[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Erik Auerswald auerswal at unix-ag.uni-kl.de
Mon Aug 12 05:20:36 MDT 2013


Hi,

On Sun, Aug 11, 2013 at 10:09:13AM +0430, Hamid Zamani wrote:
> On 08/10/2013 10:08 PM, Erik Auerswald wrote:
> > I do not know how to determine if a given string is a valid or invalid TCP
> > device on Minix.
> > 
> 
> On Minix I checked the /dev/tcp:
> 
> # ls -la /dev/tcp*
> crw-rw-rw- ... /dev/tcp
> crw-rw-rw- ... /dev/tcp0
> 
> So checking validation can be done as checking the string to be a `valid
> Character special file`.
> 
> I think just using a stat struct does the trick. ;)
> 
> ===
>      if (status.st_mode & S_IFCHR)
>          do so ...
> ===
> 
> Of course a symlink may be used to attack (a little stricture ;-) ) but I
> think it is a better choice than leaving it.

I have searched for Minix docs and it seems to me that the TCP device name
should always start with /dev/tcp. Using a numbered TCP device chooses the
respective network interface, no number chooses the default network
interface.

I would suggest to check if the string in the environment variable starts
with /dev/tcp. WDYT?

Should we check that the device name does not contain any /../ parts
as well? Possibly reject anything but digits after the initial /dev/tcp?

Links:
http://www.minix3.org/manpages/html4/ip.html
http://www.minix-vmd.org/pub/minix/2.0.0/manuals/CAT8/S_N_D.8
http://www.minix3.org/manpages/html8/inet.html

Thanks,
Erik
-- 
Anyone can do any amount of work provided it isn't the work he is supposed
to be doing at the moment.
                        -- Robert Benchley

