Bug 110324 - rpc.mountd segfaults when it receives mount / umount requests from a host with no forward DNS mapping.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: nfs-utils
Version: 9
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Steve Dickson
Ben Levenson
: Security
Reported: 2003-11-18 09:49 EST by Frode Nordahl
Modified: 2007-04-18 12:59 EDT
Doc Type: Bug Fix
Last Closed: 2004-06-16 06:30:06 EDT
Description Frode Nordahl 2003-11-18 09:49:09 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031030

Description of problem:
If a machine with a reverse DNS mapping but no forward DNS mapping sends
a mount request to rpc.mountd, it segfaults.

Version-Release number of selected component (if applicable):
nfs-utils-1.0.5-1

How reproducible:
Always

Steps to Reproduce:
1. Set up a NFS server and export something
2. Set up a NFS client with reverse DNS mapping, but no forward mapping.
   example: host 1.2.3.4 = test.test.com
            host test.test.com = NXDOMAIN
3. Try to mount something from the client

Actual Results:  rpc.mountd dies with SIGSEGV

This is very serious.  It is a Denial of Service attack, and possibly
a remote root vulnerability.

Additional info:

This is a SMP machine running kernel 2.4.20-20.9smp, all updates
(including the new glibc) installed.

The server resolv.conf:
search powertech.no no.powertech.net powertech.net
nameserver 195.159.0.100
nameserver 195.159.0.200

output from strace:
gettimeofday({1069163439, 435540}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [152])               = 0
recvfrom(5,
"\314\241\205\200\0\1\0\1\0\2\0\2\003189\0010\003159\003"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 152
close(5)                                = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 5
connect(5, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) =
-1 ENOENT (No such file or directory)
close(5)                                = 0
open("/etc/hosts", O_RDONLY)            = 5
fcntl64(5, F_GETFD)                     = 0
fcntl64(5, F_SETFD, FD_CLOEXEC)         = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=342, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x40016000
read(5, "# Do not remove the following li"..., 4096) = 342
read(5, "", 4096)                       = 0
close(5)                                = 0
munmap(0x40016000, 4096)                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\242\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 42,
0) = 42
gettimeofday({1069163439, 441632}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [94])                = 0
recvfrom(5,
"\314\242\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 94
close(5)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\243\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 55,
0) = 55
gettimeofday({1069163439, 446080}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [107])               = 0
recvfrom(5,
"\314\243\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 107
close(5)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\244\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 59,
0) = 59
gettimeofday({1069163439, 448510}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [123])               = 0
recvfrom(5,
"\314\244\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 123
close(5)                                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, 28) = 0
send(5, "\314\245\1\0\0\1\0\0\0\0\0\0\vtemp-router\tpowerte"..., 56,
0) = 56
gettimeofday({1069163439, 452148}, NULL) = 0
poll([{fd=5, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(5, FIONREAD, [133])               = 0
recvfrom(5,
"\314\245\205\203\0\1\0\0\0\1\0\0\vtemp-router\tpowerte"..., 1024, 0,
{sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("195.159.0.100")}, [16]) = 133
close(5)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---


I know this backtrace is not very useful, but I was not able to
produce more debug symbols, even after installing the glibc-debug
package.  Please let me know if I should rebuild nfs-utils or do other
things to produce better debug information.

backtrace from gdb:
(gdb) bt
#0  0x0804e966 in strcpy ()
#1  0xb0009fc3 in ?? ()
#2  0x0804b3a4 in strcpy ()
#3  0x0804a3c8 in strcpy ()
#4  0x0804a327 in strcpy ()
#5  0x080519f8 in strcpy ()
#6  0x0804b076 in strcpy ()
#7  0x42102748 in svc_getreq_common_internal () from /lib/tls/libc.so.6
#8  0x421024af in svc_getreqset_internal () from /lib/tls/libc.so.6
#9  0x0804c8bf in strcpy ()
#10 0x0804ae4b in strcpy ()
#11 0x42015704 in __libc_start_main () from /lib/tls/libc.so.6
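The crash described above is triggered by a client whose address has a PTR record but whose name has no A record. The following is an added illustration written for this page, not nfs-utils code and not the fix that shipped in 1.0.6: a client-name resolution routine that tests every resolver result before using it, bounds the copy into the caller's buffer, and additionally requires the forward lookup to confirm the reverse one (forward-confirmed reverse DNS). To run offline, the system resolver is replaced by a constructed in-memory table; all names and addresses in it are made up, and the `1.2.3.4` / `test.test.com` entry models the reporter's step 2.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system resolver so the example runs offline:
 * a PTR table (address -> name) and an A table (name -> address).  A NULL
 * return mirrors gethostbyaddr()/gethostbyname() returning NULL. */
struct ptr_record { const char *ip; const char *name; };
struct a_record   { const char *name; const char *ip; };

static const struct ptr_record ptr_table[] = {
    { "1.2.3.4",   "test.test.com" },         /* PTR exists, A record is NXDOMAIN (the report's case) */
    { "10.0.0.5",  "client.example.com" },    /* forward and reverse agree */
    { "192.0.2.9", "nfsclient.example.com" }, /* PTR names a host whose A record points elsewhere */
};
static const struct a_record a_table[] = {
    { "client.example.com",    "10.0.0.5"  },
    { "nfsclient.example.com", "10.0.0.77" },
};

static const char *lookup_ptr(const char *ip)
{
    for (size_t i = 0; i < sizeof ptr_table / sizeof ptr_table[0]; i++)
        if (strcmp(ptr_table[i].ip, ip) == 0)
            return ptr_table[i].name;
    return NULL;
}

static const char *lookup_a(const char *name)
{
    for (size_t i = 0; i < sizeof a_table / sizeof a_table[0]; i++)
        if (strcmp(a_table[i].name, name) == 0)
            return a_table[i].ip;
    return NULL;
}

enum client_dns_status {
    DNS_OK = 0,        /* verified name written to out */
    DNS_NO_REVERSE,    /* no PTR record: keep using the numeric address */
    DNS_NO_FORWARD,    /* PTR name does not resolve: the case that crashed mountd */
    DNS_MISMATCH,      /* PTR name resolves, but not back to the requesting address */
    DNS_NAME_TOO_LONG  /* name would not fit the caller's buffer */
};

/* Forward-confirmed reverse lookup of a client address.  Every resolver result
 * is tested before it is used, and the name is copied only once it is known to
 * fit the destination, so a missing forward record degrades to a status code
 * instead of a NULL dereference inside strcpy(). */
enum client_dns_status resolve_client(const char *ip, char *out, size_t outlen)
{
    const char *name = lookup_ptr(ip);
    if (name == NULL)
        return DNS_NO_REVERSE;

    const char *fwd = lookup_a(name);
    if (fwd == NULL)
        return DNS_NO_FORWARD;

    if (strcmp(fwd, ip) != 0)
        return DNS_MISMATCH;

    size_t len = strlen(name);
    if (len + 1 > outlen)
        return DNS_NAME_TOO_LONG;
    memcpy(out, name, len + 1);
    return DNS_OK;
}

/* Status-only wrapper, convenient for logging decisions and for tests. */
int client_status(const char *ip)
{
    char buf[256];
    return (int)resolve_client(ip, buf, sizeof buf);
}

int main(void)
{
    static const char *label[] = { "ok", "no-reverse", "no-forward", "mismatch", "name-too-long" };
    const char *clients[] = { "1.2.3.4", "10.0.0.5", "192.0.2.9", "203.0.113.1" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++) {
        char name[256] = "";
        enum client_dns_status st = resolve_client(clients[i], name, sizeof name);
        printf("%-12s %-14s %s\n", clients[i], label[st],
               st == DNS_OK ? name : "(use numeric address)");
    }
    return 0;
}
```

A daemon using this shape logs the status and falls back to the numeric address for anything other than `DNS_OK`; the export-matching logic then never sees a name that the client's own address does not vouch for, and a resolver failure becomes a refused or unnamed request rather than a dead `rpc.mountd`.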
Comment 1 John Haxby 2003-11-19 07:09:21 EST
This also occurs in RHEL3.

This is a good remote attack on a system that exposes mountd.   All I
have to do is set up a DNS server somewhere with a broken reverse
mapping and simply ask a machine of my choice whether or not I can
mount something.  I suspect that it is possible to construct a UDP
datagram with a source IP address of my choice and crash rpc.mountd's
on any machine, whether or not there's a route from that source IP
address and whether or not I know what is exported by the server under
attack.
Comment 2 Steve Dickson 2004-06-16 06:30:06 EDT
This *seems* to be fixed in nfs-utils-1.0.6. Please reopen the bug if this
is not the case.
