Date: Fri, 24 Nov 2006 15:15:43 -0500
From: Bill Moran <wmoran@collaborativefusion.com>
To: Lutz Boehne <lboehne@damogran.de>
Cc: freebsd-security@freebsd.org
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679
Message-ID: <20061124151543.03f06b19.wmoran@collaborativefusion.com>
In-Reply-To: <4567504E.6040601@damogran.de>
References: <45656A3B.6000000@zedat.fu-berlin.de> <20061123213656.GA26275@walton.maths.tcd.ie> <200611231742.01418.josh@tcbug.org> <4567504E.6040601@damogran.de>
On Fri, 24 Nov 2006 21:04:30 +0100
Lutz Boehne <lboehne@damogran.de> wrote:

> > Out of the box you need to be root to mount things. Once you have
> > root access to a box you don't need silly things like this to crash
> > it.
> >
> > If you've gone out of your way to configure your box in such a way
> > that a non-root user can mount arbitrary UFS filesystems then they
> > certainly don't need to waste their time with buffer-overflows and
> > the like. They can simply mount a filesystem with any number of SUID
> > root binaries on it and have their way with the box.
> >
> > Either way, while it's senseless to argue that the buffer overflows
> > don't exist, anyone in a position to actually exploit them doesn't
> > need them to be malicious.
>
> I do not quite agree with your analysis.
>
> Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> filesystem from a device they have read access to to any directory they
> own, _but_ if the user does so, FreeBSD will automatically mount that
> filesystem nosuid. So the intent is to give a local user the possibility
> to mount a filesystem without gaining full control over the machine.
>
> Secondly, why would people go out of their way to set that sysctl to 1?
> I can see this happen in environments where users are not supposed to
> have full control over their desktop machines, but where they need to
> transfer data to/from USB flash drives.
>
> Thirdly, while I'm talking about desktop machines, many desktop Linux
> distributions are configured such that they will _automatically_ mount USB
> media once those are plugged in (and pop up an icon on the KDE or GNOME
> desktop). It's only a matter of time until such functionality will be
> available on FreeBSD (maybe it already is?) and widely used on desktop
> machines (e.g. on Laptops, in Internet Cafes), as it seems to be quite
> user friendly. On such machines an attacker would not even need a local
> user account.
>
> While one might say that these attack scenarios all require physical
> access (and we all know that physical access is game over, right;)),
> simply plugging in a USB memory device is much more inconspicuous than
> other "physical" attacks, like rebooting a box into single user mode
> (which one could additionally secure with a password prompt).

I don't think anyone is arguing whether or not this is a bug. It is.
I will argue, however, that it does not constitute a security flaw,
which is what the MOKB folks claim.

If a user has the ability to graft untrusted filesystems onto the
filesystem tree, that user is in one of a few scenarios:

1) They are root or equivalent.
2) They have physical access to the machine.
3) They are working on a machine that is secured incorrectly.

If #1, then it's a moot point, as root can DOS a machine without any
kernel bugs. If #2, it's a moot point, as physical access bypasses any
software security anyway. And #3 is a moot point, since any system can
be configured to be insecure by a properly skilled idiot, and the kernel
hackers can't be expected to program around idiotic sysadmins.

So, yes, it is a bug that needs to be fixed. But I don't see it as a
security issue.

-Bill
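An added defender-side audit script, not part of this thread or of FreeBSD, that checks the property Lutz describes (user mounts under vfs.usermount=1 being forced nosuid): it parses mount(8)-style output lines and reports any mount under a user home directory that lacks the nosuid flag. The sample mount lines are constructed, and the function names and the /home prefix are assumptions.

```sh
#!/bin/sh
# Constructed sample of FreeBSD `mount` output (not captured from a real host).
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/da0s1 on /home/alice/usb (ufs, local, nosuid)
/dev/da1s1 on /home/bob/stick (ufs, local)'

# Read mount lines from stdin; print the mount point of every mount under
# $1 (default /home) whose option list does not contain "nosuid".
# A hit means a user-reachable filesystem could carry honoured SUID binaries.
find_suid_user_mounts() {
    prefix="${1:-/home}"
    while IFS= read -r line; do
        # Extract the mount point between " on " and the opening "(".
        mp=$(printf '%s\n' "$line" | sed -n 's/^[^ ]* on \([^ ]*\) (.*$/\1/p')
        case "$mp" in
            "$prefix"/*)
                case "$line" in
                    *nosuid*) ;;                 # restricted as expected
                    *) printf '%s\n' "$mp" ;;    # report the exception
                esac ;;
        esac
    done
}

# Run the audit over the constructed sample (offline demonstration).
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | find_suid_user_mounts /home
}

# On a live FreeBSD host one would instead pipe real output:
#   sysctl vfs.usermount; mount | find_suid_user_mounts /home
```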