[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Jon Trulson jon at radscan.com
Tue Aug 13 12:45:33 MDT 2013

On Tue, 13 Aug 2013, Erik Auerswald wrote:

> Hi,
> On Tue, Aug 13, 2013 at 04:07:33PM +0200, Erik Auerswald wrote:
>> On Mon, Aug 12, 2013 at 11:28:50AM -0600, Jon Trulson wrote:
>>> On Mon, 12 Aug 2013, Erik Auerswald wrote:
>>>> On Sun, Aug 11, 2013 at 10:09:13AM +0430, Hamid Zamani wrote:
>>>>> On 08/10/2013 10:08 PM, Erik Auerswald wrote:
>>>>>> I do not know how to determine if a given string is a valid or invalid TCP
>>>>>> device on Minix.
>>>>> on Minix i checked the /dev/tcp :
>>> Could you just check for a number instead?  Ie: Instead of TCP_DEVICE,
>>> use something like TCP_DEVNUM, which if set, is expected to be some
>>> (smallish) integer that can be tacked onto /dev/tcp in the code...?
>> Do you have any references to TCP_DEVNUM? Quick googling did not turn
>> up anything. I suppose that would be new, special environment variable
>> just for nasd on Minix.

No, it was something I just made up - I should have read that page in
more detail - TCP_DEVICE is actually needed.  As you can see, I don't
use Minix :)

>> I do not like to change from the usual TCP_DEVICE (see
>> http://www.minix3.org/manpages/html4/ip.html) to something
>> special just for NAS. I do not know if anybody at all uses NAS on Minix and
>> I don't even compile the code in question (because of #ifdef).
>> My research so far hints at TCP/IP devices having major 7
>> (http://www.minix-vmd.org/pub/Minix-vmd/1.7.0/cat/cat4/dev.4), which could
>> be checked as well if it still holds.
>> Currently, Minix seems to be restricted to a maximum of 16 network devices,
>> so /dev/tcp{,{0..15}} should describe the legal values for TCP_DEVICE.
>> (see http://www.minix3.org/manpages/html8/inet.html)
>> Anyway, the first the current code tries to do with the opened TCP_DEVICE
>> is to an ioctl() call. If that fails, the file descriptor is closed. As
>> long as ioctl() is not exploitable, this does not constitute a
>> vulnerability.
>> A sanity check of program input, in this case from an environment variable,
>> is prudent. Verifying a prefix of "/dev/tcp" would go a long way.
> How about the following patch?

I think this patch should be fine.  If someone can play a symlink
attack here, then they already have root access and all is lost
already :)

> ---8<---
> Index: server/os/connection.c
> ===================================================================

Jon Trulson

   "I was not genomed to alter reality."
       - Sonmi 451

More information about the nas mailing list