QEMU - NBD Server Long Export Name Stack Buffer Overflow

Published: 29 Nov 2017 00:00:00
Reported by: Eric Blake
Type: zdt
Source: 0day.today
Views: 39

QEMU NBD Server Buffer Overflow Vulnerability

Related

Family | Title | Published
Circl | CVE-2017-15118 | 29 Nov 2017 00:00
CNVD | QEMU 'b/nbd/server.c' stack buffer overflow vulnerability | 30 Nov 2017 00:00
CVE | CVE-2017-15118 | 27 Jul 2018 21:00
Cvelist | CVE-2017-15118 | 27 Jul 2018 21:00
Debian CVE | CVE-2017-15118 | 27 Jul 2018 21:00
EUVD | EUVD-2017-6579 | 7 Oct 2025 00:30
F5 Networks | K31501591: QEMU vulnerability CVE-2017-15118 | 21 Feb 2023 18:54
Fedora | [SECURITY] Fedora 27 Update: qemu-2.10.2-1.fc27 | 24 Aug 2018 07:15
NVD | CVE-2017-15118 | 27 Jul 2018 21:29
OpenVAS | Ubuntu: Security Advisory (USN-3575-1) | 21 Feb 2018 00:00

Introduced in commit f37708f6b8 (2.10).  The NBD spec says a client
can request export names up to 4096 bytes in length, even though
they should not expect success on names longer than 256.  However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu
process.
 
The smash can be easily demonstrated with this client:

$ qemu-io -f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
 
If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs).  Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.
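The defect the advisory describes, modelled as a simplified export-name option parser. This is an example added here, not qemu's nbd/server.c, not Eric Blake's code and not the actual upstream fix: an unchecked variant that copies a client-supplied length straight into a 256-byte stack buffer, beside a checked variant that refuses over-long names before the buffer is touched. The constants EXAMPLE_MAX_NAME_SIZE and EXAMPLE_SPEC_MAX_NAME_LEN, the payload layout (4-byte big-endian length followed by the name bytes) and every function name are assumptions of this example; the constructed 3000-byte name of 'a' bytes mirrors the advisory's printf/tr one-liner.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits as described in the advisory: qemu caps export names at 256
 * bytes while the NBD spec lets a client send up to 4096. The macro
 * names are assumptions for this example, not qemu's identifiers. */
#define EXAMPLE_MAX_NAME_SIZE     256
#define EXAMPLE_SPEC_MAX_NAME_LEN 4096

/* Assumed option payload layout: 4-byte big-endian name length, then
 * the name bytes (no NUL terminator on the wire). */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* "Before": the server trusts the client-supplied length and copies that
 * many bytes into a fixed-size stack buffer. Any length above 256 runs
 * past `name`, which is the stack smash the advisory describes. Kept only
 * as the contrast with the checked version below; it is never called
 * with a long name in this example. */
int export_name_unchecked(const uint8_t *payload, size_t payload_len)
{
    char name[EXAMPLE_MAX_NAME_SIZE + 1];
    uint32_t len;

    if (payload_len < 4) {
        return -1;
    }
    len = read_be32(payload);
    memcpy(name, payload + 4, len);   /* no comparison against sizeof name */
    name[len] = '\0';
    return (int)len;
}

/* "After": validate the length before the stack buffer is touched.
 * Returns the accepted name length, -1 for a name the server will not
 * serve (over its 256-byte limit), -2 for a malformed request (length
 * above the spec maximum, or longer than the bytes actually received). */
int export_name_checked(const uint8_t *payload, size_t payload_len)
{
    char name[EXAMPLE_MAX_NAME_SIZE + 1];
    uint32_t len;

    if (payload_len < 4) {
        return -2;
    }
    len = read_be32(payload);
    if (len > EXAMPLE_SPEC_MAX_NAME_LEN || len > payload_len - 4) {
        return -2;   /* protocol violation: drop the client */
    }
    if (len > EXAMPLE_MAX_NAME_SIZE) {
        return -1;   /* spec-legal but unsupported: refuse cleanly */
    }
    memcpy(name, payload + 4, len);   /* now guaranteed to fit */
    name[len] = '\0';
    return (int)len;
}

/* Builds a constructed payload whose name is `n` bytes of 'a', mirroring
 * the advisory's printf/tr one-liner, and runs it through the checked
 * parser. Returns that parser's result. */
int checked_result_for_name_length(uint32_t n)
{
    static uint8_t buf[4 + 2 * EXAMPLE_SPEC_MAX_NAME_LEN];

    if (n > sizeof buf - 4) {
        return -3;   /* helper's own limit, not a protocol rule */
    }
    buf[0] = (uint8_t)(n >> 24);
    buf[1] = (uint8_t)(n >> 16);
    buf[2] = (uint8_t)(n >> 8);
    buf[3] = (uint8_t)n;
    memset(buf + 4, 'a', n);
    return export_name_checked(buf, 4 + (size_t)n);
}

int main(void)
{
    printf("3000-byte name -> %d (refused, no overflow)\n",
           checked_result_for_name_length(3000));
    printf("256-byte name  -> %d (accepted)\n",
           checked_result_for_name_length(256));
    printf("5000-byte name -> %d (malformed, above spec maximum)\n",
           checked_result_for_name_length(5000));
    return 0;
}
```

The order of the two checks matters for the defender: a length above the spec maximum or beyond the received bytes is a protocol violation and the client should be dropped, while a spec-legal name between 257 and 4096 bytes is a request the server simply cannot serve and should answer with an error. With the checked variant the process stays up in both cases; with the unchecked variant, -fstack-protector-strong as mentioned above only converts the overrun into an abort, which still loses the VM.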

#  0day.today [2018-03-14]  #


Vulners AI Score: 9.2 (High risk)
EPSS: 0.01606