Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180)

2007.03.31
Credit: Tim Rees
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

TrueCrypt 4.3 for Linux from http://www.truecrypt.org/ It seems to be possible to perform various denial of service attacks on a Linux computer running TrueCrypt in set-uid root mode, or possible introduce evil binaries into normally trusted locations. I tested this on the latest version, 4.3, which corrected another vulnerability, but it still seems insecure. The following command mounts a file-based container over /usr/bin. This can be done by a non-root user provided TrueCrypt is in set-uid mode, and the file container does not have to contain any files: tim# truecrypt -u myvolume.tc /usr/bin This could result in system binaries becoming inaccessible, or if the user has copied his own binaries into the file container, they could potentially replace legitimate system binaries with malicious ones, e.g. a /usr/bin/sudo that does something nasty. To do this I did the following (as non-root). # truecrypt -c # create a FAT32 volume called test.tc # truecrypt -u test.tc tmpdir # mount in a tmp dir in my home dir # cd tmpdir # cp ../badbinary ./sudo # copy in an evil binary from somewhere # chmod +x sudo # truecrypt -d # unmount the volume # truecrypt -u test.tc /usr/bin # mount same volume over /usr/bin All other system binaries (e.g. screen etc.) are now inaccessible, but if a user (or root) runs sudo (or whatever the user names it) in the meantime before someone realises something is wrong, the malicious binary will be executed. Because the umount and truecrypt binaries reside in /usr/bin, if they have been "masked" by an empty container mounted on /usr/bin, it may not be possible to recover the system without a reboot. It also seems possible to arbitrarily deny users local (and possibly remote) access to the system, for example through the following command: tim# truecrypt -u myvolume.tc /home/sally Even if the user does not have write access to /home/sally, the unrestricted set-uid operation means that "tim" has now "mounted over" sally's home directory. If sally is currently logged in, her files will appear to "disappear" because they have been mounted over. If user sally tries to log in, in my tests she cannot then log in graphically because some of her configuration files have become inaccessible. User sally has been denied access to the system by a non-root user. I believe there also may be another vulnerability here. If user sally could log in (e.g. through a terminal), any files she writes to "/home/sally" will actually be re-directed to the volume mounted by user tim. If the file-hosted volume is FAT32, user tim could potentially "steal" files as they are written not to sally's regular home directory but to the FAT32 volume. I have been unable to test this successfully though since it seems user sally cannot log in after this denial of service is performed. There seems to be other ways to perform a DoS too. Mounting a volume (even if empty) over /tmp affects operation of the system (users cannot log in through X), and mounting over /var/log could be done to subvert system log messages to a FAT32 volume that can be read by any user. A "workaround" is to remove the set-uid bit from /usr/bin/truecrypt, but then only root can mount TrueCrypt volumes. It seems there needs to be much tigher control on where non-root users can mount their volumes to. -- Tim Rees


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top