Buffer overflows in macOS NFS client (CVE-2018-4259, CVE-2018-4286, CVE-2018-4287, CVE-2018-4288, CVE-2018-4291)
This directory contains a minimal NFS server. It only implements a very small subset of the NFS protocol: just enough to trigger one of the buffer overflow vulnerabilities in the macOS XNU operating system kernel. The vulnerabilities were fixed in macOS version 10.13.6.
For more details about the vulnerabilities, see the blog post on lgtm.com.
To compile and run (on Linux):
$ make
$ ./kevfs
To trigger the exploit, you need to attempt to mount a folder on the Mac. Suppose the IP address of the server is 192.168.0.15:
$ mkdir ~/mnt
$ mount -t nfs 192.168.0.15:/export ~/mnt
Note that sudo access is not required to trigger the bug on the Mac, because we are only attempting to mount to ~/mnt.
There is a second vulnerability which can be triggered with a small modification to the server: it should return an fhandle3 whose size field is 0xFFFFFFFF. This requires a change to the code, because we don't want to send a 4GB payload with the message. The simplest way to do this is to change the definition of fhandle3 in nfs.x so that it contains a uint32 rather than an opaque. That uint32 then needs to be initialized to 0xFFFFFFFF in kevfs.c.
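The second bug comes down to a client trusting the length word of an XDR opaque before checking it. The following is an added example (not code from this repository or from XNU) of how an NFS client should decode an fhandle3, an opaque of at most NFS3_FHSIZE = 64 bytes per RFC 1813: the declared length is checked against the protocol maximum and against the bytes actually received before any copy or padding arithmetic, so a 0xFFFFFFFF size field is rejected. The function and struct names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NFS3_FHSIZE 64          /* maximum fhandle3 length, RFC 1813 */

/* Hypothetical decoded file handle; data is a fixed buffer on purpose. */
struct fhandle3 {
    uint32_t len;
    uint8_t data[NFS3_FHSIZE];
};

/* Read a big-endian 32-bit XDR integer. */
static uint32_t xdr_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode an XDR opaque<NFS3_FHSIZE> from buf. Returns the number of bytes
 * consumed (length word + data + alignment padding), or 0 if the field is
 * malformed, oversized, or longer than the data that was received. */
size_t decode_fhandle3(const uint8_t *buf, size_t buflen, struct fhandle3 *out) {
    if (buflen < 4)
        return 0;                       /* no room for the length word */
    uint32_t len = xdr_u32(buf);
    /* Validate against the protocol maximum BEFORE any arithmetic on len:
     * (len + 3) wraps around for 0xFFFFFFFF in 32-bit math, and using len
     * as a copy size would run far past a 64-byte destination. */
    if (len > NFS3_FHSIZE)
        return 0;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;   /* XDR 4-byte alignment */
    if (buflen - 4 < padded)
        return 0;                       /* declared length exceeds the message */
    out->len = len;
    memcpy(out->data, buf + 4, len);
    return 4 + padded;
}
```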