Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16421
HistoryMar 22, 2007 - 12:00 a.m.

[NEWS] Multiple Vulnerabilities In NAS

2007-03-2200:00:00
vulners.com
9

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Multiple Vulnerabilities In NAS

SUMMARY

<http://www.radscan.com/nas.html&gt; Network Audio System (NAS), as
suggested by the name, is a network transparent audio system which works
very similarly to the X server. The server daemon runs as root and listens
on both Unix and TCP sockets.

Multiple vulnerabilities have been discovered in NAS 1.8a (svn 231).

DETAILS

Vulnerable Systems:

  • NAS version 1.8a (svn 231)

Accept_att_local buffer overflow through USL connection:
A stack based buffer-overflow is located in the function which receives
the connection over the USL socket allowing the writing of 255 bytes in
the path buffer of 64. Note that this socket is not enabled by default and
I don't know in what occasions or on what platforms it runs.

from server/os/connection.c:
static int
accept_att_local(void)
{
int newconn;
int read_in;
char length;
char path[64];

/*
 * first get device-name
 */
if &#40;&#40;read_in = read&#40;ptsFd, &amp;length, 1&#41;&#41; &lt;= 0&#41; {
    Error&#40;&quot;audio server: Can&#39;t read slave name length from USL client 

connection");
return (-1);
}

if &#40;&#40;read_in = read&#40;ptsFd, path, length&#41;&#41; &lt;= 0&#41; {
    Error&#40;&quot;audio server: Can&#39;t read slave name from USL client 

connection");
return (-1);
}

path[length] = &#39;&#92;0&#39;;
...

Server termination through unexistent ID in AddResource:
An unexistent client ID forces the termination of the server.

from server/dia/resource.c:
Bool
AddResource(AuID id, RESTYPE type, pointer value)
{
int client;
register ClientResourceRec *rrec;
register ResourcePtr res, *head;

client = CLIENT_ID&#40;id&#41;;
rrec = &amp;clientTable[client];
if &#40;!rrec-&gt;buckets&#41; {
    ErrorF&#40;&quot;AddResource&#40;&#37;x, &#37;x, &#37;x&#41;, client=&#37;d &#92;n&quot;,
           id, type, &#40;unsigned long&#41; value, client&#41;;
    FatalError&#40;&quot;client not in use&#92;n&quot;&#41;;
}
...

bcopy crash caused by integer overflow in ProcAuWriteElement:
An integer overflow in ProcAuWriteElement allows the crash of the NAS
server through a too long max_samples value set by the client during the
connection and the subsequent writing of too much bytes in the destination
buffer. In my tests wasn't possible to cause damages worst than a crash
since it's not possible to control the amount of bytes to write.

from server/dia/audispatch.c:

int
ProcAuWriteElement(ClientPtr client)
{

if (stuff->num_bytes > c->dataSize - currentSize)
AU_ERROR(AuBadValue, stuff->num_bytes);

if &#40;stuff-&gt;num_bytes&#41; {
    s = &#40;AuUint8 *&#41; &amp; stuff[1];
    d = c-&gt;write;
    n = aumin&#40;stuff-&gt;num_bytes, c-&gt;dataEnd - d&#41;;
    bcopy&#40;s, d, n&#41;;

    /* wrap if necessary */
    if &#40;n != stuff-&gt;num_bytes&#41;
        bcopy&#40;s + n, c-&gt;data, stuff-&gt;num_bytes - n&#41;;
        ...

Invalid memory pointer through big num_actions in ProcAuSetElements:
In ProcAuSetElements num_actions is used for incrementing the pointer of
the el structure which is located in the stuff buffer (the buffer
containing the data of the client). If a client sends one or more big
num_action values will force the server to use (through el) the data
outside the stuff buffer causing a crash.

from server/dia/audispatch.c:

#define ADD_VAR(n)
\
{
\
AuUint8 *_t = (AuUint8 *) el;
\

\
varLen += (n);
\
_t += (n);
\
el = (auElement *) _t;
\
}

#define COMP_ACTIONS(num)
\
{
\
numActions += (num) ? (num) : numDefaultActions[el->type];
\
ADD_VAR((num) * sizeof(auElementAction));
\
}

int
ProcAuSetElements(ClientPtr client)
{
fprintf(stderr, "XXX ProcAuSetElements\n");
REQUEST(auSetElementsReq);
FlowPtr flow;
int len, i, varLen, numActions, status;
auElement *el;

...

el = &#40;auElement *&#41; &amp; stuff[1];
/* compute length of variable data and do some error checking */
for &#40;i = varLen = numActions = 0; i &lt; stuff-&gt;numElements; i++, el++&#41;
    switch &#40;el-&gt;type&#41; {
    case AuElementTypeImportClient:
        COMP_ACTIONS&#40;el-&gt;importclient.actions.num_actions&#41;;
        ...

Invalid memory pointer in compileInputs:
Another crash is possible through an invalid memory pointer caused by the
AuCompileFlow function using a too big input value (then passed to
compileInputs as inputNum).

from server/dia/auutil.c:

static int
compileInputs(ClientPtr client, FlowElementPtr elements,
CompiledFlowOutputPtr output, AuUint32 inputNum,
AuFixedPoint multiplyConstant, AuFixedPoint addConstant,
AuUint8 numTracks, AuUint8 * inTracks, AuUint8
firstOutTrack,
AuBool recompile, AuUint32 * inputCnt)
{
auElement *el = elements[inputNum].raw;
int status = AuSuccess;
AuBool compiled = elements[inputNum].compiled, compileInput = AuFalse;
AuUint32 nextInput;
AuUint8 inputTracks[auMaxTracks];

/* XXX - need to check for loops */

/* indicate that we&#39;ve compiled this element */
elements[inputNum].compiled = AuTrue;
...

NULL pointer caused by too much connections:
A NULL pointer crash can be exploited very easily and without any type of
authentication from both local and remote sockets through many
simultaneous connections (at least 120).

from server/os/io.c:

int
ReadRequestFromClient(client)
ClientPtr client;
{
OsCommPtr oc = (OsCommPtr) client->osPrivate;
register ConnectionInputPtr oci = oc->input;

Proof of concept:
<http://aluigi.org/poc/nasbugs.zip&gt; http://aluigi.org/poc/nasbugs.zip

Fix:
Use NAC version SVN 237

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]> Luigi
Auriemma.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.