From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031030

Description of problem:
If a machine with a reverse DNS mapping but no forward DNS mapping sends a mount request to rpc.mountd, it segfaults.

Version-Release number of selected component (if applicable):
nfs-utils-1.0.5-1

How reproducible:
Always

Steps to Reproduce:
1. Set up an NFS server and export something.
2. Set up an NFS client with a reverse DNS mapping, but no forward mapping. Example:
   host 1.2.3.4 = test.test.com
   host test.test.com = NXDOMAIN
3. Try to mount something from the client.

Actual Results:
rpc.mountd dies with SIGSEGV.

This is very serious. It is a Denial of Service attack, and possibly a remote root vulnerability.

Additional info:
This is an SMP machine running kernel 2.4.20-20.9smp, with all updates (including the new glibc) installed.

The server resolv.conf:
search powertech.no no.powertech.net powertech.net
nameserver 195.159.0.100
nameserver 195.159.0.200

Output from strace:
gettimeofday({1069163439, 435540}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [152]) = 0
recvfrom(5, "\314\241\205\200\0\1\0\1\0\2\0\2\003189\0010\003159\003"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, [16]) = 152
close(5) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 5
connect(5, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)
close(5) = 0
open("/etc/hosts", O_RDONLY) = 5
fcntl64(5, F_GETFD) = 0
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=342, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
read(5, "# Do not remove the following li"..., 4096) = 342
read(5, "", 4096) = 0
close(5) = 0
munmap(0x40016000, 4096) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\242\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 42, 0) = 42
gettimeofday({1069163439, 441632}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [94]) = 0
recvfrom(5, "\314\242\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, [16]) = 94
close(5) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\243\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 55, 0) = 55
gettimeofday({1069163439, 446080}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [107]) = 0
recvfrom(5, "\314\243\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, [16]) = 107
close(5) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\244\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 59, 0) = 59
gettimeofday({1069163439, 448510}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [123]) = 0
recvfrom(5, "\314\244\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, [16]) = 123
close(5) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\245\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 56, 0) = 56
gettimeofday({1069163439, 452148}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [133]) = 0
recvfrom(5, "\314\245\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("195.159.0.100")}, [16]) = 133
close(5) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---

I know this backtrace is not very useful, but I was not able to produce more debug symbols, even after installing the glibc-debug package. Please let me know if I should rebuild nfs-utils or do other things to produce better debug information.

Backtrace from gdb:
(gdb) bt
#0  0x0804e966 in strcpy ()
#1  0xb0009fc3 in ?? ()
#2  0x0804b3a4 in strcpy ()
#3  0x0804a3c8 in strcpy ()
#4  0x0804a327 in strcpy ()
#5  0x080519f8 in strcpy ()
#6  0x0804b076 in strcpy ()
#7  0x42102748 in svc_getreq_common_internal () from /lib/tls/libc.so.6
#8  0x421024af in svc_getreqset_internal () from /lib/tls/libc.so.6
#9  0x0804c8bf in strcpy ()
#10 0x0804ae4b in strcpy ()
#11 0x42015704 in __libc_start_main () from /lib/tls/libc.so.6
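The failure mode in this report is a client whose address reverse-resolves to a name that itself has no forward record, so the forward lookup returns NULL and anything that copies from that result without checking it crashes. The following is an added illustration (not nfs-utils code) of the defensive pattern a daemon that maps client addresses to names should follow: check both lookups and fall back to the dotted quad when the forward lookup fails or does not confirm the reverse one. The zone table, the hostnames, and the lookup functions are constructed stand-ins for gethostbyaddr()/gethostbyname() so that the example runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for DNS so the example runs offline. addr: client address;
 * ptr: its PTR name or NULL; fwd: what that name resolves to, or NULL for NXDOMAIN. */
struct host { const char *addr, *ptr, *fwd; };
static const struct host zone[] = {
    { "1.2.3.4",  "test.test.com", NULL },       /* reverse only: the report's case */
    { "10.0.0.7", "ok.example",    "10.0.0.7" }, /* forward-confirmed reverse DNS */
    { "10.0.0.9", "odd.example",   "10.0.0.1" }, /* forward disagrees with reverse */
};
#define NZONE (sizeof zone / sizeof zone[0])
/* Plays the role of gethostbyaddr(): PTR name for addr, or NULL on failure. */
static const char *reverse_lookup(const char *addr) {
    for (size_t i = 0; i < NZONE; i++)
        if (strcmp(zone[i].addr, addr) == 0) return zone[i].ptr;
    return NULL;
}
/* Plays the role of gethostbyname(): address for name, or NULL on NXDOMAIN. */
static const char *forward_lookup(const char *name) {
    for (size_t i = 0; i < NZONE; i++)
        if (zone[i].ptr && strcmp(zone[i].ptr, name) == 0) return zone[i].fwd;
    return NULL;
}
/* Derive a client name for export matching. Both lookups are checked before use:
 * if the forward lookup fails or does not confirm the reverse one, the dotted quad
 * is used rather than copying from a NULL result (the strcpy() crash in the report).
 * Returns 1 when a confirmed name was written, 0 when the address was used. */
int client_name(const char *addr, char *out, size_t outlen) {
    const char *name = reverse_lookup(addr);
    const char *back = name ? forward_lookup(name) : NULL;
    if (name && back && strcmp(back, addr) == 0) {
        snprintf(out, outlen, "%s", name);
        return 1;
    }
    snprintf(out, outlen, "%s", addr);
    return 0;
}
/* Same result from a static buffer, for callers that only need the string. */
const char *client_name_str(const char *addr) {
    static char buf[256];
    client_name(addr, buf, sizeof buf);
    return buf;
}
int main(void) {
    const char *addrs[] = { "1.2.3.4", "10.0.0.7", "10.0.0.9", "192.0.2.1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s -> %s\n", addrs[i], client_name_str(addrs[i]));
    return 0;
}
```

For the report's client (1.2.3.4 with a PTR but NXDOMAIN on the forward lookup) the result is the address itself, so export matching proceeds on the dotted quad instead of dereferencing a missing hostent.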
This also occurs in RHEL3. This is a good remote attack on a system that exposes mountd. All I have to do is set up a DNS server somewhere with a broken reverse mapping and simply ask a machine of my choice whether or not I can mount something. I suspect that it is possible to construct a UDP datagram with a source IP address of my choice and crash rpc.mountd on any machine, whether or not there's a route from that source IP address and whether or not I know what is exported by the server under attack.
This *seems* to be fixed in nfs-utils-1.0.6. Please reopen the bug if this is not the case.