[UCI-Linux] [Fwd: [Full-disclosure] Rocks Clusters <=4.1 local root]

Mike Iglesias iglesias at uci.edu
Sat Jul 15 17:22:17 PDT 2006


If you're running a Rocks Cluster, you should should see if there's an 
update that fixes this vulnerability.


-------- Original Message --------
Subject: [Full-disclosure] Rocks Clusters <=4.1 local root
Date: Sat, 15 Jul 2006 14:24:39 -0400
From: Xavier <compromise at gmail.com>
To: full-disclosure at lists.grok.org.uk
References: <116791eb0607141233t267bbd21m4b481ff7d38aa208 at mail.gmail.com>

(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt)

              tigerteam.se security advisory - TSEAD-200606-6
                              www.tigerteam.se

     Advisory: Rocks Clusters <=4.1 local root vulnerabilities
         Date: Wed Jul 5 15:52:59 EDT 2006
  Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
    Reference: TSEAD-200606-6
       Author: Xavier de Leon - xavier at tigerteam.se


SYNOPSIS

    "Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
     Linux COTS clusters. Building a Rocks cluster does not require any
     experience in clustering, yet a cluster architect will find a flexible
     and programmatic way to redesign the entire software stack just below the
     surface (appropriately hidden from the majority of users). Although Rocks
     includes the tools expected from any clustering software stack (PBS,
     Maui, GM support, Ganglia, etc), it is unique in its simplicity of
     installation."[7]

     Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
     due to improper validating of arguments in two of its suid and world
     executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
     an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
     FLOPS.


VENDER RESPONSE

    May 31, 2006: Initial contact
     Jun 1, 2006: Response, Disclosure, Verification of bug,
                  redirected to another project Contact. Fixed
                  in CVS[1]
     Jun 9, 2006: Attempted contact after 8 days of silence
    Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
    Jun 30, 2006: Attempted contact after 29 days of silence
     Jul 5, 2006: No contact


VULNERABILITIES

    1) mount-loop:
       mount-loop is a binary that is distributed with suid root and is world
       executable.

       The problem is the program does not properly filter args
       to be used in a system() execution. An attacker could gain root from
       command line. A link[2] to its source can be found below.

       PoC[4] provided below.

    2) umount-loop:
       umount-loop is a binary that is distributed with suid root and is world
       executable.

       The problem is the program does not properly filter args
       to be used in a system() execution. An attacker could gain root from
       command line. A link[3] to its source can be found below.

       PoC[5] provided below.

DISCOVERY

    Xavier de Leon <xavier at tigerteam.se>
    check out http://xavsec.blogspot.com for future sec releases on my part


ABOUT TIGERTEAM.SE

    tigerteam.se offers spearhead competence within the areas of vulnerability
    assessment, penetration testing, security implementation, and advanced
    ethical hacking training. tigerteam.se consists of Michel Blomgren -
    company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
    security consultant. Together we have worked for organizations in over 15
    countries.


REFERENCES

    [1]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nodes/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
    [2]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
    [3]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
    [4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
    [5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
    [6]: http://www.rocksclusters.org/rocks-register/
    [7]: http://distrowatch.com/table.php?distribution=rockscluster

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


More information about the UCI-Linux mailing list