[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Erik Auerswald auerswal at unix-ag.uni-kl.de
Sat Aug 10 11:38:15 MDT 2013


Hi,

On 08/10/2013 05:38 PM, Hamid Zamani wrote:
> On 08/10/2013 01:51 AM, Erik Auerswald wrote:
>> See the attached patch for replacing unsafe uses of (v)sprintf and
>> strc(py|at) with the respective n-versions.
>>
>> Anyone, please test and review the patch. Are the n-versions widely
>> available? Do we care about systems not providing them? Can we use
>> configure to check availability of them?
>
> I tested the patch and updated the sources. Everything looks good.

Thanks for testing!

> At this time it seems most systems provide these functions, but
> because of the system variety in nas, I think dependency checking is
> recommended.
>
> I believe that this is completely possible in `autoconf` and I think it
> should be done as a REQUIREMENT.
>
>> If the attached patch is OK there is still one issue open from your list:
>>
>> --- begin quote ---
>> ========================================================================
>> Possible Race Condition and symlink attack:
>>
>> os/connection.c:
>>
>>      tcp_dev = getenv("TCP_DEVICE"); // Need check
>>      if (tcp_dev == NULL)
>>          tcp_dev = TCP_DEVICE;
>>
>>      fd = open(tcp_dev, O_RDWR); // O_RDWR => results corrupting data
>> --- end quote ---
>>
>> The NAS clients have instances of unsafe string functions as well. That
>> should be audited... any volunteers?
>>
>
> We should always check the getenv output and can't trust it.
>
> Erik, should we get these from env? At least the program's arg is a better
> choice. Of course, if I knew the code correctly.

Well, that is a bit tricky...

The code in question is used on Minix only. This seems to be a Minix 
idiom for opening a TCP connection (see 
http://www.cise.ufl.edu/~cop4600/cgi-bin/lxr/http/ident.cgi?i=tcp_device 
or http://users.sosdg.org/~qiyong/mxr/ident?i=TCP_DEVICE).

On Minix, TCP_DEVICE is #defined to "/dev/tcp" (see 
http://users.sosdg.org/~qiyong/mxr/source/include/net/netlib.h#L11). I 
do not know how to determine if a given string is a valid or invalid TCP 
device on Minix.

I am inclined to either leave this as is, or comment out the getenv() 
call and always use 'tcp_dev = TCP_DEVICE'. The latter is safe, but 
might break some usage. The former might be a risk every Minix user is 
aware of and willing to take.

Is there anybody using NAS on Minix out there? If so, please speak up!

> I've just started checking the clients' code and it seems there are some
> other flaws. I'll send them soon.

Thanks,
Erik
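The two concerns raised in this thread (trusting a getenv() value for the device path, and replacing unsafe sprintf/strcpy calls with length-checked versions) can be handled together. The following is an added example written for this archive page, not code from the nas project or from either poster. It assumes TCP_DEVICE is the compile-time default ("/dev/tcp" on Minix, per netlib.h), that an environment override is only acceptable when it is an absolute path under /dev/ with no ".." component, and that the platform provides O_NOFOLLOW (it degrades to a plain open where it does not). resolve_tcp_device() and open_tcp_device() are hypothetical names.

```c
/* Added example, not nas project code: validate a user-supplied device
 * name before opening it, and build the path with a truncation check. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef TCP_DEVICE
#define TCP_DEVICE "/dev/tcp"   /* Minix default from <net/netlib.h> (assumption for other platforms) */
#endif

/* Not every platform defines these flags; fall back to no-op values. */
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0
#endif
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif

/* Pick the device name to use.
 * env_value: the result of getenv("TCP_DEVICE"), possibly NULL or empty.
 * Returns 0 and fills 'out' on success, -1 if the override was rejected
 * or the path did not fit in 'out' (the caller should fail loudly rather
 * than silently use a truncated or attacker-chosen path). */
int resolve_tcp_device(const char *env_value, char *out, size_t outlen)
{
    const char *candidate = TCP_DEVICE;

    if (env_value != NULL && env_value[0] != '\0') {
        /* Accept only absolute names under /dev/ without ".." components. */
        if (strncmp(env_value, "/dev/", 5) != 0 || strstr(env_value, "..") != NULL)
            return -1;
        candidate = env_value;
    }

    /* snprintf instead of strcpy: check for truncation instead of assuming the buffer fits. */
    int n = snprintf(out, outlen, "%s", candidate);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Open the resolved device. O_RDWR is kept because a TCP device needs both
 * directions; O_NOFOLLOW refuses a symlink at the final path component so a
 * planted link cannot redirect the open to another file. */
int open_tcp_device(const char *env_value)
{
    char path[64];

    if (resolve_tcp_device(env_value, path, sizeof path) != 0) {
        errno = EINVAL;
        return -1;
    }
    return open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
}

int main(void)
{
    char path[64];

    /* Show what would be opened for the current environment. */
    if (resolve_tcp_device(getenv("TCP_DEVICE"), path, sizeof path) == 0)
        printf("would open %s\n", path);
    else
        printf("TCP_DEVICE rejected, refusing to open\n");
    return 0;
}
```

Rejecting an invalid override rather than silently falling back to the default keeps the failure visible to the user who set the variable; whether a given name under /dev/ really is a TCP device is still something only the Minix side can decide, as noted above.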
