Vigil@nce: Linux kernel, buffer overflow of NFSv4 ACLs
September 2008 by Vigil@nce
SYNTHESIS
A local attacker can create an overflow in the nfsd service in
order to elevate his privileges.
Gravity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 05/09/2008
Identifier: VIGILANCE-VUL-8093
IMPACTED PRODUCTS
– Linux kernel [confidential versions]
DESCRIPTION
The Linux kernel implements an NFS service.
POSIX ACLs of shared files are converted to NFS ACLs, represented
as ACEs (Access Control Entries). The init_state() function of
fs/nfsd/nfs4acl.c allocates the memory areas which hold the ACEs of
users and groups. However, the allocated size is 4*numberacl bytes
too small (the size difference between the posix_user_ace_state
and posix_ace_state structures, multiplied by the number of ACL
entries).
A local attacker who is allowed to change the POSIX ACLs of files
shared by NFS can therefore define several ACL entries in order to
generate an overflow. This overflow leads to code execution in the
kernel.
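To make the size mismatch concrete, here is an added user-space model (example code written for this page, not the kernel's or Vigil@nce's code) using hypothetical struct definitions modelled on the advisory's description: it computes the undersized and the correct allocation, the 4*numberacl shortfall, and how many entries a bounds check would let through.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-space model of the structures the advisory names
 * (constructed for this example, not the kernel's own definitions):
 * the per-user entry carries a 32-bit id in front of the allow/deny
 * pair, so it is 4 bytes larger than the bare posix_ace_state. */
struct posix_ace_state       { uint32_t allow; uint32_t deny; };
struct posix_user_ace_state  { uint32_t uid; struct posix_ace_state perms; };
struct posix_ace_state_array { int n; struct posix_user_ace_state aces[]; };

/* The defect: the allocation counts the inner type, not the array's
 * element type, so each of the cnt entries is 4 bytes short. */
size_t alloc_size_buggy(int cnt)
{
    return sizeof(struct posix_ace_state_array)
           + (size_t)cnt * sizeof(struct posix_ace_state);
}

/* The safe idiom: derive the element size from the array itself, so
 * the size expression cannot drift from the declaration it must match. */
size_t alloc_size_fixed(int cnt)
{
    struct posix_ace_state_array *a = NULL; /* only used inside sizeof */
    return sizeof(*a) + (size_t)cnt * sizeof(a->aces[0]);
}

/* Bytes the buggy size falls short: 4*cnt, as the advisory states. */
size_t shortfall(int cnt)
{
    return alloc_size_fixed(cnt) - alloc_size_buggy(cnt);
}

/* Bounds check a decoder should apply before storing entry i: how many
 * of cnt entries fit inside an allocation of alloc bytes. With the
 * buggy size this is always less than cnt, i.e. the remaining entries
 * would be written past the end of the buffer. */
int entries_that_fit(size_t alloc, int cnt)
{
    int i;
    for (i = 0; i < cnt; i++) {
        size_t end = offsetof(struct posix_ace_state_array, aces)
                     + (size_t)(i + 1) * sizeof(struct posix_user_ace_state);
        if (end > alloc)
            break;
    }
    return i;
}
```

Sizing by the array's own element type (or, in current kernels, the struct_size() helper) is the review check that catches this class of bug before it reaches a decoder of untrusted input.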
CHARACTERISTICS
Identifiers: CVE-2008-3915, VIGILANCE-VUL-8093