[nas] nas: Multiple Vulnerabilities in nas 1.9.3

Hamid Zamani me at hamidx9.ir
Sat Aug 10 09:38:21 MDT 2013


Hi,

On 08/10/2013 01:51 AM, Erik Auerswald wrote:
> See the attached patch for replacing unsafe uses of (v)sprintf and
> strc(py|at) with the respective n-versions.
> 
> Anyone, please test and review the patch. Are the n-versions widely
> available? Do we care about systems not providing them? Can we use
> configure to check availability of them?

I tested the patch and updated the sources. Everything looks good.

At this time it seems most systems provide these functions, but
because of the system variety in nas, I think dependency checking is
recommended.

I believe that this is completely possible in `autoconf` and I think it
should be done as a REQUIREMENT.

> If the attached patch is OK there is still one issue open from your list:
> 
> --- begin quote ---
> ========================================================================
> Possible Race Condition and symlink attack:
> 
> os/connection.c:
> 
>     tcp_dev = getenv("TCP_DEVICE"); // Need check
>     if (tcp_dev == NULL)
>         tcp_dev = TCP_DEVICE;
> 
>     fd = open(tcp_dev, O_RDWR); // O_RDWR => results corrupting data
> --- end quote ---
> 
> The NAS clients have instances of unsafe string functions as well. That
> should be audited... any volunteers?
> 

We should always check the getenv output and can't trust it.

Erik, should we get these from env? At least the program's arg is a better
choice, of course, if I knew the code correctly.

I've just started checking the clients' code and it seems there are some
other flaws. I'll send them soon.


-- 
Regards,
Hamid Zamani (aka HAMIDx9)
Ashiyane Digital Security Team
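An added example, not code from the nas tree or from Erik's patch, of how the getenv/open step quoted above can be validated: the env value is checked before use, copied with a bounded truncation-checked call instead of strcpy, and the device is opened without following a symlink at the final path component. The names resolve_tcp_device, open_tcp_device and DEFAULT_TCP_DEVICE are hypothetical, and the default path is a placeholder.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Placeholder default; nas's real TCP_DEVICE value is not shown on the page. */
#define DEFAULT_TCP_DEVICE "/dev/tcp-device"
#define DEV_PATH_MAX 256

/* Validate a device path taken from the environment (hypothetical helper).
 * A NULL or empty value falls back to the compiled-in default. Anything else
 * must be an absolute path under /dev/ with no ".." component, and must fit
 * the caller's buffer: snprintf truncation is treated as an error rather than
 * silently producing a different path. Returns 0 on success, -1 on rejection. */
int resolve_tcp_device(const char *env_val, char *out, size_t out_len)
{
    const char *cand = (env_val == NULL || env_val[0] == '\0')
                           ? DEFAULT_TCP_DEVICE : env_val;

    if (strncmp(cand, "/dev/", 5) != 0 || strstr(cand, "..") != NULL)
        return -1;

    /* Bounded copy; check the return value instead of trusting strcpy. */
    int n = snprintf(out, out_len, "%s", cand);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

/* Open the validated device. O_NOFOLLOW refuses a symlink at the final
 * component (it does not protect intermediate directories), and O_CLOEXEC
 * keeps the descriptor from leaking into child processes. Returns the fd
 * or -1 with errno set. */
int open_tcp_device(const char *path)
{
    return open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
}

int main(void)
{
    char dev[DEV_PATH_MAX];
    if (resolve_tcp_device(getenv("TCP_DEVICE"), dev, sizeof dev) != 0) {
        fprintf(stderr, "TCP_DEVICE rejected, refusing to start\n");
        return 1;
    }
    int fd = open_tcp_device(dev);
    if (fd < 0) { perror(dev); return 1; }
    close(fd);
    return 0;
}
```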

