[Fwd: [linux-security] amd 920824upl102 ignores the nodev option]

Milan Milan
Wed Apr 9 07:58:23 CEST 1997


I think this mail won't do anyone any harm, it can only be useful.

Regards,
Milan

Return-path: <owner-bugtraq at NETSPACE.ORG>
Received: from DIRECTORY-DAEMON by rcum.uni-mb.si (PMDF V5.1-4 #7554)
 id <01IHH2MCQMM80023S3 at rcum.uni-mb.si>; Tue, 8 Apr 1997 19:21:34 MET
Received: from soncek.uni-mb.si by rcum.uni-mb.si (PMDF V5.1-4 #7554)
 with SMTP id <01IHH2M1GGPC0027BW at rcum.uni-mb.si>; Tue,
 08 Apr 1997 19:21:18 +0100 (MET)
Received: from brimstone.netspace.org by soncek.uni-mb.si with SMTP using DNS
 (PP) id <02889-0 at soncek.uni-mb.si>; Tue, 08 Apr 1997 19:22:49 +0200
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with
 ESMTP id <32808-20030>; Tue, 08 Apr 1997 13:19:40 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c)
 with spool id 3366424 for BUGTRAQ at NETSPACE.ORG; Tue, 08 Apr 1997 13:09:06 -0400
Received: from brimstone.netspace.org (brimstone [128.148.157.143])
 by netspace.org (8.8.5/8.8.2) with ESMTP id NAA01701 for
 <BUGTRAQ at netspace.org>; Tue, 08 Apr 1997 13:08:43 -0400
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with
 ESMTP id <32982-20028>; Tue, 08 Apr 1997 13:10:42 -0400
Received: from dfw.dfw.net (aleph1 at dfw.dfw.net [198.175.15.10])
 by netspace.org (8.8.5/8.8.2) with SMTP id MAA26636 for
 <bugtraq at netspace.org>; Tue, 08 Apr 1997 12:18:43 -0400
Received: from localhost by dfw.dfw.net (4.1/SMI-4.1) id AA26645; Tue,
 08 Apr 1997 11:20:53 -0500 (CDT)
X-Received: from mail2.redhat.com by dfw.dfw.net (4.1/SMI-4.1) id AA10872; Tue,
 8 Apr 97 04:19:42 CDT
X-Received: (qmail 15442 invoked by uid 501); 8 Apr 1997 08:38:45 -0000
X-Resent-date: linux-security at redhat.com
Date: Tue, 08 Apr 1997 11:20:45 -0500
X-Resent-from: 2_Ald1.0.mj3.8GWIp at mail2.redhat.com
From: Aleph One <aleph1 at DFW.NET>
Subject: [linux-security] amd 920824upl102 ignores the nodev option
Sender: Bugtraq List <BUGTRAQ at NETSPACE.ORG>
X-Sender: keryan at fatale.res.cmu.edu
To: BUGTRAQ at NETSPACE.ORG
X-Resent-cc: 8 Apr 1997 08:38:44 -0000
Reply-to: linux-security at redhat.com
X-Resent-message-id: "recipient list not shown:;"@redhat.com
Message-id: <Pine.SUN.3.94.970408112045.24949A at dfw.dfw.net>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Precedence: list
Approved-By: aleph1 at UNDERGROUND.ORG
Mbox-Line: From linux-security-request at redhat.com Tue Apr 8 04:38:32 1997
X-Mailing-List: <linux-security at redhat.com> archive/latest/196
X-Loop: linux-security at redhat.com
X-Resent-Sender: linux-security-request at redhat.com
Comments: Resent-From: Aleph One <aleph1 at dfw.net>
Comments: Originally-From: Bradley M Keryan <keryan at andrew.cmu.edu>

amd from the amd-920824upl102-6.i386.rpm file distributed with RedHat
Linux 4.1 does not honor the nodev option for NFS filesystems and probably
other mount types, allowing any user access to the device files in /dev on
a system, provided that they have root access to another linux box on the
network. In addition, the default amd.conf from RH 4.1 maps /net/* to NFS
mounting, which makes the bug in amd an easily accessible security hole.

The Exploit:

A friend of mine who has an account on my machine found a major security
hole in amd when he decided to play a prank on me involving /dev/dsp at
odd hours, but found I had denied access to /dev/dsp and /dev/audio. He
assumed that I had forgotten to put the options nosuid and nodev in the
amd mapping for NFS (the default RedHat 4.1 mapping, which *does* have
opts=nosuid,nodev), so he created a char device on his machine with major
number 14 and minor 3, permissions 666, exported the directory it was in
via NFS, and logged into my machine. He used the /net/* amd mapping to
mount the directory, and then used the char device in the NFS-mounted
filesystem to play sounds, although /proc/mounts and /etc/mtab displayed
it as mounted nodev.

This exploit works for block and char devices. It could be used to do more
malicious acts than merely play sounds, such as scan /dev/mem for
passwords, change file permissions or the contents of /etc/shadow with a
raw disk editor, and sundry and various other bad things.

This bug may affect any other distributions that include amd, but both
the exploit and the bug have only been tested on RedHat 4.1.

The Fix:

A one-character typo in the linux-specific header file for amd prevents it
from actually passing the nodev option to the kernel.


--- amd-upl102/config/os-linux.h.bad    Mon Apr  7 16:41:51 1997
+++ amd-upl102/config/os-linux.h        Mon Apr  7 16:42:19 1997
@@ -252,7 +252,7 @@

 #define M_RDONLY 1 /* mount read-only */
 #define M_NOSUID 2 /* ignore suid and sgid bits */
-#define M_NONDEV 4 /* disallow access to device special files */
+#define M_NODEV 4 /* disallow access to device special files */
 #define M_NOEXEC 8 /* disallow program execution */
 #define M_SYNC  16 /* writes are synced at once */
 #define M_REMOUNT  32 /* alter flags of a mounted FS */
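Review bot: renaming M_NONDEV to M_NODEV in this hunk only takes effect if the other definition of M_NODEV that let amd compile (the one mentioned below the diff) is removed or also evaluates to 4; otherwise whichever definition the preprocessor sees last wins, with at most a redefinition warning. Suggest locating and deleting that duplicate and guarding against a repeat with a compile-time check against the kernel's flag, e.g. `#if M_NODEV != MS_NODEV` / `#error "M_NODEV does not match the kernel mount flag"` / `#endif`, assuming <sys/mount.h> with MS_NODEV (4 on Linux) is available where this header is included.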


That's it. Evidently M_NODEV was defined to something else elsewhere,
otherwise amd shouldn't have compiled.

Brad Keryan
keryan na andrew.cmu.edu
http://fatale.res.cmu.edu/
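Added example (not part of the original post or of amd): the report shows that an option displayed in /proc/mounts and /etc/mtab was not actually enforced, so an administrator verifying a fix like the one above needs both a mount-table audit and a functional probe. The Python below parses /proc/mounts-style lines over constructed sample entries (hostnames, paths and the list of untrusted filesystem types are assumptions), reports entries that lack nodev or nosuid, and, when run as root against a real mount point, creates a harmless character node with the major/minor numbers of /dev/null and checks that the kernel refuses to open it, which on Linux fails with EACCES on a nodev mount.

```python
"""Audit nodev/nosuid on mounts and probe whether nodev is really enforced.

Added example; not code from the original post or from amd.
"""
import errno
import os
import stat
import sys

# Filesystem types whose contents are controlled by someone other than the
# local root (assumption: list chosen for this example); device nodes on
# them must never be honoured.
UNTRUSTED_FSTYPES = {"nfs", "nfs4", "cifs", "smbfs", "fuse", "vfat", "iso9660", "udf"}
REQUIRED_OPTS = ("nodev", "nosuid")

# Constructed /proc/mounts-style sample; hosts and paths are made up.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 rw 0 0
proc /proc proc rw 0 0
filesrv:/export /net/filesrv nfs rw,nosuid,nodev,addr=10.0.0.5 0 0
prankbox:/tmp/devs /net/prankbox nfs rw,addr=10.0.0.9 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines into (device, mountpoint, fstype, set(options))."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        dev, mnt, fstype, opts = fields[:4]
        mnt = mnt.replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        entries.append((dev, mnt, fstype, set(opts.split(","))))
    return entries


def missing_hardening(text, untrusted=UNTRUSTED_FSTYPES):
    """Return {mountpoint: [missing options]} for untrusted filesystems whose
    mount-table entry lacks nodev or nosuid."""
    findings = {}
    for _dev, mnt, fstype, opts in parse_mounts(text):
        if fstype not in untrusted:
            continue
        missing = [o for o in REQUIRED_OPTS if o not in opts]
        if missing:
            findings[mnt] = missing
    return findings


def probe_nodev(directory):
    """Functionally test nodev on the filesystem holding `directory`.

    Creates a character node with /dev/null's numbers (major 1, minor 3,
    harmless) and tries to open it; the kernel answers EACCES on a nodev
    mount.  Needs root.  Returns 'enforced', 'NOT enforced' or
    'inconclusive: <reason>'.  The node is always removed afterwards.
    """
    path = os.path.join(directory, ".nodev-probe-%d" % os.getpid())
    try:
        os.mknod(path, stat.S_IFCHR | 0o600, os.makedev(1, 3))
    except OSError as e:
        return "inconclusive: mknod failed (%s)" % errno.errorcode.get(e.errno, e.errno)
    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:
        return "enforced"
    except OSError as e:
        return "inconclusive: open failed (%s)" % errno.errorcode.get(e.errno, e.errno)
    else:
        os.close(fd)
        return "NOT enforced"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Audit the constructed sample, then the live table if this is Linux.
    for source, text in (("sample", SAMPLE_MOUNTS),) + (
        (("/proc/mounts", open("/proc/mounts").read()),) if os.path.exists("/proc/mounts") else ()
    ):
        for mnt, missing in sorted(missing_hardening(text).items()):
            print("%s: %s lacks %s" % (source, mnt, ",".join(missing)))
    if len(sys.argv) > 1:  # optional functional probe of a real mount point
        print("nodev on %s: %s" % (sys.argv[1], probe_nodev(sys.argv[1])))
```

Run it without arguments to audit the mount table; run it as root with a directory on the mount under test (`python3 audit.py /net/somehost`) to get the functional verdict. The probe is the part that would have caught the amd bug, since it asks the kernel rather than the mount table whether device nodes are honoured.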





