Rocks Clusters <=4.1 local root

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Rocks Clusters <=4.1 local root
From: Xavier <compromise@xxxxxxxxx>
Date: Fri, 14 Jul 2006 15:33:28 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=PtMoC/zrreTkB7LgaNDDko2+S5BXeX19D395d1/SIOz4knwcKLoMYsReXn5tQI49iCcPh9FjpUrxpZ/SC4lLMizKwFVRDTa01oogUOe8WcycWDDDDK7F1D01iB+79EsNwk1RA7tjHPJGsZUHjI2boz9o/HAYzrSuKkrrHH1o04U=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt)

             tigerteam.se security advisory - TSEAD-200606-6
                             www.tigerteam.se

    Advisory: Rocks Clusters <=4.1 local root vulnerabilities
        Date: Wed Jul 5 15:52:59 EDT 2006
 Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
   Reference: TSEAD-200606-6
      Author: Xavier de Leon - xavier@xxxxxxxxxxxx


SYNOPSIS

   "Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
    Linux COTS clusters. Building a Rocks cluster does not require any
    experience in clustering, yet a cluster architect will find a flexible
    and programmatic way to redesign the entire software stack just below the
    surface (appropriately hidden from the majority of users). Although Rocks
    includes the tools expected from any clustering software stack (PBS,
    Maui, GM support, Ganglia, etc), it is unique in its simplicity of
    installation."[7]

    Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
    due to improper validating of arguments in two of its suid and world
    executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
    an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
    FLOPS.


VENDER RESPONSE

   May 31, 2006: Initial contact
    Jun 1, 2006: Response, Disclosure, Verification of bug,
                 redirected to another project Contact. Fixed
                 in CVS[1]
    Jun 9, 2006: Attempted contact after 8 days of silence
   Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
   Jun 30, 2006: Attempted contact after 29 days of silence
    Jul 5, 2006: No contact


VULNERABILITIES

   1) mount-loop:
      mount-loop is a binary that is distributed with suid root and is world
      executable.

      The problem is the program does not properly filter args
      to be used in a system() execution. An attacker could gain root from
      command line. A link[2] to its source can be found below.

      PoC[4] provided below.

   2) umount-loop:
      umount-loop is a binary that is distributed with suid root and is world
      executable.

      The problem is the program does not properly filter args
      to be used in a system() execution. An attacker could gain root from
      command line. A link[3] to its source can be found below.

      PoC[5] provided below.

DISCOVERY

   Xavier de Leon <xavier@xxxxxxxxxxxx>
   check out http://xavsec.blogspot.com for future sec releases on my part


ABOUT TIGERTEAM.SE

   tigerteam.se offers spearhead competence within the areas of vulnerability
   assessment, penetration testing, security implementation, and advanced
   ethical hacking training. tigerteam.se consists of Michel Blomgren -
   company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
   security consultant. Together we have worked for organizations in over 15
   countries.


REFERENCES

   [1]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nodes/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
   [2]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
   [3]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
   [4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
   [5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
   [6]: http://www.rocksclusters.org/rocks-register/
   [7]: http://distrowatch.com/table.php?distribution=rockscluster

Prev by Date: MyGallery "Room.php" SQL Injection
Next by Date: [SECURITY] Plain text password in Finjan Appliance 5100/8100 NG backup file
Previous by thread: MyGallery "Room.php" SQL Injection
Next by thread: [SECURITY] Plain text password in Finjan Appliance 5100/8100 NG backup file
Index(es):
- Date
- Thread