UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824,
MOKB-03-11-2006, CVE-2006-5679
Bill Moran
wmoran at collaborativefusion.com
Fri Nov 24 20:15:47 UTC 2006
On Fri, 24 Nov 2006 21:04:30 +0100
Lutz Boehne <lboehne at damogran.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Out of the box you need to be root to mount things. Once you have
> > root access to a box you don't need silly things like this to crash
> > it.
> >
> > If you've gone out of your way to configure your box in such a way
> > that a non-root user can mount arbitrary UFS filesystems then they
> > certainly don't need to waste their time with buffer-overflows and
> > the like. They can simply mount a filesystem with any number of SUID
> > root binaries on it and have their way with the box.
> >
> > Either way, while it's senseless to argue that the buffer overflows
> > don't exist, anyone in a positiion to actually exploit them doesn't
> > need them to be malicious.
>
> I do quite not agree with your analysis.
>
> Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> filesystem from a device they have read access to to any directory they
> own, _but_ if the user does so, FreeBSD will automatically mount that
> filesystem nosuid. So the intent is to give a local user the possibilty
> to mount a filesystem without gaining full control over the machine.
>
> Secondly, why would people go out of their way to set that sysctl to 1?
> I can see this happen in environments where users are not supposed to
> have full control over their desktop machines, but where they need to
> transfer data to/from USB flash drives.
>
> Thirdly, while I'm talking about desktop machines, many desktop Linux
> distributions are configured such they will _automatically_ mount USB
> media once those are plugged in (and pop up an icon on the KDE or GNOME
> desktop). It's only a matter of time until such functionality will be
> available on FreeBSD (maybe it already is?) and widely used on desktop
> machines (e.g. on Laptops, in Internet Cafes), as it seems to be quite
> user friendly. On such machines an attacker would not even need a local
> user account.
>
> While one might say that these attack scenarios all require physical
> access (and we all know that physical access is game over, right;)),
> simply plugging in a USB memory device is much more inconspicious than
> other "physical" attacks, like rebooting a box into single user mode
> (which one could additionally secure with a password prompt).
I don't think anyone is arguing whether or not this is a bug. It is.
I will argue, however, that it does not constitute a security flaw, which
is what the MOKB folks claim. If a user has the ability to graft untrusted
filesystems onto the filesystem tree, that user is in one of a few scenerios:
1) They are root or equivalent.
2) They have physical access to the machine.
3) They are working on a machine that is secured incorrectly.
If #1, then it's a mute point, as root can DOS a machine without any kernel
bugs. If #2, it's a mute point, as physical access bypasses any software
security anyway. And #3 is a mute point, since any system can be configured
to be insecure by a properly skilled idiot, and the kernel hackers can't be
expected to program around idiotic sysadmins.
So, yes, it is a bug that needs to be fixed. But I don't see it as a security
issue.
-Bill
More information about the freebsd-security
mailing list