[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Hamid Zamani me at hamidx9.ir
Wed Aug 7 03:44:44 MDT 2013


Subject: nas: Multiple Vulnerabilities in nas 1.9.3
Package: nas
Version: 1.9.3-5

Dear Maintainer,

Recently I found some vulnerabilities, which are described below.
Some of them may not be very severe, but it is better to have them fixed.
Further information I will send you in this bug report.
If I can help in the process, please let me know.


NAS Multiple Vulnerabilities

========================================================================
Buffer overflow can happen with an overlong display command-line argument

File : server/os/utils.c
Function : ProcessCommandLine

    for (i = 1; i < argc; i++) {
        if (argv[i][0] == ':') {
            display = argv[i];
            display++;

PoC$ nasd :$(python -c 'print "A"*200')
=> overflow ...

---------------------------

File : server/os/access.c
Function : ResetHosts

...
    char fname[32];
...
    strcpy(fname, "/etc/X");
    strcat(fname, display);
    strcat(fname, ".hosts");

---------------------------

File : server/os/connection.c
Function : open_unix_socket

...
        struct utsname systemName;
        static char oldLinkName[256];
...
        uname(&systemName);
        strcpy(oldLinkName, OLD_UNIX_DIR);
        if (!mkdir(oldLinkName, 0777))
            chown(oldLinkName, 2, 3);
        strcat(oldLinkName, "/");
        strcat(oldLinkName, systemName.nodename); // strcat is not safe
        strcat(oldLinkName, display);  // strcat is not safe
        unlink(oldLinkName);
        symlink(unsock.sun_path, oldLinkName);

---------------------------

Function :  open_isc_local

..
    char path[64];
..
    strcat(path, display);

---------------------------

Function :  open_xsight_local

...
    char pathS[64], pathR[64];
...
    sprintf(pathS, "%s%sS", AUDIO_XSIGHT_PATH, display);
    sprintf(pathR, "%s%sR", AUDIO_XSIGHT_PATH, display);

---------------------------

Function : open_att_local
...
    char path[64];
...
    strcpy(path, AUDIO_STREAMS_PATH);
    strcat(path, display);

---------------------------

Function : open_att_svr4_local
...
        char path[64];
...
    strcpy(path, AUDIO_NSTREAMS_PATH);
    strcat(path, display);

========================================================================
Buffer overflow can happen when using getenv() without checking the size of its result

File : server/os/connection.c
Function : CreateWellKnownSockets
...
    char host[100];
...
        if (AuServerHostName == NULL)
            AuServerHostName = getenv("AUDIOHOST");
...
        sprintf(host, "%s/%s:%s", DEF_AUSVRDIR, AuServerHostName,
                0 /* port */ );

---------------------------

Function : AmoebaTCPConnectorThread
...
    char name[BUFSIZ];
...
        sprintf(name, "%s/%s", TCP_SVR_NAME, AuTcpServerName);

========================================================================
Heap overflow may happen when using getenv() without checking the size of its result

File : server/os/connection.c
Function : AmoebaConnectorThread

...
    if ((repb = (char *) malloc(REPLY_BUFSIZE)) == NULL)
...
        case STD_INFO:
            rep.h_status = STD_OK;
            sprintf(repb, "audio server on %s", AuServerHostName);
...

========================================================================
A format string vulnerability may occur when misusing functions like syslog()

File : server/os/aulog.c: +40
Function : osLogMsg
...
        openlog("nas", LOG_PID, LOG_DAEMON);
        syslog(LOG_DEBUG, buf); // possible format string vulnerability; use syslog(LOG_DEBUG, "%s", buf) instead
        closelog();

========================================================================
A possible buffer overflow may occur when the size of the buffer is not checked.

File : server/os/aulog.c: +27
Function : osLogMsg

 ...
     static char buf[LOG_BUFSIZE];
...
    (void) vsprintf(buf, fmt, ap); // it's highly recommended to use functions like vsnprintf

========================================================================
Possible race condition and symlink attack: the device path is taken from the environment without any check and opened read/write:

File : server/os/connection.c:

    tcp_dev = getenv("TCP_DEVICE"); // Need check
    if (tcp_dev == NULL)
        tcp_dev = TCP_DEVICE;

    fd = open(tcp_dev, O_RDWR); // O_RDWR => results in corrupting data


========================================================================


---
Regards,
Hamid Zamani (a.k.a HAMIDx9)
Ashiyane Digital Security Team



-------------- next part --------------
NAS Multiple Vulnerabilities

nas : Network Audio System

========================================================================
Buffer overflow can happen with an overlong display command-line argument

File : os/utils.c
Function : ProcessCommandLine

    for (i = 1; i < argc; i++) {
        if (argv[i][0] == ':') {
            display = argv[i];
            display++;

---------------------------

File : os/access.c
Function : ResetHosts

...
    char fname[32];
...
    strcpy(fname, "/etc/X");
    strcat(fname, display);
    strcat(fname, ".hosts");

---------------------------

File : os/connection.c
Function : open_unix_socket

...
        struct utsname systemName;
        static char oldLinkName[256];
...
        uname(&systemName);
        strcpy(oldLinkName, OLD_UNIX_DIR);
        if (!mkdir(oldLinkName, 0777))
            chown(oldLinkName, 2, 3);
        strcat(oldLinkName, "/");
        strcat(oldLinkName, systemName.nodename); // strcat is not safe 
        strcat(oldLinkName, display);  // strcat is not safe 
        unlink(oldLinkName);
        symlink(unsock.sun_path, oldLinkName);

---------------------------

Function :  open_isc_local

..
    char path[64];
..
    strcat(path, display);

---------------------------

Function :  open_xsight_local

...
    char pathS[64], pathR[64];
...
    sprintf(pathS, "%s%sS", AUDIO_XSIGHT_PATH, display);
    sprintf(pathR, "%s%sR", AUDIO_XSIGHT_PATH, display);

---------------------------

Function : open_att_local
...
    char path[64];
...
    strcpy(path, AUDIO_STREAMS_PATH);
    strcat(path, display);

---------------------------

Function : open_att_svr4_local
...
	char path[64];
...
    strcpy(path, AUDIO_NSTREAMS_PATH);
    strcat(path, display);

========================================================================
Buffer overflow can happen when using getenv() without checking the size of its result

File : os/connection.c
Function : CreateWellKnownSockets
...
    char host[100];
...
        if (AuServerHostName == NULL)
            AuServerHostName = getenv("AUDIOHOST");
...
        sprintf(host, "%s/%s:%s", DEF_AUSVRDIR, AuServerHostName,
                0 /* port */ );
                
---------------------------

Function : AmoebaTCPConnectorThread
...
    char name[BUFSIZ];
...
	sprintf(name, "%s/%s", TCP_SVR_NAME, AuTcpServerName);

========================================================================
Heap overflow may happen when using getenv() without checking the size of its result

File : os/connection.c
Function : AmoebaConnectorThread

...
    if ((repb = (char *) malloc(REPLY_BUFSIZE)) == NULL)
...
        case STD_INFO:
            rep.h_status = STD_OK;
            sprintf(repb, "audio server on %s", AuServerHostName); 
...

========================================================================
A format string vulnerability may occur when misusing functions like syslog()

File : os/aulog.c: +40
Function : osLogMsg
...
        openlog("nas", LOG_PID, LOG_DAEMON);
        syslog(LOG_DEBUG, buf); // possible format string vulnerability; use syslog(LOG_DEBUG, "%s", buf) instead
        closelog();

========================================================================    
A possible buffer overflow may occur when the size of the buffer is not checked.
 
File : os/aulog.c: +27
Function : osLogMsg
 
 ...
     static char buf[LOG_BUFSIZE];
...
    (void) vsprintf(buf, fmt, ap); // it's highly recommended to use functions like vsnprintf
       
========================================================================    
Possible race condition and symlink attack: the device path is taken from the environment without any check and opened read/write:

os/connection.c:

    tcp_dev = getenv("TCP_DEVICE"); // Need check 
    if (tcp_dev == NULL)
        tcp_dev = TCP_DEVICE;

    fd = open(tcp_dev, O_RDWR); // O_RDWR => results in corrupting data










