lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4a6942471003050906r57dd4472h2e1efe0b76a54838@mail.gmail.com>
Date: Fri, 5 Mar 2010 12:06:01 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: ncpfs, Multiple Vulnerabilities

============================================
 ncpfs, Multiple Vulnerabilities
 March 5, 2010
 CVE-2010-0788, CVE-2010-0790, CVE-2010-0791
============================================

==Description==

The ncpmount, ncpumount, and ncplogin utilities, installed as part of the ncpfs
package, contain several vulnerabilities.

1. ncpmount, ncpumount, and ncplogin are vulnerable to race conditions that
allow a local attacker to unmount arbitrary mountpoints, causing
denial-of-service, or mount Netware shares to arbitrary directories,
potentially leading to root compromise.  This issue was formerly assigned
CVE-2009-3297, but has since been re-assigned CVE-2010-0788 to avoid overlap
with related bugs in other packages.

2. ncpumount is vulnerable to an information disclosure vulnerability that
allows a local attacker to verify the existence of arbitrary files, violating
directory permissions.  This issue has been assigned CVE-2010-0790.

3. ncpmount, ncpumount, and ncplogin create lockfiles insecurely, allowing a
local attacker to leave a stale lockfile at /etc/mtab~, causing other mount
utilities to fail and creating denial-of-service conditions.  This issue has
been assigned CVE-2010-0791.

==Workaround==

If unprivileged users do not need the ability to mount and unmount Netware
shares, then the suid bit should be removed from these utilities.

==Solution==

A patch has been released that resolves these issues (attached to this
advisory).  ncpfs-2.2.6.partial.patch is intended for ncpfs releases that have
already been patched against the first vulnerability in this report
(CVE-2010-0788, formerly CVE-2009-3297).  It has been tested against the latest
ncpfs packages distributed by Fedora, Red Hat, and Mandriva.
ncpfs-2.2.6.full.patch is intended for ncpfs releases that have not been
patched against any of these vulnerabilities.  It has been tested against the
latest ncpfs packages distributed by Debian, Ubuntu, and the upstream release
(ftp://platan.vc.cvut.cz/pub/linux/ncpfs/).

Users are advised to recompile from source, or request updated packages from
downstream distributors.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@...il.com).
Thanks to Vitezslav Crhonek for the patch against the first issue.

==References==

CVE identifiers CVE-2010-0788, CVE-2010-0790, and CVE-2010-0791 have been
assigned to these issues.

View attachment "ncpfs-2.2.6.full.patch" of type "text/x-patch" (11621 bytes)

View attachment "ncpfs-2.2.6.partial.patch" of type "text/x-patch" (4952 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ