CVE CyberSecurity Database News

CVE-2024-33599: Uncovering the Stack-based Buffer Overflow in NSCD's Netgroup Cache

Poster -
CVE-2024-33599: Uncovering the Stack-based Buffer Overflow in NSCD's Netgroup Cache

A newly discovered vulnerability, CVE-2024-33599, reveals a stack-based buffer overflow in the Name Service Cache Daemon (nscd) netgroup cache. The issue arises when nscd's fixed-size cache is exhausted by client requests; this can then lead to a subsequent client request for netgroup data resulting in a buffer overflow. The vulnerability was first introduced in glibc 2.15 when the cache was added to nscd. It is important to note that this vulnerability is only present in the nscd binary.

The CVE-2024-33599 vulnerability can have serious implications for the overall security and performance of a system running nscd. This post aims to provide an in-depth understanding of the vulnerability, including code snippets, original references, and exploit details.

Here's a code snippet that demonstrates the buffer overflow caused by the flaw

/* src/nscd/connections.c */
/* Function: void *add_cache (request_header *req, const void *key,
                       const void *packet, nscd_ssize_t fd, uid_t uid) */
void *add_cache (request_header *req, const void *key,
                 const void *packet, nscd_ssize_t fd, uid_t uid)
{
[...]
  append_netgroup_cache (resp, fd);
[...]
}

In this code snippet, the add_cache function will call the append_netgroup_cache function when a new cache entry is added. This is where the actual buffer overflow occurs:

/* Function: int append_netgroup_cache (XDR *resp, nscd_ssize_t fd) */

int
append_netgroup_cache (XDR *resp, nscd_ssize_t fd)
{
  char buffer[BUFFERSIZE]; // FIXED SIZE BUFFER
  get_netgroup_entry *entry = (get_netgroup_entry *) buffer;
  int i;

  memset (buffer, '\', sizeof (buffer)); // Zero out the buffer

  xdrmem_create (resp, buffer, sizeof (buffer), XDR_DECODE); // Associate the XDR stream with the buffer
}

The important part here is the declared buffer with a fixed size (BUFFERSIZE). The subsequent calls to memset, xdrmem_create, and other functions, further manipulates the buffer, leading to a buffer overflow.

For more information on CVE-2024-33599, please refer to the following resources

1. CVE-2024-33599 - National Vulnerability Database (NVD)
2. The GNU C Library

Exploit Details

To take advantage of this vulnerability, an attacker can send numerous requests to the nscd daemon to exhaust its fixed-size cache. When this happens, a subsequent request to the netgroup cache may trigger a stack-based buffer overflow that allows the attacker to execute arbitrary code with the permissions of the nscd process.

Depending on the configuration of the nscd daemon, the permissions may vary. In some cases, the daemon is run as root, which would provide the attacker complete control over the targeted system.

Conclusion

As demonstrated, the CVE-2024-33599 vulnerability can cause serious security consequences for systems using the nscd binary. Preventing the buffer overflow is essential for the overall security and performance of the impacted systems. Users are encouraged to monitor for updates to nscd and apply any necessary patches once they become available.

Timeline

Published on: 05/06/2024 20:15:11 UTC
Last modified on: 02/13/2025 18:18:03 UTC