[nas] commit: fixes for several DOS attacks against nasd

Jon Trulson jon at radscan.com
Sun Mar 18 12:55:55 MDT 2007


     Luigi Auriemma sent an analysis and proof-of-concept code to me a
     couple weeks ago, outlining several denial of service attacks
     (DOS) that could be carried out against a nasd server, causing it
     to crash.

     I have committed a patch to trunk that should resolve these
     issues.  I will make a 1.8b devel version soon, and then head
     toward a stable release in a few weeks.

     I have also attached a patch outlining the fixes - it *should*
     apply cleanly to 1.8a, just FYI.  Of course if you have a copy of
     the svn repo, just update :)

     Here is the relevant HISTORY snippet.

     - fix a variety of problems that could result in a denial of
       service by crashing the nasd server.  These attacks were
       researched by Luigi Auriemma, who also provided a description of
       the attacks and an exploit program, 'nasbugs'.

       I have added his emailed report and the test attack code to the
       nas repository in contrib/nasbugs if you are interested.  Thanks
       to Luigi for finding these problems.  It sucked fixing them :)

       Here is a list of the bugs tested as output by the nasbugs
       program:

       1 = accept_att_local buffer overflow through USL connection
       2 = server termination through nonexistent ID in AddResource
       3 = bcopy crash caused by integer overflow in ProcAuWriteElement
       4 = invalid memory pointer caused by big num_actions in ProcAuSetElements
       5 = another invalid memory pointer caused by big num_actions in
           ProcAuSetElements
       6 = invalid memory pointer in compileInputs
       7 = exploits bug 3 in read mode (requires something playing on
           the server)
       8 = NULL pointer caused by too many connections

       Note on bug #2, X11 display servers should be vulnerable to a
       DOS of this type as well (causing fatal 'client not in use'
       errors in AddResource()).

       Note on bug #8, the nasd server will not be able to accept
       further client connections when the client table is full, until
       the rejected clients disconnect their end of the socket and the
       necessary fd's are freed up.  It's better than coring though.



-- 
Jon Trulson
mailto:jon at radscan.com 
#include <std/disclaimer.h>
"No Kill I" -Horta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nasbugs_fixes.patch
Type: text/x-diff
Size: 11655 bytes
Desc: 
URL: <http://radscan.com/pipermail/nas/attachments/20070318/db368cf9/attachment.patch>
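The bug classes listed in the HISTORY snippet (integer overflow feeding bcopy in bug 3, oversized num_actions in bugs 4 and 5, a full client table dereferencing NULL in bug 8) share one defensive pattern: prove that client-supplied counts and lengths cannot wrap or exceed a bound before they are used for allocation or copying, and refuse a connection rather than index past the table. The following C is an added example written for this post; it is not nasd code and not from the attached patch. The `struct req` layout, the MAX_* limits and the function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical request shape modelled on the bugs described above: the
 * client supplies an element count and a byte length, and a server that
 * trusts both when computing the copy size can wrap a 32-bit counter. */
#define MAX_ELEMENTS 64          /* assumed server-side element limit */
#define MAX_PAYLOAD  (1u << 20)  /* assumed 1 MiB cap per request */

struct req {
    uint32_t num_actions;   /* client-supplied element count */
    uint32_t data_len;      /* client-supplied trailing byte count */
    uint32_t element_size;  /* size of one action record */
};

enum verdict { REQ_OK = 0, REQ_TOO_MANY = 1, REQ_OVERFLOW = 2, REQ_TOO_BIG = 3 };

/* Writes the validated byte count to *out only when every arithmetic step
 * is shown not to wrap and the result stays under the payload cap. A
 * rejected request is the right outcome; a wrapped size is the crash. */
enum verdict validate_request(const struct req *r, size_t *out)
{
    if (r->num_actions > MAX_ELEMENTS)
        return REQ_TOO_MANY;
    /* num_actions * element_size must fit in 32 bits (bugs 4/5 analogue) */
    if (r->element_size != 0 && r->num_actions > UINT32_MAX / r->element_size)
        return REQ_OVERFLOW;
    uint32_t actions_bytes = r->num_actions * r->element_size;
    /* actions_bytes + data_len must fit as well (bug 3 analogue) */
    if (r->data_len > UINT32_MAX - actions_bytes)
        return REQ_OVERFLOW;
    uint32_t total = actions_bytes + r->data_len;
    if (total > MAX_PAYLOAD)
        return REQ_TOO_BIG;
    *out = total;
    return REQ_OK;
}

/* Bug 8 analogue: when every slot in the client table is taken, return -1
 * so the caller closes the socket, instead of handing back a NULL entry
 * that later gets dereferenced. in_use[i] != 0 marks an occupied slot. */
int claim_client_slot(int *in_use, size_t table_len)
{
    for (size_t i = 0; i < table_len; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            return (int)i;
        }
    }
    return -1;
}
```

The overflow checks divide or subtract before multiplying or adding, so the comparison is made on values that cannot have wrapped yet.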

