The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
util-linux: privilege elevation via mount or umount
Synthesis of the vulnerability
The mount and umount programs do not correctly drop their privileges when an external helper is called.
Impacted products: Debian, Fedora, Mandriva Linux, Mandriva NF, openSUSE, RHEL, Unix (platform) ~ not comprehensive, ESX.
Severity of this bulletin: 1/4.
Consequences of an intrusion: privileged access/rights.
Hacker's origin: user shell.
Creation date: 11/10/2007.
References of this threat: BID-25973, CVE-2007-5191, DSA-1449-1, DSA-1450-1, FEDORA-2007-2462, FEDORA-2007-722, MDKSA-2007:198, RHSA-2007:0969-01, SUSE-SR:2007:022, VIGILANCE-VUL-7239, VMSA-2008-0001, VMSA-2008-0001.1.
Description of the vulnerability
When the (u)mount command is run to (u)mount certain types of filesystem, it calls external helpers such as /sbin/mount.nfs or /sbin/mount.cifs.
These external helpers have to be called with the real uid/gid of the user (and not the effective uid/gid of the mount command). The check_special_mountprog() function thus drops its privileges before calling a program with a name like "/sbin/mount._type_".
However, this privilege dropping operation is not correctly done:
- user privileges are dropped before group privileges
- error codes are not checked
A local attacker who can create a malicious /sbin/mount._type_ file can therefore use mount in order to execute code with the effective group of mount (if mount is installed sgid).
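The two flaws listed above, shown next to a corrected privilege drop. This is an added example, not code from util-linux or from the bulletin; the function name drop_privileges_checked() is hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed sequence as described in the bulletin (constructed illustration,
 * not the util-linux source):
 *
 *     setuid(getuid());   // uid dropped first: the process may lose the
 *                         // right to change its gid afterwards
 *     setgid(getgid());   // can then fail; unchecked, so the privileged
 *                         // effective gid stays in place for the helper
 */

/* Corrected form: group first, then user, every call checked, result
 * verified. Returns 0 on success, -1 on any failure; on -1 the caller
 * must not exec the external helper. */
int drop_privileges_checked(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)      /* group first, while still permitted */
        return -1;
    if (setuid(ruid) != 0)      /* then user */
        return -1;

    /* Confirm the effective ids now match the real ids. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;

    /* A non-root caller must not be able to regain uid 0. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    if (drop_privileges_checked() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to run helper\n");
        return 1;
    }
    printf("helper would run as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```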