cfs-1.4.0beta2 root exploitable bug

ther (therapy@GUARDIAN.HTU.TUWIEN.AC.AT)
Sat, 21 Feb 1998 01:13:27 +0100

the security problem with the pseudo nfsd of cfs:

cfsd uses the seteuid call to change to the user's id and doesn't have to
care about permissions any more. After the user's request has been handled
it changes back to root. But while processing the user's request euid=user's
id, and the user is able to kill cfsd or do whatever he wants with the
process, for example mmapping /proc/<cfsdpid>/mem into memory and changing the
code. cfsd seteuid's itself to root again after the file access and
wonders why it should execute "echo * * > /root/.rhosts" *g*.
I currently figured out a solution for Linux only: the
setfs{uid,gid} call. The man page describes exactly this security problem:

---
       An explicit call to setfsuid is usually only used by pro-
       grams  such  as  the  Linux NFS server that need to change
       what user ID is used for file access without a correspond-
       ing change in the real and effective user IDs. A change in
       the normal user IDs for a program such as the  NFS  server
       is  a security hole that can expose it to unwanted signals
       from other user IDs.
---

--- cfs_orig.h Sat Feb 21 01:00:51 1998 +++ cfs.h Sat Feb 21 01:02:47 1998 @@ -200,6 +200,10 @@ #define become(x) ((x)==NULL?(setuidx(ID_EFFECTIVE | ID_REAL,0)||setgidx(ID_EFFECTIVE|ID_REAL,0)) :\ (setgidx(ID_EFFECTIVE|ID_REAL,rgid(x)) || setuidx(ID_EFFECTIVE|ID_REAL, ruid(x)))) #else +#ifdef linux +#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\ + (setfsgid(rgid(x)) || setfsuid(ruid(x)))) +#else #define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\ (setegid(rgid(x)) || seteuid(ruid(x)))) #endif
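Review bot: the added `#ifdef linux` opens a conditional that no `+#endif` in this hunk closes; the only `#endif` visible is the pre-existing one for the outer conditional, so as posted the header will not preprocess (the message itself says it was not compiled). A second `#endif` after the existing one is needed, and the Linux branch also needs `#include <sys/fsuid.h>`. Two further points on the new `become(x)` line: setfsuid()/setfsgid() return the previous fsuid/fsgid on both success and failure rather than 0 on success, so `setfsgid(rgid(x)) || setfsuid(ruid(x))` cannot detect a refused switch (it returns the unchanged previous id, 0 when called from root) and would read a non-zero previous id as failure; verify by calling a second time with the same value, e.g. `setfsuid(ruid(x)); if (setfsuid(ruid(x)) != ruid(x)) ...`. And the `(x)==NULL` branch still restores with seteuid(0)/setegid(0); on Linux that only resets the fsuid/fsgid because setting the effective id also sets the filesystem id, so an explicit setfsuid(0)/setfsgid(0) in the restore path would make the fix independent of that side effect.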

This should fix the problem for Linux. I haven't tested nor compiled it, 'cause I'm really too tired for this now ;)

bye, therapy
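The following is an added example, not code from this post or from cfs: a checked, function-based version of the Linux branch of the become() macro, with the two-call verification the setfsuid man page recommends and an explicit return to root. The names become_user(), become_root() and can_read(), the default uid 65534 and the choice of /etc/shadow as a root-only probe file are this example's own assumptions.

```c
/* Added example, not code from the cfs post or from cfs itself: a checked
 * replacement for the Linux branch of the become() macro.  The names
 * become_user(), become_root() and can_read() are this example's own. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* setfsuid()/setfsgid() return the previous id whether or not the change
 * was permitted, so a single call carries no error indication.  Calling
 * a second time with the same value and comparing is the check the man
 * page recommends: the second call is a no-op and reports the id that
 * is actually in effect after the first. */
static int set_fsuid_checked(uid_t uid)
{
    setfsuid(uid);
    return (uid_t)setfsuid(uid) == uid ? 0 : -1;
}

static int set_fsgid_checked(gid_t gid)
{
    setfsgid(gid);
    return (gid_t)setfsgid(gid) == gid ? 0 : -1;
}

/* Serve one request with file access checked as uid/gid.  Only the
 * filesystem ids move; real, effective and saved uid stay 0, so the
 * user gains no right to signal or ptrace the daemon, unlike after
 * seteuid(uid).  Group first, as in the original macro.  Callers are
 * expected to start at root fsids (after become_root()), which is why a
 * failed uid switch rolls the gid back to 0.  Supplementary groups are
 * left untouched, as in the macro. */
int become_user(uid_t uid, gid_t gid)
{
    if (set_fsgid_checked(gid) != 0)
        return -1;
    if (set_fsuid_checked(uid) != 0) {
        setfsgid(0); /* best-effort rollback to the caller's state */
        return -1;
    }
    return 0;
}

/* Restore root file access explicitly instead of relying on seteuid(0)
 * resetting the fsuid as a side effect. */
int become_root(void)
{
    if (set_fsuid_checked(0) != 0)
        return -1;
    return set_fsgid_checked(0);
}

/* 1 if path can be opened for reading under the current fsuid, else 0. */
int can_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Demo (needs root to show anything): serve as argv[1] (default 65534,
 * usually "nobody"; the same number is assumed as gid), probe a root-only
 * file, return to root, probe again.  The euid printed is 0 both times;
 * only the open() result changes. */
int main(int argc, char **argv)
{
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 65534;
    const char *path = "/etc/shadow"; /* assumed to exist as root-only 0600 */

    if (become_user(uid, (gid_t)uid) != 0) {
        fprintf(stderr, "become_user(%u): switch refused\n", (unsigned)uid);
        return 1;
    }
    printf("as user %u: euid=%u readable=%d\n",
           (unsigned)uid, (unsigned)geteuid(), can_read(path));
    if (become_root() != 0) {
        fprintf(stderr, "become_root: switch refused\n");
        return 1;
    }
    printf("back to root: euid=%u readable=%d\n",
           (unsigned)geteuid(), can_read(path));
    return 0;
}
```

Build with `cc -o become become.c` and run it as root; the first probe of the root-only file fails while geteuid() still reports 0, the second succeeds. Run unprivileged, become_user() with any id other than your own and become_root() both return -1, which is exactly the failure the macro's `||` chain cannot see. The example does not itself demonstrate the signal-exposure difference (that needs a second process owned by the served user trying to kill the daemon), and setfsuid/setfsgid remain Linux-only.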