lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <116791eb0607141233t267bbd21m4b481ff7d38aa208@mail.gmail.com>
Date: Fri, 14 Jul 2006 15:33:28 -0400
From: Xavier <compromise@...il.com>
To: bugtraq@...urityfocus.com
Subject: Rocks Clusters <=4.1 local root

(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt)

              tigerteam.se security advisory - TSEAD-200606-6
                              www.tigerteam.se

     Advisory: Rocks Clusters <=4.1 local root vulnerabilities
         Date: Wed Jul 5 15:52:59 EDT 2006
  Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
    Reference: TSEAD-200606-6
       Author: Xavier de Leon - xavier@...erteam.se


SYNOPSIS

    "Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
     Linux COTS clusters. Building a Rocks cluster does not require any
     experience in clustering, yet a cluster architect will find a flexible
     and programmatic way to redesign the entire software stack just below the
     surface (appropriately hidden from the majority of users). Although Rocks
     includes the tools expected from any clustering software stack (PBS,
     Maui, GM support, Ganglia, etc), it is unique in its simplicity of
     installation."[7]

     Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
     due to improper validating of arguments in two of its suid and world
     executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
     an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
     FLOPS.


VENDER RESPONSE

    May 31, 2006: Initial contact
     Jun 1, 2006: Response, Disclosure, Verification of bug,
                  redirected to another project Contact. Fixed
                  in CVS[1]
     Jun 9, 2006: Attempted contact after 8 days of silence
    Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
    Jun 30, 2006: Attempted contact after 29 days of silence
     Jul 5, 2006: No contact


VULNERABILITIES

    1) mount-loop:
       mount-loop is a binary that is distributed with suid root and is world
       executable.

       The problem is the program does not properly filter args
       to be used in a system() execution. An attacker could gain root from
       command line. A link[2] to its source can be found below.

       PoC[4] provided below.

    2) umount-loop:
       umount-loop is a binary that is distributed with suid root and is world
       executable.

       The problem is the program does not properly filter args
       to be used in a system() execution. An attacker could gain root from
       command line. A link[3] to its source can be found below.

       PoC[5] provided below.

DISCOVERY

    Xavier de Leon <xavier@...erteam.se>
    check out http://xavsec.blogspot.com for future sec releases on my part


ABOUT TIGERTEAM.SE

    tigerteam.se offers spearhead competence within the areas of vulnerability
    assessment, penetration testing, security implementation, and advanced
    ethical hacking training. tigerteam.se consists of Michel Blomgren -
    company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
    security consultant. Together we have worked for organizations in over 15
    countries.


REFERENCES

    [1]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nodes/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
    [2]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
    [3]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
    [4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
    [5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
    [6]: http://www.rocksclusters.org/rocks-register/
    [7]: http://distrowatch.com/table.php?distribution=rockscluster

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ