[nas] nas: Multiple Vulnerabilities in nas 1.9.3
Hamid Zamani
me at hamidx9.ir
Sat Aug 10 09:38:21 MDT 2013
Hi,
On 08/10/2013 01:51 AM, Erik Auerswald wrote:
> See the attached patch for replacing unsafe uses of (v)sprintf and
> strc(py|at) with the respective n-versions.
>
> Anyone, please test and review the patch. Are the n-versions widely
> available? Do we care about systems not providing them? Can we use
> configure to check availability of them?
I tested the patch and updated the sources. Everything looks good.
At this time it seems most systems provide these functions, but
because of the system variety in nas, I think dependency checking is
recommended.
I believe that this is completely possible in `autoconf` and I think it
should be done as a REQUIREMENT.
> If the attached patch is OK there is still one issue open from your list:
>
> --- begin quote ---
> ========================================================================
> Possible Race Condition and symlink attack:
>
> os/connection.c:
>
> tcp_dev = getenv("TCP_DEVICE"); // Need check
> if (tcp_dev == NULL)
> tcp_dev = TCP_DEVICE;
>
> fd = open(tcp_dev, O_RDWR); // O_RDWR => results corrupting data
> --- end quote ---
>
> The NAS clients have instances of unsafe string functions as well. That
> should be audited... any volunteers?
>
We should always check the getenv output and can't trust it.
Erik, should we get these from the env? At least the program's args are a
better choice, of course if I know the code correctly.
I've just started checking the clients' code and it seems there are some
other flaws. I'll send them soon.
--
Regards,
Hamid Zamani (aka HAMIDx9)
Ashiyane Digital Security Team
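The getenv()/open() sequence quoted above, reworked as an added example (mine, not nas code): the environment value is validated before use, the open refuses to follow a symlink, and the character-device check is made on the opened descriptor rather than on the path. The function names and the TCP_DEVICE default are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* O_NOFOLLOW / O_CLOEXEC on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TCP_DEVICE "/dev/null"   /* placeholder default, not nas's real value */
/* Accept the environment override only as a non-empty absolute path, else use
 * the default. (A setuid binary should use secure_getenv() or ignore it.) */
const char *tcp_device_path(const char *env_value)
{
    return (env_value != NULL && env_value[0] == '/') ? env_value : TCP_DEVICE;
}

/* Open without following a final symlink, then verify on the opened fd (not
 * the path, which would reintroduce the race) that it is a character device.
 * Returns the fd, or -1 with errno set. */
int open_tcp_device(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                   /* ELOOP when path is a symlink */
    if (fstat(fd, &st) < 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENODEV;                      /* regular file, FIFO, ... */
        return -1;
    }
    return fd;
}

/* Self-check with constructed inputs: a temporary regular file and a symlink
 * to /dev/null must both be rejected. Returns 1 when they are. */
int rejects_file_and_symlink(void)
{
    char file[] = "/tmp/nas_devXXXXXX", lnk[64];
    int fd = mkstemp(file), ok;
    if (fd < 0) return 0;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    ok = symlink("/dev/null", lnk) == 0;
    ok = ok && open_tcp_device(file) == -1 && open_tcp_device(lnk) == -1;
    unlink(lnk); unlink(file);
    return ok;
}
```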