[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Erik Auerswald auerswal at unix-ag.uni-kl.de
Tue Aug 13 08:07:33 MDT 2013


Hi,

On Mon, Aug 12, 2013 at 11:28:50AM -0600, Jon Trulson wrote:
> On Mon, 12 Aug 2013, Erik Auerswald wrote:
>> On Sun, Aug 11, 2013 at 10:09:13AM +0430, Hamid Zamani wrote:
>>> On 08/10/2013 10:08 PM, Erik Auerswald wrote:
>>>> I do not know how to determine if a given string is a valid or invalid TCP
>>>> device on Minix.
>>>
>>> on Minix i checked the /dev/tcp :
>>>
>>> # ls -la /dev/tcp*
>>> crw-rw-rw- ... /dev/tcp
>>> crw-rw-rw- ... /dev/tcp0
>>>
>>> So validation can be done by checking that the string is a `valid
>>> character special file`.
>>>
>>> I think just using a stat struct does the trick. ;)
>>>
>>> ===
>>>      /* S_ISCHR tests the whole file-type field; a bare (st_mode & S_IFCHR)
>>>         is also non-zero for block devices and symlinks */
>>>      if (S_ISCHR(status.st_mode))
>>>          do so ...
>>> ===
>>>
>>> Of course a symlink may be used to attack (a little stricture ;-) ) but I
>>> think it is a better choice than leaving it.
>>
>> I have searched for Minix docs and it seems to me that the TCP device name
>> should always start with /dev/tcp. Using a numbered TCP device chooses the
>> respective network interface, no number chooses the default network
>> interface.
>>
>> I would suggest to check if the string in the environment variable starts
>> with /dev/tcp. WDYT?
>>
>> Should we check that the device name does not contain any /../ parts
>> as well? Possibly reject anything but digits after the initial /dev/tcp?
>
> Could you just check for a number instead?  I.e.: instead of TCP_DEVICE,
> use something like TCP_DEVNUM, which if set, is expected to be some
> (smallish) integer that can be tacked onto /dev/tcp in the code...?

Do you have any references to TCP_DEVNUM? Quick googling did not turn
up anything. I suppose that would be a new, special environment variable
just for nasd on Minix.

I do not like to change from the usual TCP_DEVICE (see
http://www.minix3.org/manpages/html4/ip.html) to something
special just for NAS. I do not know if anybody at all uses NAS on Minix and
I don't even compile the code in question (because of #ifdef).

My research so far hints at TCP/IP devices having major 7
(http://www.minix-vmd.org/pub/Minix-vmd/1.7.0/cat/cat4/dev.4), which could
be checked as well if it still holds.

Currently, Minix seems to be restricted to a maximum of 16 network devices,
so /dev/tcp{,{0..15}} should describe the legal values for TCP_DEVICE.
(see http://www.minix3.org/manpages/html8/inet.html)

Anyway, the first thing the current code tries to do with the opened
TCP_DEVICE is an ioctl() call. If that fails, the file descriptor is closed.
As long as ioctl() is not exploitable, this does not constitute a
vulnerability.

A sanity check of program input, in this case from an environment variable,
is prudent. Verifying a prefix of "/dev/tcp" would go a long way.

Thanks,
Erik
-- 
If it ain't broke, don't fix it.
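The check discussed in this thread, written out as an added example (this is illustration code for this page, not code from the nas project or from any of the posters). It assumes, as the thread does, that the legal values of TCP_DEVICE are exactly /dev/tcp and /dev/tcp0 .. /dev/tcp15; the upper bound TCP_DEV_MAX is an assumption taken from the inet(8) limit mentioned above, and the function and macro names are the example's own. The syntactic check alone already excludes "/../" and any other path component, because after the fixed prefix only a small decimal number is accepted; the lstat()-based character-special check from the thread is kept as a separate, optional function since it can only be exercised on a Minix host.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define TCP_DEV_PREFIX "/dev/tcp"
#define TCP_DEV_MAX    15   /* assumption: inet(8) allows 16 network devices */

/* Syntactic validation of a Minix TCP device name.
 * Returns 1 if name is "/dev/tcp" optionally followed by a decimal number
 * in 0..TCP_DEV_MAX without leading zeros, 0 otherwise.  Since only digits
 * may follow the prefix, "/dev/tcp/../etc/passwd" or "/dev/tcp0/" cannot
 * pass, so no separate "/../" scan is needed. */
int tcp_device_name_ok(const char *name)
{
    const char *p;
    long n = 0;

    if (name == NULL)
        return 0;
    if (strncmp(name, TCP_DEV_PREFIX, strlen(TCP_DEV_PREFIX)) != 0)
        return 0;
    p = name + strlen(TCP_DEV_PREFIX);
    if (*p == '\0')
        return 1;                  /* plain /dev/tcp: default interface */
    if (*p == '0' && p[1] != '\0')
        return 0;                  /* /dev/tcp01 is not a device node */
    for (; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return 0;
        n = n * 10 + (*p - '0');
        if (n > TCP_DEV_MAX)
            return 0;              /* /dev/tcp16 and beyond do not exist */
    }
    return 1;
}

/* Optional runtime check from the thread: the name must be a character
 * special file.  lstat() is used deliberately so that a symlink placed
 * under a legal-looking name is rejected instead of followed.  Returns 1
 * if the path is a character device, 0 otherwise (including ENOENT). */
int tcp_device_is_char_special(const char *name)
{
    struct stat st;

    if (lstat(name, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

/* Pick the device name nasd should open: the environment value if it
 * passes the syntactic check, otherwise the default.  On a Minix host the
 * caller would additionally require tcp_device_is_char_special(). */
const char *choose_tcp_device(const char *env_value)
{
    if (env_value != NULL && tcp_device_name_ok(env_value))
        return env_value;
    return TCP_DEV_PREFIX;
}

int main(void)
{
    /* Constructed sample inputs, including the hostile shapes discussed. */
    static const char *samples[] = {
        "/dev/tcp", "/dev/tcp0", "/dev/tcp15", "/dev/tcp16",
        "/dev/tcp01", "/dev/tcp/../../etc/passwd", "/dev/tcpx",
        "/tmp/evil", "/dev/tcp0 ", NULL
    };
    int i;

    for (i = 0; samples[i] != NULL; i++)
        printf("%-28s -> %s\n", samples[i],
               tcp_device_name_ok(samples[i]) ? "accept" : "reject");
    printf("device to open: %s\n", choose_tcp_device(getenv("TCP_DEVICE")));
    return 0;
}
```

The prefix check alone, as suggested in the mail, would still let "/dev/tcp/../../tmp/x" through; restricting the suffix to a bounded number is what closes that, and it costs nothing because the legal device names are all of that form.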
