[nas] nas: Multiple Vulnerabilities in nas 1.9.3
Hamid Zamani
me at hamidx9.ir
Wed Aug 7 03:44:44 MDT 2013
Subject: nas: Multiple Vulnerabilities in nas 1.9.3
Package: nas
Version: 1.9.3-5
Dear Maintainer,
Recently I found some vulnerabilities that are described below.
Some of them may not be so effective, but it's better for them to be fixed.
Any further information, I'll send you at this bug report.
If I can help in the process, please let me know.
NAS Multiple Vulnerabilities
========================================================================
Buffer overflow can happen at a wrong display command argument
File : server/os/utils.c
Function : ProcessCommandLine
for (i = 1; i < argc; i++) {
if (argv[i][0] == ':') {
display = argv[i];
display++;
PoC$ nasd :$(python -c 'print "A"*200')
=> overflow ...
---------------------------
File : server/os/access.c
Function : ResetHosts
...
char fname[32];
...
strcpy(fname, "/etc/X");
strcat(fname, display);
strcat(fname, ".hosts");
---------------------------
File : server/os/connection.c
Function : open_unix_socket
...
struct utsname systemName;
static char oldLinkName[256];
...
uname(&systemName);
strcpy(oldLinkName, OLD_UNIX_DIR);
if (!mkdir(oldLinkName, 0777))
chown(oldLinkName, 2, 3);
strcat(oldLinkName, "/");
strcat(oldLinkName, systemName.nodename); // strcat is not safe
strcat(oldLinkName, display); // strcat is not safe
unlink(oldLinkName);
symlink(unsock.sun_path, oldLinkName);
---------------------------
Function : open_isc_local
..
char path[64];
..
strcat(path, display);
---------------------------
Function : open_xsight_local
...
char pathS[64], pathR[64];
...
sprintf(pathS, "%s%sS", AUDIO_XSIGHT_PATH, display);
sprintf(pathR, "%s%sR", AUDIO_XSIGHT_PATH, display);
---------------------------
Function : open_att_local
...
char path[64];
...
strcpy(path, AUDIO_STREAMS_PATH);
strcat(path, display);
---------------------------
Function : open_att_svr4_local
...
char path[64];
...
strcpy(path, AUDIO_NSTREAMS_PATH);
strcat(path, display);
========================================================================
Buffer overflow can happen when using getenv and not checking its size
File : server/os/connection.c
Function : CreateWellKnownSockets
...
char host[100];
...
if (AuServerHostName == NULL)
AuServerHostName = getenv("AUDIOHOST");
...
sprintf(host, "%s/%s:%s", DEF_AUSVRDIR, AuServerHostName,
0 /* port */ );
---------------------------
Function : AmoebaTCPConnectorThread
...
char name[BUFSIZ];
...
sprintf(name, "%s/%s", TCP_SVR_NAME, AuTcpServerName);
========================================================================
Heap overflow may happen when using getenv and not checking its size
File : server/os/connection.c
Function : AmoebaConnectorThread
...
if ((repb = (char *) malloc(REPLY_BUFSIZE)) == NULL)
...
case STD_INFO:
rep.h_status = STD_OK;
sprintf(repb, "audio server on %s", AuServerHostName);
...
========================================================================
Format string vulnerability may occur from misusing functions like syslog
File : server/os/aulog.c: +40
Function : osLogMsg
...
openlog("nas", LOG_PID, LOG_DAEMON);
syslog(LOG_DEBUG, buf); // possible format string vulnerability; use syslog(LOG_DEBUG, "%s", buf)
closelog();
========================================================================
Possible buffer overflow may occur when the size of the buffer is not checked.
File : server/os/aulog.c: +27
Function : osLogMsg
...
static char buf[LOG_BUFSIZE];
...
(void) vsprintf(buf, fmt, ap); // it's highly recommended to use functions like vsnprintf
========================================================================
Possible Race Condition and symlink attack:
File : server/os/connection.c
tcp_dev = getenv("TCP_DEVICE"); // Need check
if (tcp_dev == NULL)
tcp_dev = TCP_DEVICE;
fd = open(tcp_dev, O_RDWR); // O_RDWR => results in corrupting data
========================================================================
---
Regards,
Hamid Zamani (a.k.a HAMIDx9)
Ashiyane Digital Security Team
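The bounded versions of the ResetHosts path construction and the osLogMsg formatting described in the report above, as an added example that is not code from nas or from the reporter; the digits-only display policy and the MAX_DISPLAY_LEN limit are assumptions made here, not requirements taken from nas:

```c
/* Added example, not code from nas or from this report. The display argument
 * is attacker-controlled: ResetHosts builds "/etc/X<display>.hosts" into char
 * fname[32] with strcpy/strcat. Here an input check plus snprintf with a
 * truncation test replace that, and bounded vsnprintf replaces osLogMsg's vsprintf. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>

#define MAX_DISPLAY_LEN 8   /* assumed policy: digits with at most one '.' */

static int display_is_valid(const char *display)
{
    size_t len = strlen(display), i;
    int dots = 0;
    if (len == 0 || len > MAX_DISPLAY_LEN || !isdigit((unsigned char)display[0]))
        return 0;
    for (i = 0; i < len; i++) {
        if (display[i] == '.')
            dots++;
        else if (!isdigit((unsigned char)display[i]))
            return 0;
    }
    return dots <= 1 && display[len - 1] != '.';
}

/* Returns 0 and fills out on success; -1 (with out emptied) if display is
 * invalid or the path would not fit in outsz bytes. */
int build_hosts_path(const char *display, char *out, size_t outsz)
{
    int n = -1;
    if (display_is_valid(display))
        n = snprintf(out, outsz, "/etc/X%s.hosts", display);
    if (n < 0 || (size_t)n >= outsz) {  /* snprintf returns the untruncated length */
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bounded replacement for vsprintf(buf, fmt, ap) in osLogMsg; the caller then
 * logs with syslog(LOG_DEBUG, "%s", buf) so buf is never parsed as a format. */
int format_log_line(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}
```

The 200-byte display from the PoC above is rejected before any path is built, and a log message containing conversion specifiers is stored literally rather than interpreted.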