Vendor: QEMU NBD Server
By: N/A
CVSS: 7.5 (HIGH)
CWE: 119 (Stack Overflow)
Product Name: QEMU NBD Server
Affected Version From: 2.10
Affected Version To: 2.10
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2018
Stack Smash in QEMU NBD Server
The NBD specification allows a client to request export names of up to 4096 bytes, even though a client should not expect success for names longer than 256 bytes. QEMU, however, hard-codes a limit of 256 bytes and fails to reject a client that probes with a longer name; the result is a stack smash that can potentially give an attacker arbitrary control over the qemu process. The smash can easily be demonstrated with a single client command. If the qemu NBD server binary was compiled with -fstack-protector-strong, turning the stack smash into arbitrary code execution is considerably harder, but still theoretically possible for a determined attacker.
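The defect described above is the absence of a bounds check between the length a client claims for its export name and the fixed-size buffer the server copies it into. The following is an added illustration of that check, written for this page; it is not QEMU's own code and the constants and function names (NAME_BUF_LEN, parse_export_name, check_name_of_length) are assumed for the example. It parses an NBD newstyle option request (the 8-byte "IHAVEOPT" magic, a 32-bit big-endian option number and a 32-bit big-endian length, followed by the name) and refuses to copy anything before the client-supplied length has been validated against the destination buffer; the constructed test vectors model a well-formed name and the over-long probes the advisory mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed names for this illustration; they are not QEMU's own symbols. */
#define NAME_BUF_LEN        256  /* size of the fixed buffer the name is copied into */
#define NBD_OPT_HDR_LEN     16   /* 8-byte "IHAVEOPT" magic + u32 option + u32 length */
#define NBD_OPT_EXPORT_NAME 1    /* option number from the NBD newstyle handshake */
#define NBD_SPEC_NAME_MAX   4096 /* longest name the NBD spec lets a client send */

enum name_status { NAME_OK = 0, NAME_BAD_HEADER, NAME_TOO_LONG, NAME_SHORT_PAYLOAD };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an NBD_OPT_EXPORT_NAME request into `out`.  The client-controlled
 * length field is compared against the destination buffer BEFORE any bytes are
 * copied; skipping this comparison and copying `name_len` bytes into a
 * 256-byte stack buffer is exactly the pattern that lets an over-long name
 * overwrite the stack. */
enum name_status parse_export_name(const uint8_t *msg, size_t msg_len,
                                   char *out, size_t out_len)
{
    if (msg_len < NBD_OPT_HDR_LEN || memcmp(msg, "IHAVEOPT", 8) != 0 ||
        be32(msg + 8) != NBD_OPT_EXPORT_NAME) {
        return NAME_BAD_HEADER;
    }
    uint32_t name_len = be32(msg + 12);
    if (name_len >= out_len) {          /* reject before reading; keeps room for NUL */
        return NAME_TOO_LONG;
    }
    if (msg_len - NBD_OPT_HDR_LEN < name_len) {
        return NAME_SHORT_PAYLOAD;      /* header promises more bytes than were sent */
    }
    memcpy(out, msg + NBD_OPT_HDR_LEN, name_len);
    out[name_len] = '\0';
    return NAME_OK;
}

/* Constructed test vector: an option request whose name is `name_len` bytes of 'A'. */
static size_t build_request(uint8_t *buf, size_t buf_len, uint32_t name_len)
{
    if (buf_len < NBD_OPT_HDR_LEN + (size_t)name_len) return 0;
    memcpy(buf, "IHAVEOPT", 8);
    buf[8] = 0; buf[9] = 0; buf[10] = 0; buf[11] = NBD_OPT_EXPORT_NAME;
    buf[12] = (uint8_t)(name_len >> 24); buf[13] = (uint8_t)(name_len >> 16);
    buf[14] = (uint8_t)(name_len >> 8);  buf[15] = (uint8_t)name_len;
    memset(buf + NBD_OPT_HDR_LEN, 'A', name_len);
    return NBD_OPT_HDR_LEN + name_len;
}

/* Run the checked parser against a constructed request of the given name length. */
enum name_status check_name_of_length(uint32_t name_len)
{
    uint8_t msg[NBD_OPT_HDR_LEN + NBD_SPEC_NAME_MAX];
    char name[NAME_BUF_LEN];           /* the fixed buffer the check protects */
    size_t n = build_request(msg, sizeof msg, name_len);
    if (n == 0) return NAME_SHORT_PAYLOAD;
    return parse_export_name(msg, n, name, sizeof name);
}

int main(void)
{
    printf("200-byte name:  %d\n", check_name_of_length(200));  /* NAME_OK */
    printf("256-byte name:  %d\n", check_name_of_length(256));  /* NAME_TOO_LONG */
    printf("4096-byte name: %d\n", check_name_of_length(4096)); /* NAME_TOO_LONG */
    return 0;
}
```

The check rejects a name as soon as its claimed length is too large for the buffer, before any payload is read, so a spec-legal 4096-byte name is answered with an error rather than copied. A stack protector such as -fstack-protector-strong only detects the overwrite after it has happened; the length check prevents it.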
Mitigation:
Compile the qemu NBD server binary with -fstack-protector-strong to make the stack smash more difficult for an attacker to exploit.