Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679

Out of the box you need to be root to mount things. Once you have
root access to a box you don't need silly things like this to crash

If you've gone out of your way to configure your box in such a way
that a non-root user can mount arbitrary UFS filesystems then they
certainly don't need to waste their time with buffer-overflows and
the like. They can simply mount a filesystem with any number of SUID
root binaries on it and have their way with the box.

Either way, while it's senseless to argue that the buffer overflows
don't exist, anyone in a position to actually exploit them doesn't
need them to be malicious.

I do not quite agree with your analysis.

Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
filesystem from a device they have read access to to any directory they
own, _but_ if the user does so, FreeBSD will automatically mount that
filesystem nosuid. So the intent is to give a local user the possibility
to mount a filesystem without gaining full control over the machine.

Secondly, why would people go out of their way to set that sysctl to 1?
I can see this happen in environments where users are not supposed to
have full control over their desktop machines, but where they need to
transfer data to/from USB flash drives.

Thirdly, while I'm talking about desktop machines, many desktop Linux
distributions are configured such that they will _automatically_ mount USB
media once those are plugged in (and pop up an icon on the KDE or GNOME
desktop). It's only a matter of time until such functionality will be
available on FreeBSD (maybe it already is?) and widely used on desktop
machines (e.g. on Laptops, in Internet Cafes), as it seems to be quite
user friendly. On such machines an attacker would not even need a local
user account.

While one might say that these attack scenarios all require physical
access (and we all know that physical access is game over, right;)),
simply plugging in a USB memory device is much more inconspicuous than
other "physical" attacks, like rebooting a box into single user mode
(which one could additionally secure with a password prompt).


freebsd-security@xxxxxxxxxxx mailing list
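
The reply above says that filesystems mounted by a non-root user under vfs.usermount=1 are forced nosuid. The following audit sketch is an added example, not part of the original message: it checks that property against FreeBSD `mount` output, where user mounts carry a "mounted by <user>" option. The sample mount lines and the function names are constructed for illustration, and mount points containing spaces are not handled.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `mount` output (not from the original post).
# The last line is deliberately missing nosuid to exercise the RISK branch.
sample_mounts() {
cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/da0s1 on /home/alice/usb (ufs, local, nosuid, mounted by alice)
/dev/da1s1 on /home/bob/stick (msdosfs, local, mounted by bob)
EOF
}

# audit_user_mounts: read `mount` output on stdin and print one line per
# user-owned mount: "OK <mountpoint> <user>" when nosuid is set,
# "RISK <mountpoint> <user>" when it is not. Root-owned mounts are skipped.
audit_user_mounts() {
    awk '
    / \(.*mounted by / {
        mp = $3                              # field after "on"
        opts = $0
        sub(/^.* \(/, "", opts)              # strip up to the option list
        sub(/\)$/, "", opts)                 # strip the closing paren
        n = split(opts, o, ", ")
        nosuid = 0
        user = "?"
        for (i = 1; i <= n; i++) {
            if (o[i] == "nosuid") nosuid = 1
            if (o[i] ~ /^mounted by /) user = substr(o[i], 12)
        }
        status = nosuid ? "OK" : "RISK"
        print status, mp, user
    }'
}

# usermount_enabled: $1 is the value printed by `sysctl -n vfs.usermount`.
usermount_enabled() {
    [ "$1" = "1" ]
}

# Offline demonstration on the constructed sample. On a live FreeBSD host:
#   usermount_enabled "$(sysctl -n vfs.usermount)" && mount | audit_user_mounts
sample_mounts | audit_user_mounts
```
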
