Advisory: FreeBSD kernel NFS client local vulnerabilities
Note: The original advisory can be found here.
Affected products: FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE
Class: Improper Input Validation (CWE-20)
Discovered by: Patroklos Argyroudis
We have discovered two improper input validation vulnerabilities in the FreeBSD kernel's NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges or to crash the system (denial of service).
FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE employ an improper input validation method in the kernel's NFS client-side implementation. Specifically, the first vulnerability is in function nfs_mount() (file src/sys/nfsclient/nfs_vfsops.c), which is reachable from the mount(2) and nmount(2) system calls. For these to be usable by unprivileged users, the sysctl vfs.usermount must be set to a non-zero value.
nfs_mount() employs an insufficient input validation method for copying data passed from userspace to the kernel in a structure of type nfs_args. Specifically, the file handle buffer to be mounted (args.fh) and its size (args.fhsize) are completely user-controllable, and args.fhsize is used as the copy length without being checked against the size of the destination. The unbounded copy operation is in file src/sys/nfsclient/nfs_vfsops.c (the excerpts are from 8.0-RELEASE):
The declaration of the local variables, among them the fixed-size stack buffer nfh that the copy writes into, is at:
This vulnerability causes a kernel stack buffer overflow, which leads to privilege escalation on FreeBSD 7.3-RELEASE and 7.2-RELEASE. On FreeBSD 8.0-RELEASE the result is a kernel crash/denial of service, because the SSP/ProPolice kernel stack-smashing protection, which is enabled by default in that release, detects the corrupted stack canary and panics the kernel. Versions 7.1-RELEASE and earlier do not appear to be vulnerable, since the bug was introduced in 7.2-RELEASE. In order to demonstrate the impact of the vulnerability we have developed a proof-of-concept privilege escalation exploit. A sample run of the exploit follows:
The second vulnerability exists in the function mountnfs(), which is called from nfs_mount(). mountnfs() is therefore reachable from the mount(2) and nmount(2) system calls by unprivileged users. As with the nfs_mount() case above, this requires the sysctl vfs.usermount to be set to a non-zero value.
The file handle to be mounted (argp->fh) and its size (argp->fhsize) are passed to function mountnfs() from function nfs_mount() and are user-controllable. They are subsequently used in an unbounded copy operation:
Because the copy length is never checked, the above causes a kernel heap overflow whenever argp->fhsize is larger than 128 bytes (the size of the file handle buffer inside the nfsmount structure that nmp points to). nmp is an item allocated from the Universal Memory Allocator (UMA, the FreeBSD kernel's heap allocator) zone nfsmount_zone (again from src/sys/nfsclient/nfs_vfsops.c, 8.0-RELEASE):
This kernel heap overflow can lead, on FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE, to privilege escalation and/or a kernel crash/denial of service; the stack-smashing protection that limits the first vulnerability to a crash on 8.0-RELEASE does not cover heap allocations, so 8.0-RELEASE is exploitable here as well. As with the first vulnerability, FreeBSD 7.1-RELEASE and earlier versions do not appear to be vulnerable. We have developed a proof-of-concept DoS exploit to demonstrate the vulnerability. Furthermore, we have also developed a privilege escalation exploit for this second vulnerability, which will not be released at this point.
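To make the two copy paths concrete, the following is an added userland model written for this page; it is not the FreeBSD kernel's code and not the proof-of-concept exploits mentioned above. It reuses the names the advisory uses (nfs_args, fh, fhsize, nfsmount, nfh, argp, nmp). The 128-byte size of the heap buffer is taken from the advisory, while NFH_MAX = 64 for the stack buffer, the field name nm_fh, the sample file handle and all helper function names are assumptions. The unsafe helper reports how far past the destination an unchecked copy would reach instead of actually performing it, so the model is safe to compile and run; the hardened helpers show the bounds check both sites need, including rejection of negative sizes, which the int-to-size_t conversion in the copy would otherwise turn into an enormous length.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFH_MAX   64    /* ASSUMED size of the fixed stack buffer nfh in nfs_mount() */
#define NM_FH_MAX 128   /* size of the file handle buffer in the heap nfsmount (from the advisory) */

/* Model of the user-supplied argument structure: a pointer and a signed length. */
struct nfs_args {
	const unsigned char *fh;
	int fhsize;                     /* signed int, as in the kernel's struct nfs_args */
};

/* Model of the per-mount structure allocated from the UMA zone nfsmount_zone. */
struct nfsmount {
	unsigned char nm_fh[NM_FH_MAX]; /* field name assumed */
	int nm_fhsize;
};

/* Constructed sample "file handle": contents are irrelevant, only the length matters. */
static const unsigned char sample_fh[4096];

/*
 * The vulnerable pattern at both sites: the copy length comes straight from
 * the caller. To keep this model safe to run, the copy is skipped when it
 * would overflow and the function returns how many bytes would have been
 * written past the end of dst (0 means the copy was in bounds and was done).
 */
static size_t
unchecked_copy_overrun(unsigned char *dst, size_t dstlen, const struct nfs_args *a)
{
	size_t n = (size_t)a->fhsize;   /* a negative int becomes an enormous length here */

	if (n > dstlen)
		return n - dstlen;
	memcpy(dst, a->fh, n);
	return 0;
}

/* The missing check: reject negative and oversized lengths before copying. */
static int
fh_size_ok(int fhsize, size_t max)
{
	return fhsize >= 0 && (size_t)fhsize <= max;
}

/* Hardened form of the nfs_mount() stack copy. Returns 0 or EINVAL. */
int
nfs_mount_copy_fh(const struct nfs_args *args, unsigned char nfh[NFH_MAX])
{
	if (!fh_size_ok(args->fhsize, NFH_MAX))
		return EINVAL;
	memcpy(nfh, args->fh, (size_t)args->fhsize);
	return 0;
}

/* Hardened form of the mountnfs() heap copy. Returns 0 or EINVAL. */
int
mountnfs_copy_fh(const struct nfs_args *argp, struct nfsmount *nmp)
{
	if (!fh_size_ok(argp->fhsize, sizeof nmp->nm_fh))
		return EINVAL;
	memcpy(nmp->nm_fh, argp->fh, (size_t)argp->fhsize);
	nmp->nm_fhsize = argp->fhsize;
	return 0;
}

/* Drivers that build an nfs_args with the given fhsize and exercise each path. */
size_t stack_overrun_for(int fhsize)
{
	unsigned char nfh[NFH_MAX];
	struct nfs_args a = { sample_fh, fhsize };
	return unchecked_copy_overrun(nfh, sizeof nfh, &a);
}

size_t heap_overrun_for(int fhsize)
{
	struct nfsmount *nmp = calloc(1, sizeof *nmp);  /* stands in for the UMA zone item */
	struct nfs_args a = { sample_fh, fhsize };
	size_t over;

	if (nmp == NULL)
		abort();
	over = unchecked_copy_overrun(nmp->nm_fh, sizeof nmp->nm_fh, &a);
	free(nmp);
	return over;
}

int hardened_stack_for(int fhsize)
{
	unsigned char nfh[NFH_MAX];
	struct nfs_args a = { sample_fh, fhsize };
	return nfs_mount_copy_fh(&a, nfh);
}

int hardened_heap_for(int fhsize)
{
	struct nfsmount nm;
	struct nfs_args a = { sample_fh, fhsize };
	return mountnfs_copy_fh(&a, &nm);
}

int main(void)
{
	int sizes[] = { 64, 65, 128, 129, 200, -1 };
	for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
		printf("fhsize=%4d: stack overrun %zu, heap overrun %zu, hardened stack %s, hardened heap %s\n",
		    sizes[i], stack_overrun_for(sizes[i]), heap_overrun_for(sizes[i]),
		    hardened_stack_for(sizes[i]) ? "EINVAL" : "ok",
		    hardened_heap_for(sizes[i]) ? "EINVAL" : "ok");
	return 0;
}
```

A length of 200 overruns the 64-byte stack buffer by 136 bytes and the 128-byte heap item by 72; a length of -1 turns into SIZE_MAX once converted, which is why the hardened check compares the signed value against zero before it is ever used as a size.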
FreeBSD has released an official advisory and a patch to address both vulnerabilities. All affected parties are advised to follow the upgrade instructions included in the advisory and patch their systems.