Date: Thu, 3 Mar 2011 21:42:17 -0500 From: Dan Rosenberg <dan.j.rosenberg@...il.com> To: oss-security@...ts.openwall.com Subject: Suid mount helpers fail to anticipate RLIMIT_FSIZE Hi all, This was originally sent to the now-defunct vendor-sec mailing list. Seeing how it's a relatively low-severity issue and that we're currently lacking a mechanism for coordination among package maintainers and vendors, this list seems like a perfectly acceptable venue for discussing how to fix it. I discovered that essentially every suid mount helper that uses addmntent() (or invokes util-linux mount, which in turn calls addmntent()) to add entries to /etc/mtab fails to anticipate a low value for RLIMIT_FSIZE, allowing unprivileged users to corrupt /etc/mtab and possibly manipulate mountpoint options. Affected software includes at least: mount.cifs (samba) fusermount (FUSE) mount (util-linux) ncpmount (ncpfs) vmware-hgfsmounter (open-vm-tools) Also affected are all their unmount equivalents. This can be exploited by checking the current size of /etc/mtab, setting an RLIMIT_FSIZE of some small amount greater than that, and invoking a suid mount helper. The edits to /etc/mtab will be truncated to the ulimit and no newline will be appended, so multiple invocations allow near-arbitrary appending to /etc/mtab. addmntent() will octal-encode most special characters, which makes exploitation beyond simple corruption not quite as straightforward, but I'm confident that with some creativity it would be possible to perform unauthorized unmounting, for example. There are a few possible options We could patch glibc to try to raise the rlimit in addmntent(). Or we could fix every suid mount helper to raise the rlimit or have proper error handling for the case when addmntent() fails. This final option requires that mtab editing be done in a temporary file and aborted on failure, which isn't the case for all helpers. Of course, once we figure out how to fix this, we can talk about assigning CVEs, etc. Regards, Dan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ