Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters

Overview

Sun’s NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.

Description

A remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.

Logs of exploitation attempts may resemble the following:

May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped May 16 22:46:21 victim-host last message repeated 7 times May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped May 16 22:46:59 victim-host last message repeated 1 time May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped May 16 22:47:07 victim-host last message repeated 3 times May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped

Sun Microsystems has released a Sun Alert Notification which addresses this issue as well as the issue described in VU#161931.

According to the Sun Alert Notification, failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries.

This issue is also being referenced as CAN-2002-0033:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0033&gt;

Impact

A remote attacker can execute code with the privileges of the cachefsd process, typically root.

---

Solution

The CERT/CC is currently unaware of patches for this problem.

---

According to a Sun Alert Notification a workaround is as follows:

_Comment out cachefsd in /etc/inetd.conf as shown below: _

_ #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd _

_ Once the line is commented out either: _

_ - reboot, or_
_ - send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,_
_ on Solaris 2.5.1 and 2.6 do the following:_
_ $ kill -HUP <PID of inetd>_
_ $ kill <PIDs of any cachefsd processes>_

_ Solaris 7 and 8 do the following:_
_ $ pkill -HUP inetd_
_ $ pkill cachefsd _

_ The possible side effects of the workaround are: _

_ - for systems not using cachefs:_

_ There is no impact._

_ - for systems using cachefs:_

_ Only a “disconnected” operation is known to be affected by _
_ disabling cachefsd. This feature is rarely used outside of AutoClient._

_ Mounts and unmounts should still succeed though an error message _
_ may be seen, “mount -F cachefs: cachefsd is not running”._

_ There is no performance impact._

_ - for systems using AutoClient:_

_ The impact is unknown. Again, only “disconnected” mode is likely _
_ to be affected. _

---

Vendor Information

635811

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Sun __ Affected

Notified: May 06, 2002 Updated: May 06, 2002

Status

Affected

Vendor Statement

See, <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

Cray __ Not Affected

Updated: May 13, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. is not vulnerable since cachefs is not supported under Unicos and Unicos/mk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

Fujitsu __ Not Affected

Updated: May 14, 2002

Status

Not Affected

Vendor Statement

UXP/V is not vulnerable, because it does not have Cachefs and similar functionalities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

Hewlett Packard __ Not Affected

Notified: May 06, 2002 Updated: May 07, 2002

Status

Not Affected

Vendor Statement

HP-UX is not vulnerable because it does not use cachefsd.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

IBM __ Not Affected

Notified: May 06, 2002 Updated: May 06, 2002

Status

Not Affected

Vendor Statement

IBM’s AIX operating system, all versions, is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

Nortel Networks __ Not Affected

Updated: May 13, 2002

Status

Not Affected

Vendor Statement

Nortel Networks products and solutions using the affected Sun Solaris operating systems do not utilize the NFS/RPC file system cachefs daemon. Nortel Networks recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.; this will not impact these Nortel Networks products and solutions.

For more information please contact Nortel at:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at

www.nortelnetworks.com/help/contact/global/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

OpenBSD Not Affected

Notified: May 06, 2002 Updated: May 06, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

SGI __ Not Affected

Notified: May 06, 2002 Updated: May 06, 2002

Status

Not Affected

Vendor Statement

SGI does not ship with SUN cachefsd, so IRIX is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23635811 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309&gt;
• <http://archives.neohapsis.com/archives/bugtraq/2002-05/0026.html&gt;

Acknowledgements

The CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.

This document was written by Jason Rafail and Jeffrey Havrilla.

Other Information

CVE IDs:	CVE-2002-0033
CERT Advisory:	CA-2002-11 Severity Metric: