Bug 110324

Summary: rpc.mountd segfaults when it receives mount / umount requests from a host with no forward DNS mapping.
Product: [Retired] Red Hat Linux
Reporter: Frode Nordahl <frode>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 9
CC: jch
Keywords: Security
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-06-16 10:30:06 UTC

Description Frode Nordahl 2003-11-18 14:49:09 UTC

Description of problem:
If a machine with reverse dns mapping but no forward dns mapping sends
a mount request to rpc.mountd it segfaults.

Version-Release number of selected component (if applicable):
nfs-utils-1.0.5-1

How reproducible:
Always

Steps to Reproduce:
1. Set up a NFS server and export something
2. Set up a NFS client with reverse DNS mapping, but no forward mapping.
   example: host 1.2.3.4 = test.test.com
            host test.test.com = NXDOMAIN
3. Try to mount something from the client

Actual Results:  rpc.mountd dies with SIGSEGV

This is very serious.  It is a Denial of Service attack, and possibly
a remote root vulnerability.

Additional info:

This is a SMP machine running kernel 2.4.20-20.9smp, all updates
(including the new glibc) installed.

The server resolv.conf:
search powertech.no no.powertech.net powertech.net
nameserver 195.159.0.100
nameserver 195.159.0.200

output from strace:
gettimeofday({1069163439, 435540}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [152])               = 0
recvfrom(5,
"\314\241\205\200\0\1\0\1\0\2\0\2\003189\0010\003159\003"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 152
close(5)                                = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 5
connect(5, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) =
-1 ENOENT (No such file or directory)
close(5)                                = 0
open("/etc/hosts", O_RDONLY)            = 5
fcntl64(5, F_GETFD)                     = 0
fcntl64(5, F_SETFD, FD_CLOEXEC)         = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=342, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x40016000
read(5, "# Do not remove the following li"..., 4096) = 342
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x40016000, 4096)                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\242\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 42,
0) = 42
gettimeofday({1069163439, 441632}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [94])                = 0
recvfrom(5,
"\314\242\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 94
close(5)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\243\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 55,
0) = 55
gettimeofday({1069163439, 446080}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [107])               = 0
recvfrom(5,
"\314\243\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 107
close(5)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\244\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 59,
0) = 59
gettimeofday({1069163439, 448510}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [123])               = 0
recvfrom(5,
"\314\244\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 123
close(5)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\245\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 56,
0) = 56
gettimeofday({1069163439, 452148}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [133])               = 0
recvfrom(5,
"\314\245\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 133
close(5)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---


I know this backtrace is not very useful, but I was not able to
produce more debug symbols, even after installing the glibc-debug
package.  Please let me know if I should rebuild nfs-utils or do other
things to produce better debug information.

backtrace from gdb:
(gdb) bt
#0  0x0804e966 in strcpy ()
#1  0xb0009fc3 in ?? ()
#2  0x0804b3a4 in strcpy ()
#3  0x0804a3c8 in strcpy ()
#4  0x0804a327 in strcpy ()
#5  0x080519f8 in strcpy ()
#6  0x0804b076 in strcpy ()
#7  0x42102748 in svc_getreq_common_internal () from /lib/tls/libc.so.6
#8  0x421024af in svc_getreqset_internal () from /lib/tls/libc.so.6
#9  0x0804c8bf in strcpy ()
#10 0x0804ae4b in strcpy ()
#11 0x42015704 in __libc_start_main () from /lib/tls/libc.so.6
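As an added illustration (not code from nfs-utils or from the reporter), this is the defensive lookup a mountd-style service needs for the case described: the PTR record for the client resolves, the forward lookup on that name returns nothing, and the result is handled as "unconfirmed" instead of being dereferenced. The resolver hooks and the table of names and addresses are constructed for this example; a real build would call the libc resolver through them.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Resolver hooks so the check runs offline against a constructed table; a real
 * build would wrap gethostbyaddr()/gethostbyname() here instead. */
typedef const char *(*rev_fn)(struct in_addr);               /* PTR: addr -> name, NULL if none */
typedef int (*fwd_fn)(const char *, struct in_addr *, int);  /* A: name -> addrs, count (0 = NXDOMAIN) */

/* Constructed table (hypothetical): 1.2.3.4 has a PTR to test.test.com, but
 * test.test.com has no A record, the same shape as in the report above. */
static const char *fake_reverse(struct in_addr a) {
    if (a.s_addr == inet_addr("1.2.3.4"))  return "test.test.com";
    if (a.s_addr == inet_addr("10.0.0.5")) return "good.example.com";
    return NULL;
}
static int fake_forward(const char *name, struct in_addr *out, int max) {
    if (strcmp(name, "good.example.com") == 0 && max > 0) {
        out[0].s_addr = inet_addr("10.0.0.5");
        return 1;
    }
    return 0;   /* NXDOMAIN: no forward record, the case that crashed mountd */
}

/* Name a client only if the forward lookup confirms the reverse one (FCrDNS).
 * Returns 1 with the confirmed name, or 0 with the dotted quad. An empty or
 * missing forward answer is a normal outcome here, never a dereference. */
int client_name_fcrdns(struct in_addr a, char *buf, size_t len, rev_fn rev, fwd_fn fwd) {
    struct in_addr addrs[8];
    const char *name = rev(a);
    int i, n = name ? fwd(name, addrs, 8) : 0;
    for (i = 0; i < n; i++) {
        if (addrs[i].s_addr == a.s_addr) {
            snprintf(buf, len, "%s", name);
            return 1;
        }
    }
    snprintf(buf, len, "%s", inet_ntoa(a));   /* no PTR, NXDOMAIN, or mismatch */
    return 0;
}

/* Wrapper bound to the constructed table, for the reader and the test. */
int lookup_client(const char *dotted, char *buf, size_t len) {
    struct in_addr a;
    a.s_addr = inet_addr(dotted);
    return client_name_fcrdns(a, buf, len, fake_reverse, fake_forward);
}
```

Export matching can then fall back to address-based rules for an unconfirmed client rather than trusting a name the forward zone does not vouch for.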

Comment 1 John Haxby 2003-11-19 12:09:21 UTC
This also occurs in RHEL3.

This is a good remote attack on a system that exposes mountd.   All I
have to do is set up a DNS server somewhere with a broken reverse
mapping and simply ask a machine of my choice whether or not I can
mount something.  I suspect that it is possible to construct a UDP
datagram with a source IP address of my choice and crash rpc.mountd
on any machine, whether or not there's a route from that source IP
address and whether or not I know what is exported by the server under
attack.

Comment 2 Steve Dickson 2004-06-16 10:30:06 UTC
This *seems* to be fixed in nfs-utils-1.0.6. Please reopen the bug if this
is not the case.