[1260] in linux-security and linux-alert archive
Re: [linux-security] ncpmount/ncpumount
daemon@ATHENA.MIT.EDU (David Holland)
Thu Oct 24 20:02:50 1996
From: David Holland <dholland@eecs.harvard.edu>
To: zarq@1stnet.com (Runar Jensen)
Date: Mon, 21 Oct 1996 07:02:11 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610140007.TAA32256@dancer.1stnet.com> from "Runar Jensen" at Oct 13, 96 07:07:32 pm
> I haven't had a chance to look at the source code yet, but it appears that
> ncpmount and ncpumount suffer from exactly the same problem that mount and
> umount did. In fact, the mount exploit that was so widely circulated works
> with ncpumount with no modifications.
I should note that smbmount suffers from a kernel interface design
flaw resulting in an exploitable race condition - if ncpmount lets
users mount arbitrary filesystems, it is also vulnerable to this
attack; in fact, any tool for letting users mount arbitrary
filesystems on arbitrary mount points is.
smbmount also has buffer overflows, although if they're the "same" as
the one in mount I don't know. I posted about this once before, and I
sent patches to the smbmount maintainer, who said he'd look into it
"in the fall". I haven't heard anything back since then, nor have I
heard anything about fixing the race condition.
The race condition is the standard problem: if you check permissions
in a different namei() operation than performing an action, symlinks
can be flipped around in between. In this case the problem is that the
user mode program performs a permission check using stat, and then
hands the pathname for the mount point off to the kernel which then
does another namei() to find the actual inode to mount over. This
means that you can mount stuff anywhere you like, such as over /etc.
Proceeding to a root shell from there is left as an exercise.
My point? chmod u-s smbmount, smbumount, ncpmount, ncpumount, and
anything else that lets users do mounts on mount points of their own
choosing. Also be careful where you permit users to mount things when
using a program (such as ordinary mount) that lets you configure
particular mount points for users to use. And keep it this way until
you hear news of kernel support for user mounting.
(The solution to this problem is to push the permission checks for
doing mounts down into the kernel, where they belong.)
--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
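The check-then-act race David describes, shown as an added illustration that is not code from smbmount, ncpmount or the mount package: the first function does its permission check with stat() on a pathname that is later handed to the kernel for a second lookup, the second resolves the mount point once, refuses a symlink there, and checks the descriptor it got. The function names and the helper's ownership rule are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>      /* mkdtemp() is used by the usage code below */
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical helper): the permission check is a
 * stat() on the pathname; the privileged operation that follows
 * (mount(2) with the same pathname) makes the kernel look the path up
 * again. Between the two lookups a component can be swapped for a
 * symlink, so the inode that was checked is not the one acted on.
 * Returns 0 when the check passes, -1 otherwise. */
int check_mountpoint_by_path(const char *path, uid_t caller)
{
    struct stat st;

    if (stat(path, &st) != 0)            /* follows symlinks */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != caller)
        return -1;
    /* ... later: mount(dev, path, ...) re-resolves 'path' in the kernel */
    return 0;
}

/* Safer pattern: resolve the mount point exactly once, refuse a symlink
 * as the final component, and check the inode the descriptor refers to.
 * Every later privileged step has to go through the descriptor (for
 * example fchdir(fd) and then operating on "."), so the kernel acts on
 * the inode that was checked rather than on a re-resolved pathname.
 * Returns the open descriptor, or -1 on failure. */
int open_checked_mountpoint(const char *path, uid_t caller)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return -1;                       /* ELOOP if 'path' itself is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != caller) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stand-alone demonstration: a directory owned by the caller and a
 * symlink pointing at it. The path-based check accepts both; the
 * descriptor-based check accepts only the real directory. */
int main(void)
{
    char tmpl[] = "/tmp/mpXXXXXX";      /* constructed scratch mount point */
    char link[64];
    char *dir = mkdtemp(tmpl);
    uid_t me = getuid();

    if (dir == NULL)
        return 1;
    snprintf(link, sizeof link, "%s.lnk", dir);
    if (symlink(dir, link) != 0)
        return 1;

    printf("stat check, directory: %d\n", check_mountpoint_by_path(dir, me));
    printf("stat check, symlink:   %d\n", check_mountpoint_by_path(link, me));
    int fd = open_checked_mountpoint(dir, me);
    printf("fd check, directory:   %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    printf("fd check, symlink:     %s\n",
           open_checked_mountpoint(link, me) >= 0 ? "accepted" : "rejected");

    unlink(link);
    rmdir(dir);
    return 0;
}
```

O_NOFOLLOW only protects the last path component; a directory higher up the path can still be replaced by a symlink, so a user-space helper that must be fully safe walks the path one component at a time with openat(), which is the long way of doing what the post says belongs in the kernel. Pinning the inode also only helps if the privileged step uses the descriptor; passing the original string to mount(2) just moves the second lookup.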