Vulnerability Note VU#635811

Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters

Original Release date: 06 May 2002 | Last revised: 14 May 2002

Overview

Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists in cachefsd that could permit a remote attacker to execute arbitrary code with the privileges of the cachefsd, typically root.

Description

A remotely exploitable heap overflow exists in the cachefsd program shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). A remote attacker can send a crafted RPC request to the cachefsd program to remotely exploit the vulnerability.

Logs of exploitation attempts may resemble the following:

    May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
    May 16 22:46:21 victim-host last message repeated 7 times
    May 16 22:46:22 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
    May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
    May 16 22:46:56 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Bus Error - core dumped
    May 16 22:46:59 victim-host last message repeated 1 time
    May 16 22:47:02 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped
    May 16 22:47:07 victim-host last message repeated 3 times
    May 16 22:47:09 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Hangup
    May 16 22:47:11 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped


Sun Microsystems has released a Sun Alert Notification which addresses this issue as well as the issue described in VU#161931.

According to the Sun Alert Notification, failed attempts to exploit this vulnerability will leave core dumps in the root directory. The presence of the core file does not preclude the success of subsequent attacks. Additionally, if the file /etc/cachefstab exists, it may contain unusual entries.

This issue is also being referenced as CAN-2002-0033:

Impact

A remote attacker can execute code with the privileges of the cachefsd process, typically root.

Solution

The CERT/CC is currently unaware of patches for this problem.

According to a Sun Alert Notification a workaround is as follows:

    Comment out cachefsd in /etc/inetd.conf as shown below:

    #100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

    Once the line is commented out either:

    - reboot, or
    - send a HUP signal to inetd(1M) and kill existing cachefsd processes, for example,
    on Solaris 2.5.1 and 2.6 do the following:
    $ kill -HUP <PID of inetd>
    $ kill <PIDs of any cachefsd processes>

    Solaris 7 and 8 do the following:
    $ pkill -HUP inetd
    $ pkill cachefsd

    The possible side effects of the workaround are:

    - for systems not using cachefs:

    There is no impact.

    - for systems using cachefs:

    Only a "disconnected" operation is known to be affected by
    disabling cachefsd. This feature is rarely used outside of AutoClient.

    Mounts and unmounts should still succeed though an error message
    may be seen, "mount -F cachefs: cachefsd is not running".

    There is no performance impact.

    - for systems using AutoClient:

    The impact is unknown. Again, only "disconnected" mode is likely
    to be affected.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SunAffected06 May 200206 May 2002
CrayNot Affected-13 May 2002
FujitsuNot Affected-14 May 2002
Hewlett PackardNot Affected06 May 200207 May 2002
IBMNot Affected06 May 200206 May 2002
Nortel NetworksNot Affected-13 May 2002
OpenBSDNot Affected06 May 200206 May 2002
SGINot Affected06 May 200206 May 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC acknowledges the Last Stage of Delirium Team for discovering and reporting on this vulnerability and thanks Sun Microsystems for their technical assistance.

This document was written by Jason Rafail and Jeffrey Havrilla.

Other Information

  • CVE IDs: CAN-2002-0033
  • CERT Advisory: CA-2002-11
  • Date Public: 05 May 2002
  • Date First Published: 06 May 2002
  • Date Last Updated: 14 May 2002
  • Severity Metric: 52.92
  • Document Revision: 31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.