(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt)
tigerteam.se security advisory - TSEAD-200606-6
www.tigerteam.se
Advisory: Rocks Clusters <=4.1 local root vulnerabilities
Date: Wed Jul 5 15:52:59 EDT 2006
Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
Reference: TSEAD-200606-6
Author: Xavier de Leon - xavier (at) tigerteam (dot) se [email concealed]
SYNOPSIS
"Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
Linux COTS clusters. Building a Rocks cluster does not require any
experience in clustering, yet a cluster architect will find a flexible
and programmatic way to redesign the entire software stack just below the
surface (appropriately hidden from the majority of users). Although Rocks
includes the tools expected from any clustering software stack (PBS,
Maui, GM support, Ganglia, etc), it is unique in its simplicity of
installation."[7]
Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
due to improper validating of arguments in two of its suid and world
executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
FLOPS.
VENDER RESPONSE
May 31, 2006: Initial contact
Jun 1, 2006: Response, Disclosure, Verification of bug,
redirected to another project Contact. Fixed
in CVS[1]
Jun 9, 2006: Attempted contact after 8 days of silence
Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
Jun 30, 2006: Attempted contact after 29 days of silence
Jul 5, 2006: No contact
VULNERABILITIES
1) mount-loop:
mount-loop is a binary that is distributed with suid root and is world
executable.
The problem is the program does not properly filter args
to be used in a system() execution. An attacker could gain root from
command line. A link[2] to its source can be found below.
PoC[4] provided below.
2) umount-loop:
umount-loop is a binary that is distributed with suid root and is world
executable.
The problem is the program does not properly filter args
to be used in a system() execution. An attacker could gain root from
command line. A link[3] to its source can be found below.
PoC[5] provided below.
DISCOVERY
Xavier de Leon <xavier (at) tigerteam (dot) se [email concealed]>
check out http://xavsec.blogspot.com for future sec releases on my part
ABOUT TIGERTEAM.SE
tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced
ethical hacking training. tigerteam.se consists of Michel Blomgren -
company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
security consultant. Together we have worked for organizations in over 15
countries.
REFERENCES
[1]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nod
es/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
[2]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src
/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
[3]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src
/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
[4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
[5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
[6]: http://www.rocksclusters.org/rocks-register/
[7]: http://distrowatch.com/table.php?distribution=rockscluster