so I didn't look through what
    would happen if it were defined. I looked through every call to Dprintf
    that reaches the vulnerable code parts and found nothing dangerous (hope
    I didn't miss something).
    
    Just as a sidenote:
    if CALL_PROFILING were defined, we would encounter this nice goodie:
    nfs_dispatch.c:#define PATH_PROFILE     "/tmp/nfsd.profile"
    (bad idea for a default)
    
    WANT_LOG_MOUNTS isn't defined by default; I didn't look through what
    happens when it is defined.
    
    I hope I didn't miss anything... if I did, please correct me!
    
    I guess, from what I've seen, people using the binary
    supplied by Red Hat who didn't toy around with signals are safe
    from this.
    
    Ah yes, _maybe_ there's a problem when logging stuff with
    paths > 1024... I didn't look further into it.
    It shouldn't cause problems unless the attacker gets
    writable access to your filesystem...
    
    (Maybe if you have a very long
    directory structure on your system this could result in a DoS attack without
    write access... but who has paths that big, and who cares?)
    
    bye,
         paul
    
    --
    
    [ Paul S. Boehm | paulat_private | http://paul.boehm.org/ | infected@irc ]
    
    Money is what gives a programmer his resources. It's an exchange system created
    by human beings. It surrounds us. Works for us, binds the economy together.
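The "paths > 1024" remark above concerns log messages built from attacker-influenced path strings in a fixed-size buffer. As an added illustration (not code from nfs-server or from the poster), the following shows how a logging helper stays bounded: it uses snprintf's return value to detect that the message did not fit, marks the truncation visibly, and never writes past the buffer. The buffer size of 1024 follows the post; the function and buffer names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Fixed log buffer size; 1024 matches the limit mentioned in the post.
 * LOG_BUF_SIZE and format_log_line() are hypothetical names, not nfs-server's. */
#define LOG_BUF_SIZE 1024

/* Format "<op>: <path>" into a caller-supplied buffer of size outsz.
 * Returns 1 if the message fit, 0 if it had to be truncated.  The result is
 * always NUL-terminated, so an over-long path cannot run past the buffer the
 * way an unbounded sprintf()/strcpy() into a 1024-byte array would. */
int format_log_line(char *out, size_t outsz, const char *op, const char *path)
{
    int n;
    if (outsz == 0)
        return 0;
    /* snprintf reports the length the full message *would* have had;
     * a value >= outsz is the truncation signal we check. */
    n = snprintf(out, outsz, "%s: %s", op, path);
    if (n < 0) {               /* encoding error: emit nothing */
        out[0] = '\0';
        return 0;
    }
    if ((size_t)n >= outsz) {
        /* Overwrite the tail with a marker so an operator reading the log
         * can see the line was cut rather than silently shortened. */
        const char *tag = "...[truncated]";
        size_t tl = strlen(tag);
        if (outsz > tl + 1)
            memcpy(out + outsz - 1 - tl, tag, tl + 1);
        return 0;
    }
    return 1;
}

/* Demonstration on constructed input: a short path fits, a 2000-byte path
 * is cut to LOG_BUF_SIZE - 1 characters and flagged.  Returns 1 on success. */
int demo(void)
{
    char buf[LOG_BUF_SIZE];
    char longpath[2000];                    /* constructed over-long path */
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    int ok_short = format_log_line(buf, sizeof buf, "mount", "/export/home");
    int ok_long  = format_log_line(buf, sizeof buf, "mount", longpath);
    return ok_short && !ok_long && strlen(buf) == LOG_BUF_SIZE - 1;
}
```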
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:58 PDT