[nas] nas: Multiple Vulnerabilities in nas 1.9.3
Erik Auerswald
auerswal at unix-ag.uni-kl.de
Fri Aug 9 15:21:37 MDT 2013
Hi,
On Fri, Aug 09, 2013 at 03:52:56AM +0430, Hamid Zamani wrote:
> On 08/09/2013 01:03 AM, Erik Auerswald wrote:
> > I have a first step in tackling the first reported problem, i.e. buffer
> > overflow with illegal ':listen port offset' argument. Nasd should ignore
> > obviously wrong listen port offset values. See the attached patch.
That is committed to svn (extended to ignore negative values).
> > The various string functions should still be changed to not overflow the
> > given buffers irrespective of input.
See the attached patch for replacing unsafe uses of (v)sprintf and
strc(py|at) with the respective n-versions.
Anyone, please test and review the patch. Are the n-versions widely
available? Do we care about systems not providing them? Can we use
configure to check availability of them?
> [...]
> > This has been fixed already in svn revision r285 on 2012-01-22. There has
> > been no NAS release with this fix yet.
>
> Yes, you are right. Sorry for that.
It was correct to report the problem, because it is not fixed in any
released version yet. I have just mentioned this so we can track the open
issues.
If the attached patch is OK there is still one issue open from your list:
--- begin quote ---
========================================================================
Possible Race Condition and symlink attack:
os/connection.c:
    tcp_dev = getenv("TCP_DEVICE"); // Need check
    if (tcp_dev == NULL)
        tcp_dev = TCP_DEVICE;
    fd = open(tcp_dev, O_RDWR); // O_RDWR => results corrupting data
--- end quote ---
The NAS clients have instances of unsafe string functions as well. That
should be audited... any volunteers?
Thanks,
Erik
--
http://www.unix-ag.uni-kl.de/~auerswal/
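An added example (not part of the original mail, not nasd's code and not the attached patch) of the two changes discussed above: ignoring obviously wrong ":listen port offset" values, and replacing unbounded (v)sprintf/strcpy/strcat with the n-versions. BASE_PORT, the buffer sizes and the function names are assumptions; the point is the traps that come with the n-functions, which a review of the patch should look for: strncpy does not NUL-terminate a full buffer, strncat's count is the remaining space rather than the buffer size, and snprintf's return value must be compared against the space that was available.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical values: nasd's real base port and buffer sizes are not on the page. */
#define BASE_PORT 8000
#define MAX_PORT  65535

/* Parse a ":listen port offset" argument. Accepts only a whole, non-negative
 * number that keeps BASE_PORT + offset inside the TCP port range. Returns 1
 * and stores the offset on success, 0 if the value should be ignored. */
int parse_listen_offset(const char *arg, int *offset)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return 0;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0')    /* overflow, or trailing junk */
        return 0;
    if (v < 0)                         /* negative offsets are ignored */
        return 0;
    if (v > MAX_PORT - BASE_PORT)      /* would leave the port range */
        return 0;
    *offset = (int)v;
    return 1;
}

/* Convenience wrapper: the accepted offset, or -1 when it was rejected. */
int offset_or_minus1(const char *arg)
{
    int off;
    return parse_listen_offset(arg, &off) ? off : -1;
}

/* The pattern being replaced: none of these calls know how big dst is, so a
 * long host name writes past the end of the buffer. Kept only for contrast. */
void format_unbounded(char *dst, const char *host, int port)
{
    strcpy(dst, host);
    strcat(dst, ":");
    sprintf(dst + strlen(dst), "%d", port);
}

/* Bounded replacement. Returns 0 on success, -1 if "host:port" does not fit. */
int format_bounded(char *dst, size_t dstsz, const char *host, int port)
{
    size_t used, avail;
    int n;

    if (dstsz == 0)
        return -1;
    /* strncpy copies at most dstsz-1 bytes but adds no NUL when the source is
     * that long: terminate explicitly and treat a shortened copy as an error. */
    strncpy(dst, host, dstsz - 1);
    dst[dstsz - 1] = '\0';
    if (strlen(dst) != strlen(host))
        return -1;
    /* strncat's count is the room left after the current string and its NUL,
     * not the buffer size; passing dstsz here would overflow. */
    used = strlen(dst);
    if (dstsz - used - 1 < 1)          /* no room for ":" */
        return -1;
    strncat(dst, ":", dstsz - used - 1);
    /* snprintf never writes past avail, but returns the length the full output
     * would have had; n >= avail means the port was cut off. */
    used = strlen(dst);
    avail = dstsz - used;
    n = snprintf(dst + used, avail, "%d", port);
    if (n < 0 || (size_t)n >= avail)
        return -1;
    return 0;
}

/* Check helper: formats "localhost:<port>" into a dstsz-byte buffer. Returns 1
 * if it fit and equals expect, 0 if format_bounded refused, -1 on mismatch. */
int try_format(size_t dstsz, int port, const char *expect)
{
    char buf[64];

    if (dstsz > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);      /* makes a missing NUL visible */
    if (format_bounded(buf, dstsz, "localhost", port) != 0)
        return 0;
    return strcmp(buf, expect) == 0 ? 1 : -1;
}

int main(void)
{
    char buf[32];

    printf("offset -1 -> %d (rejected)\n", offset_or_minus1("-1"));
    if (format_bounded(buf, sizeof buf, "localhost", BASE_PORT + 5) == 0)
        printf("%s\n", buf);
    if (format_bounded(buf, 12, "localhost", BASE_PORT + 5) != 0)
        printf("12-byte buffer: too small, refused\n");
    return 0;
}
```

Note that a single snprintf of "%s:%d" with a checked return value would replace all three calls; the version above keeps the three steps so that each n-function's caveat is visible next to the call it belongs to.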
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nasd-use_snprintf_strncpy_strncat.patch
Type: text/x-diff
Size: 11832 bytes
Desc: not available
URL: <http://radscan.com/pipermail/nas/attachments/20130809/c99571f2/attachment.patch>
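For the issue that is still open, the quoted open() of the TCP_DEVICE path, here is an added example of the checks the report asks for (not nasd's code, not the attached patch, and not a fix the project has adopted; the TCP_DEVICE default and the function names are assumptions). It honours an environment override only when it looks like an absolute path without ".." components, refuses to follow a symlink at the final component, and verifies after opening that the descriptor really is a character device, so a planted symlink or regular file at the path cannot be written to as if it were the device.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical default; the real TCP_DEVICE value in os/connection.c is not on the page. */
#ifndef TCP_DEVICE
#define TCP_DEVICE "/dev/tcp"
#endif

/* Choose the device path: an environment override is used only when it is an
 * absolute path with no ".." component; anything else falls back to the default. */
const char *tcp_device_path(const char *env_value)
{
    size_t len;

    if (env_value == NULL || env_value[0] != '/')
        return TCP_DEVICE;
    if (strstr(env_value, "/../") != NULL)
        return TCP_DEVICE;
    len = strlen(env_value);
    if (len >= 3 && strcmp(env_value + len - 3, "/..") == 0)
        return TCP_DEVICE;
    return env_value;
}

/* Open the device without following a symlink at the last component, then
 * confirm the opened object is a character device before handing it back.
 * Returns the fd, or -1 with errno set (EINVAL when it is not a char device). */
int open_tcp_device(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NOCTTY);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    if (!S_ISCHR(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Self-check that needs no real device: a regular file and a symlink pointing at
 * it must both be refused. Returns 1 when both are refused, 0 otherwise. */
int refuses_non_device(void)
{
    char tmpl[] = "/tmp/nas-devcheck-XXXXXX";   /* constructed scratch file */
    char link[64];
    int ok = 1;
    int tfd = mkstemp(tmpl);

    if (tfd < 0)
        return 0;
    close(tfd);
    snprintf(link, sizeof link, "%s.lnk", tmpl);
    if (open_tcp_device(tmpl) != -1 || errno != EINVAL)     /* regular file */
        ok = 0;
    if (symlink(tmpl, link) == 0) {
        if (open_tcp_device(link) != -1 || errno != ELOOP)  /* symlink refused */
            ok = 0;
        unlink(link);
    } else {
        ok = 0;
    }
    unlink(tmpl);
    return ok;
}

int main(void)
{
    const char *path = tcp_device_path(getenv("TCP_DEVICE"));
    int fd = open_tcp_device(path);

    printf("%s: %s\n", path, fd >= 0 ? "opened as a character device" : strerror(errno));
    if (fd >= 0)
        close(fd);
    printf("regular file and symlink refused: %s\n", refuses_non_device() ? "yes" : "no");
    return 0;
}
```

Checking S_ISCHR on the descriptor (fstat) rather than on the path (stat) matters: a path check followed by open() is exactly the window a race would use, while the descriptor check describes the object that was actually opened.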