.comment-link {margin-left:.6em;}
Xavier's Security Post
Friday, July 14, 2006
  Rocks Clusters <=4.1 local root
Before May 31st I had discovered several holes in Rocks Clusters, a Linux cluster-friendly distribution. The vulnerabilities are quite trivial, and the bad part is that the suid binaries in question have been circulated with the distribution for a long time without discovery--thus a wide user base is affected. The advisory is below:

tigerteam.se security advisory - TSEAD-200606-6
www.tigerteam.se

Advisory: Rocks Clusters <=4.1 local root vulnerabilities
Date: Wed Jul 5 15:52:59 EDT 2006
Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
Reference: TSEAD-200606-6
Author: Xavier de Leon - xavier@tigerteam.se


SYNOPSIS

"Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
Linux COTS clusters. Building a Rocks cluster does not require any
experience in clustering, yet a cluster architect will find a flexible
and programmatic way to redesign the entire software stack just below the
surface (appropriately hidden from the majority of users). Although Rocks
includes the tools expected from any clustering software stack (PBS,
Maui, GM support, Ganglia, etc), it is unique in its simplicity of
installation."[7]

Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
due to improper validating of arguments in two of its suid and world
executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
FLOPS.


VENDER RESPONSE

May 31, 2006: Initial contact
Jun 1, 2006: Response, Disclosure, Verification of bug,
redirected to another project Contact. Fixed
in CVS[1]
Jun 9, 2006: Attempted contact after 8 days of silence
Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
Jun 30, 2006: Attempted contact after 29 days of silence
Jul 5, 2006: No contact


VULNERABILITIES

1) mount-loop:
mount-loop is a binary that is distributed with suid root and is world
executable.

The problem is the program does not properly filter args
to be used in a system() execution. An attacker could gain root from
command line. A link[2] to its source can be found below.

PoC[4] provided below.

2) umount-loop:
umount-loop is a binary that is distributed with suid root and is world
executable.

The problem is the program does not properly filter args
to be used in a system() execution. An attacker could gain root from
command line. A link[3] to its source can be found below.

PoC[5] provided below.


DISCOVERY

Xavier de Leon
check out http://xavsec.blogspot.com for future sec releases on my part


ABOUT TIGERTEAM.SE

tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced
ethical hacking training. tigerteam.se consists of Michel Blomgren -
company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
security consultant. Together we have worked for organizations in over 15
countries.


REFERENCES

[1]: /rocks/src/roll/base/nodes/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
[2]: /rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
[3]: /rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
[4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
[5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
[6]: http://www.rocksclusters.org/rocks-register/
[7]: http://distrowatch.com/table.php?distribution=rockscluster
 
Comments:
bishhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!!!!!!!!!!!!!!!!!
love youuuuuuuuu
 
Post a Comment

Links to this post:

Create a Link



<< Home
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was apart of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

RECENT RELEASES
Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln

ARCHIVES
September 2005 / October 2005 / November 2005 / December 2005 / March 2006 / April 2006 / May 2006 / June 2006 / July 2006 / September 2006 / October 2006 /