From: Bill Moran <wmoran@collaborativefusion.com>
To: Lutz Boehne
Cc: freebsd-security@freebsd.org
Date: Fri, 24 Nov 2006 15:15:43 -0500
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679
Message-Id: <20061124151543.03f06b19.wmoran@collaborativefusion.com>
In-Reply-To: <4567504E.6040601@damogran.de>

On Fri, 24 Nov 2006 21:04:30 +0100 Lutz Boehne wrote:

> > Out of the box you need to be root to mount things. Once you have
> > root access to a box you don't need silly things like this to crash
> > it.
> >
> > If you've gone out of your way to configure your box in such a way
> > that a non-root user can mount arbitrary UFS filesystems then they
> > certainly don't need to waste their time with buffer-overflows and
> > the like. They can simply mount a filesystem with any number of SUID
> > root binaries on it and have their way with the box.
> >
> > Either way, while it's senseless to argue that the buffer overflows
> > don't exist, anyone in a position to actually exploit them doesn't
> > need them to be malicious.
>
> I do not quite agree with your analysis.
>
> Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> filesystem from a device they have read access to to any directory they
> own, _but_ if the user does so, FreeBSD will automatically mount that
> filesystem nosuid. So the intent is to give a local user the possibility
> to mount a filesystem without gaining full control over the machine.
>
> Secondly, why would people go out of their way to set that sysctl to 1?
> I can see this happen in environments where users are not supposed to
> have full control over their desktop machines, but where they need to
> transfer data to/from USB flash drives.
>
> Thirdly, while I'm talking about desktop machines, many desktop Linux
> distributions are configured such that they will _automatically_ mount
> USB media once those are plugged in (and pop up an icon on the KDE or
> GNOME desktop). It's only a matter of time until such functionality will
> be available on FreeBSD (maybe it already is?) and widely used on desktop
> machines (e.g. on laptops, in Internet cafes), as it seems to be quite
> user friendly. On such machines an attacker would not even need a local
> user account.
>
> While one might say that these attack scenarios all require physical
> access (and we all know that physical access is game over, right;)),
> simply plugging in a USB memory device is much more inconspicuous than
> other "physical" attacks, like rebooting a box into single user mode
> (which one could additionally secure with a password prompt).

I don't think anyone is arguing whether or not this is a bug. It is.

I will argue, however, that it does not constitute a security flaw, which
is what the MOKB folks claim.

If a user has the ability to graft untrusted filesystems onto the
filesystem tree, that user is in one of a few scenarios:
1) They are root or equivalent.
2) They have physical access to the machine.
3) They are working on a machine that is secured incorrectly.

If #1, then it's a moot point, as root can DoS a machine without any
kernel bugs. If #2, it's a moot point, as physical access bypasses any
software security anyway. And #3 is a moot point, since any system can be
configured to be insecure by a properly skilled idiot, and the kernel
hackers can't be expected to program around idiotic sysadmins.

So, yes, it is a bug that needs to be fixed. But I don't see it as a
security issue.

-Bill
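As an added example (not part of the thread, and not FreeBSD project code): the nosuid safeguard Lutz describes for vfs.usermount=1 is only a safeguard if it is actually in effect, so this audit script parses `mount`-style output lines (constructed samples below, in the FreeBSD `device on mountpoint (type, opts...)` format) and reports any mount under a user-owned tree that lacks the nosuid option. The `/home` prefix and the sample mounts are assumptions for the demonstration.

```shell
#!/bin/sh
# Audit constructed FreeBSD-style `mount` output for user mounts that are
# missing nosuid. With vfs.usermount=1 an unprivileged user may mount a
# device they can read onto a directory they own; the kernel adds nosuid
# so that SUID-root binaries on that filesystem are not honoured. A user
# mount without nosuid is therefore the condition worth alerting on.
# SAMPLE_MOUNTS is a constructed sample, not output from a real machine.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/da0s1 on /home/alice/usb (ufs, local, nosuid)
/dev/da1s1 on /home/bob/stick (ufs, local)
/dev/da2 on /mnt/backup (ufs, local, nosuid, noexec)'

# Print the mountpoint of every mount below prefix $2 whose option list
# lacks nosuid. $1 is the mount output, $2 the user-owned tree prefix.
# Usage: suid_capable_user_mounts "$SAMPLE_MOUNTS" /home
suid_capable_user_mounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        # field 3 is the mountpoint; the options sit in the trailing parens
        mp=$(printf '%s\n' "$line" | awk '{print $3}')
        opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\))$/\1/p')
        case "$mp" in
            "$2"/*) ;;          # under the user tree: keep checking
            *) continue ;;      # system mount, outside the audit scope
        esac
        case ",$(printf '%s' "$opts" | tr -d ' ')," in
            *,nosuid,*) ;;      # safe: SUID bits on this fs are ignored
            *) printf '%s\n' "$mp" ;;   # user mount honouring SUID bits
        esac
    done
}

# On a real FreeBSD host the first argument would be "$(mount)"; here the
# constructed sample flags /home/bob/stick only.
suid_capable_user_mounts "$SAMPLE_MOUNTS" /home
```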