[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Hamid Zamani me at hamidx9.ir
Sat Aug 10 09:38:21 MDT 2013


On 08/10/2013 01:51 AM, Erik Auerswald wrote:
> See the attached patch for replacing unsafe uses of (v)sprintf and
> strc(py|at) with the respective n-versions.
> Anyone, please test and review the patch. Are the n-versions widely
> available? Do we care about systems not providing them? Can we use
> configure to check availability of them?

I tested the patch and updated the sources. Everything looks good.

At this time it seems most systems provide these functions, but
because of the system variety in nas, I think dependency checking is

I believe that this is completely possible in `autoconf` and I think it
should be done as a REQUIREMENT.

> If the attached patch is OK there is still one issue open from your list:
> --- begin quote ---
> ========================================================================    
> Possible Race Condition and symlink attack:
> os/connection.c:
>     tcp_dev = getenv("TCP_DEVICE"); // Need check 
>     if (tcp_dev == NULL)
>         tcp_dev = TCP_DEVICE;
>     fd = open(tcp_dev, O_RDWR); // O_RDWR => results corrupting data 
> --- end quote ---
> The NAS clients have instances of unsafe string functions as well. That
> should be audited... any volunteers?

We should always check the getenv output and can't trust it.

Erik, should we get these from env? At least the program's args are a better
choice, of course if I knew the code correctly.

I've just started checking the clients' code and it seems there are some
other flaws. I'll send them soon.

Hamid Zamani (aka HAMIDx9)
Ashiyane Digital Security Team
