Vigil@nce: Linux kernel, buffer overflow of NFSv4 ACLs
September 2008 by Vigil@nce
A local attacker can create an overflow in the nfsd service in order to elevate his privileges.
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 05/09/2008
Linux kernel [confidential versions]
The Linux kernel implements an NFS service.
POSIX ACLs of shared files are converted to NFS ACLs, represented as ACEs (Access Control Entries). The init_state() function of fs/nfsd/nfs4acl.c allocates the memory areas which hold the ACEs of users and groups. However, the allocated size is 4*numberacl bytes too small (the size difference between the posix_user_ace_state and posix_ace_state structures).
A local attacker, allowed to change the POSIX ACLs of files shared by NFS, can therefore define several ACLs in order to trigger an overflow. This overflow leads to code execution in the kernel.
Identifiers: CVE-2008-3915, VIGILANCE-VUL-8093
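The sizing mistake described above, shown beside its corrected form. This is an added illustration, not code from the kernel or from Vigil@nce: the three structures are simplified stand-ins modelled on the definitions in fs/nfsd/nfs4acl.c of that era, and the function names alloc_size_vulnerable, alloc_size_fixed, shortfall and fill_fits are assumptions introduced here.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the structures used by init_state()
 * (modelled on the kernel definitions of that era; not the kernel's code). */
struct posix_ace_state {
	uint32_t allow;
	uint32_t deny;
};
struct posix_user_ace_state {
	uint32_t uid;                  /* named user or group this entry is for */
	struct posix_ace_state perms;  /* so 4 bytes larger than posix_ace_state */
};
struct posix_ace_state_array {
	int n;
	struct posix_user_ace_state aces[];  /* cnt entries are written here */
};

/* Vulnerable sizing: each entry is counted as a posix_ace_state,
 * although a posix_user_ace_state is stored, so 4 bytes per ACE are missing. */
size_t alloc_size_vulnerable(int cnt)
{
	return sizeof(struct posix_ace_state_array)
	     + (size_t)cnt * sizeof(struct posix_ace_state);
}

/* Corrected sizing: count the structure that is actually stored. */
size_t alloc_size_fixed(int cnt)
{
	return sizeof(struct posix_ace_state_array)
	     + (size_t)cnt * sizeof(struct posix_user_ace_state);
}

/* Bytes by which the vulnerable allocation falls short for cnt ACEs. */
size_t shortfall(int cnt)
{
	return alloc_size_fixed(cnt) - alloc_size_vulnerable(cnt);
}

/* Defensive check: can cnt entries be filled in without writing past an
 * allocation of alloc bytes?  Returns 1 if the writes fit, 0 otherwise. */
int fill_fits(size_t alloc, int cnt)
{
	return offsetof(struct posix_ace_state_array, aces)
	     + (size_t)cnt * sizeof(struct posix_user_ace_state) <= alloc;
}
```

With eight named-user or named-group ACEs the vulnerable allocation is 32 bytes short, and fill_fits() reports that filling the entries would overrun it, while the corrected allocation passes the same check.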