J-Security Center

Title: NFS-Utils Xlog Remote Buffer Overrun Vulnerability

Severity: CRITICAL

Description:

nfs-utils provides various NFS tools, including a daemon for handling RPC requests. It is available for Unix and Linux variants.

A remote buffer overrun vulnerability has been reported in xlog, which is a logging facility for nfs-utils. It is possible to exploit this issue via mountd. It has been reported that exploitation of this issue will most likely result in a denial of service. There is a likelihood that this issue could be exploited to run arbitrary code in the context of mountd, which runs as root.

This vulnerability is an off-by-one boundary condition error in the xlog.c source file, which contains code for handling logging of RPC requests. The xlog() function is prone to this issue when a buffer equal to or longer than 1023 bytes is supplied, causing one byte of memory to be overrun with attacker-supplied data.

It has been reported that an attacker may exploit this vulnerability using three attack vectors, as follows: A mount request with a path name of excessive length prepended with '?/?' handled by the internal mount_mnt_1_svc() function call, will trigger this issue. It has also been reported that an umount request with a path name of excessive length handled by mount_umnt_1_svc(), will also trigger this issue. Additionally when mount_pathconf_2_svc(), handles a pathconf request containing a path name of excessive length, this issue may be triggered. All of these functions make a call to the vulnerable xlog() function either directly or indirectly.

It should be noted that due to the nature of this vulnerability, successful exploitation of this issue would depend highly on memory layout, compiler optimizations and system architecture. Taking these factors into account, it is likely that this vulnerability will only be exploitable on affected systems harnessing GCC <= 2.95.

The issue could also occur in other nfs-utils components that call xlog with externally-supplied data.

Affected Products:

  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Conectiva Linux 9.0.0
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 7.3.0 i386
  • S.u.S.E. Linux 7.3.0 ppc
  • S.u.S.E. Linux 7.3.0 sparc
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • SCO OpenLinux Server 3.1.1
  • SCO OpenLinux Workstation 3.1.1
  • Slackware Linux -current
  • Slackware Linux 8.1.0
  • Slackware Linux 9.0.0
  • Sun Cobalt RaQ XTR
  • Sun Cobalt RaQ4 3001R
  • Sun Linux 5.0.0
  • Terra Soft Solutions Yellow Dog Linux 3.0.0
  • Trustix Secure Linux 1.2.0
  • Trustix Secure Linux 1.5.0
  • Trustix Secure Linux 2.0.0
  • nfs nfs-utils 0.2.0
  • nfs nfs-utils 0.2.1
  • nfs nfs-utils 0.3.1
  • nfs nfs-utils 0.3.3
  • nfs nfs-utils 1.0.0
  • nfs nfs-utils 1.0.1
  • nfs nfs-utils 1.0.3

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.