[nas] nas: Multiple Vulnerabilities in nas 1.9.3
Jon Trulson
jon at radscan.com
Mon Aug 12 11:28:50 MDT 2013
On Mon, 12 Aug 2013, Erik Auerswald wrote:
> Hi,
>
> On Sun, Aug 11, 2013 at 10:09:13AM +0430, Hamid Zamani wrote:
>> On 08/10/2013 10:08 PM, Erik Auerswald wrote:
>>> I do not know how to determine if a given string is a valid or invalid TCP
>>> device on Minix.
>>>
>>
>> On Minix I checked the /dev/tcp:
>>
>> # ls -la /dev/tcp*
>> crw-rw-rw- ... /dev/tcp
>> crw-rw-rw- ... /dev/tcp0
>>
>> So checking validation can be done as checking the string to be a `valid
>> Character special file`.
>>
>> I think just using a stat struct does the trick. ;)
>>
>> ===
>> if (S_ISCHR(status.st_mode)) /* tests the whole file-type field; a bare & S_IFCHR also matches block devices */
>> do so ...
>> ===
>>
>> Of course a symlink may be used to attack (a little stricture ;-) ) but I
>> think it is a better choice than leaving it.
>
> I have searched for Minix docs and it seems to me that the TCP device name
> should always start with /dev/tcp. Using a numbered TCP device chooses the
> respective network interface, no number chooses the default network
> interface.
>
> I would suggest to check if the string in the environment variable starts
> with /dev/tcp. WDYT?
>
> Should we check that the device name does not contain any /../ parts
> as well? Possibly reject anything but digits after the initial /dev/tcp?
>
Could you just check for a number instead? I.e.: Instead of TCP_DEVICE,
use something like TCP_DEVNUM, which if set, is expected to be some
(smallish) integer that can be tacked onto /dev/tcp in the code...?
--
Jon Trulson
"I was not genomed to alter reality."
- Sonmi 451
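
The number-only approach suggested above, combined with the character-device and symlink concerns raised earlier in the thread, as an added example (not code from nas or from anyone in this thread). `TCP_DEVNUM` is the hypothetical variable name from the message; the function names and the upper bound of 255 are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for lstat() */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

#define TCP_DEV_PREFIX "/dev/tcp"
#define MAX_TCP_DEVNUM 255UL   /* assumed bound for "smallish"; not from the thread */

/* Build the device path from a digits-only value such as getenv("TCP_DEVNUM").
 * NULL or "" selects the default device. Returns 0 on success, -1 on reject. */
int tcp_device_from_num(const char *num, char *out, size_t outlen)
{
    int len;

    if (num == NULL || *num == '\0') {
        len = snprintf(out, outlen, "%s", TCP_DEV_PREFIX);
    } else {
        unsigned long n;
        /* strtoul() skips spaces and takes a sign, so demand digits only. */
        for (const char *p = num; *p != '\0'; p++)
            if (!isdigit((unsigned char)*p))
                return -1;
        errno = 0;
        n = strtoul(num, NULL, 10);
        if (errno != 0 || n > MAX_TCP_DEVNUM)   /* ERANGE or too large */
            return -1;
        len = snprintf(out, outlen, "%s%lu", TCP_DEV_PREFIX, n);
    }
    return (len < 0 || (size_t)len >= outlen) ? -1 : 0;   /* no truncated paths */
}

/* 1 if path is a character special file and not a symlink, else 0.
 * lstat() does not follow links; S_ISCHR() compares the whole type field. */
int is_char_device_nofollow(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISCHR(st.st_mode);
}

int main(void)
{
    char path[32];   /* sample run: TCP_DEVNUM=0 ./a.out */
    if (tcp_device_from_num(getenv("TCP_DEVNUM"), path, sizeof path) != 0)
        return 1;    /* rejected value: do not open anything */
    printf("%s: %s\n", path, is_char_device_nofollow(path) ? "ok" : "not usable");
    return 0;
}
```

Because the environment supplies only digits, a value containing `/`, `..`, a sign or whitespace is rejected before any path is built, and the `lstat()` check runs only on a path the program composed itself.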