Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 72820 - net-fs/ncpfs: buffer overflow
Summary: net-fs/ncpfs: buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://lists.netsys.com/pipermail/ful...
Whiteboard: B1 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-29 07:55 UTC by Matthias Geerdsen (RETIRED)
Modified: 2004-12-15 01:45 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Access violation output (ncpfs-output,3.95 KB, text/plain)
2004-12-01 22:23 UTC, Markus Rothe (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-29 07:55:24 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is buffer overflow in ncplogin and ncpmap in nwclient.c.


static void strcpy_cw(wchar_t *w, const char* s) {
~        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const
NWDSChar * treeName){
...
wchar_t wc_treeName[MAX_DN_CHARS+1];

~  if (!treeName)
~      return ERR_NULL_POINTER;

~  strcpy_cw (wc_treeName,treeName);

Currently i have not managed to successfully exploit this bug on x86.

How to reproduce :

ncplogin -T `perl -e '{print"a"x"330"}'`
ncpmap -T `perl -e '{print"a"x"330"}'` /

Tested on ncpfs-2.2.4-1 from fedora core 2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBqxzaFTSet8AbQUQRAiycAJ4+5YDHawXMrXiu2wPHt6IRN2Xx0wCeM7vm
LpGHtO/7DHkoRO18OQwve4M=
=YwvU
-----END PGP SIGNATURE-----
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-11-29 14:01:52 UTC
Pulling net-fs for advice...

I don't know ncpfs so I can't tell if it's a real vulnerability or just an overflow in command-line argument that can be exploited by local users to execute code with their own rights (i.e. a bug, but not a vulnerability). Is ncplogin/ncpmap suid root ? Is the "-T" option argument directly under the control of a remote attacker ?
Comment 2 Maurice van der Pot (RETIRED) gentoo-dev 2004-11-29 14:20:42 UTC
-rws--x--x  1 root root 2529574 Nov 29 23:19 /usr/bin/ncplogin
-rws--x--x  1 root root 2424639 Nov 29 23:19 /usr/bin/ncpmap

All I have time for right now.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-30 01:00:03 UTC
Hmm interesting.
So it's a potential local root through overflow on a SUID root binary.

No fixed version yet. Upstream should be contacted for a fixed version, if they don't react it looks like an easy patch.
Comment 4 Maurice van der Pot (RETIRED) gentoo-dev 2004-11-30 10:50:33 UTC
Upstream has just released a 2.2.5 version (ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.5)
From the changelog:

ChangeSet@1.294, 2004-11-30 16:42:25+01:00
  Fix bad buffer overflow in NWDSCreateContextHandleMnt.  Plus fix
  bogus interpretation of treeName.  And split 
  NWDSCreateContextHandleMnt into two functions, anything taking string
  as argument must take context, as string's encoding is defined by 
  context settings...

strcpy_cw is still present in the source, but it is no longer called. The 
treename input is now handled in a completely different way.

!!! NOTE: I'm not saying that it fixes the problem, I'm just saying that it
looks like they have worked on it !!!
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-30 12:13:35 UTC
Please provide an ebuild for that version, we'll test that the vulnerability is gone there.
Comment 6 Maurice van der Pot (RETIRED) gentoo-dev 2004-11-30 13:54:48 UTC
It'll take another 20 hours or so before I get a chance to do the ebuild.
If anyone else can do it sooner, go right ahead. I'm not the maintainer anyway.
Comment 7 Maurice van der Pot (RETIRED) gentoo-dev 2004-12-01 13:40:45 UTC
Version 2.2.5 is now in portage. The build succeeds, but that is all I can test.
All keywords have been reverted to "~arch", only x86 and ppc64 have ever been 
"arch". They should test this and mark it stable if it works.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-01 13:53:44 UTC
Thx Maurice.

Arches please mark 2.2.5 stable asap.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2004-12-01 22:23:01 UTC
Created attachment 45113 [details]
Access violation output

Hi. I'm getting an access violation with 2.2.5. I don't get this with latest
stable marked version (2.2.3).
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-01 23:29:50 UTC
Back to ebuild status. Maurice please look into this.
Comment 11 Maurice van der Pot (RETIRED) gentoo-dev 2004-12-02 15:20:58 UTC
I'm unable to reproduce this, though I am using the sandbox.
Corsair, can you do some debugging yourself and/or provide more info, such as emerge --info?
Comment 12 Maurice van der Pot (RETIRED) gentoo-dev 2004-12-02 23:41:17 UTC
The most likely candidate for a sandbox violation is the chmod a+r that I do on
the directory to which the source is extracted. I have to do that because the 
directory does not have the +r bits set in the tarball. 

If someone could contact upstream to see if they can make another tarball with the
right permissions, then we can use the same ebuild as for 2.2.3 and we shouldn't
encounter any problems.
Comment 13 Maurice van der Pot (RETIRED) gentoo-dev 2004-12-03 14:57:36 UTC
I wasn't paying attention before; somehow I overlooked Markus' log file.

The problem is not the absence of the +r bit in the tarball, it's the 
installation of a php extension. This extension is only built if php is 
installed when ncpfs is merged.

It would help if someone familiar with php extensions (and the eclasses) could 
take a look at this. Besides, I will be away this weekend.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-08 00:54:51 UTC
Stuart/php please advise.
Comment 15 Stuart Herbert (RETIRED) gentoo-dev 2004-12-09 07:29:15 UTC
I've committed an updated ebuild which no longer causes a sandbox violation.  I've also added support for the php USE flag.

Best regards,
Stu
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-12-09 08:27:11 UTC
Thx Stuart.
x86, ppc64 : please retest the updated ncpfs-2.2.5...
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2004-12-11 00:15:06 UTC
stable on ppc64
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-12-14 06:43:28 UTC
GLSA drafted. 

x86, we are waiting for you to release... If someone else (net-fs / Stuart) can test and mark stable on x86, I'll take it :)
Comment 19 Peter Johanson (RETIRED) gentoo-dev 2004-12-14 08:00:44 UTC
Marked this x86 per jaervosz's request. Been using 2.2.5 since it was added, with no problems.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-12-15 01:45:38 UTC
GLSA 200412-09