<<< Date Index >>>     <<< Thread Index >>>

Rocks Clusters <=4.1 local root



(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt)

             tigerteam.se security advisory - TSEAD-200606-6
                             www.tigerteam.se

    Advisory: Rocks Clusters <=4.1 local root vulnerabilities
        Date: Wed Jul 5 15:52:59 EDT 2006
 Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
   Reference: TSEAD-200606-6
      Author: Xavier de Leon - xavier@xxxxxxxxxxxx


SYNOPSIS

   "Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
    Linux COTS clusters. Building a Rocks cluster does not require any
    experience in clustering, yet a cluster architect will find a flexible
    and programmatic way to redesign the entire software stack just below the
    surface (appropriately hidden from the majority of users). Although Rocks
    includes the tools expected from any clustering software stack (PBS,
    Maui, GM support, Ganglia, etc), it is unique in its simplicity of
    installation."[7]

    Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
    due to improper validating of arguments in two of its suid and world
    executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
    an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
    FLOPS.


VENDER RESPONSE

   May 31, 2006: Initial contact
    Jun 1, 2006: Response, Disclosure, Verification of bug,
                 redirected to another project Contact. Fixed
                 in CVS[1]
    Jun 9, 2006: Attempted contact after 8 days of silence
   Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
   Jun 30, 2006: Attempted contact after 29 days of silence
    Jul 5, 2006: No contact


VULNERABILITIES

   1) mount-loop:
      mount-loop is a binary that is distributed with suid root and is world
      executable.

      The problem is the program does not properly filter args
      to be used in a system() execution. An attacker could gain root from
      command line. A link[2] to its source can be found below.

      PoC[4] provided below.

   2) umount-loop:
      umount-loop is a binary that is distributed with suid root and is world
      executable.

      The problem is the program does not properly filter args
      to be used in a system() execution. An attacker could gain root from
      command line. A link[3] to its source can be found below.

      PoC[5] provided below.

DISCOVERY

   Xavier de Leon <xavier@xxxxxxxxxxxx>
   check out http://xavsec.blogspot.com for future sec releases on my part


ABOUT TIGERTEAM.SE

   tigerteam.se offers spearhead competence within the areas of vulnerability
   assessment, penetration testing, security implementation, and advanced
   ethical hacking training. tigerteam.se consists of Michel Blomgren -
   company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
   security consultant. Together we have worked for organizations in over 15
   countries.


REFERENCES

   [1]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nodes/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
   [2]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
   [3]: 
http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
   [4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
   [5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
   [6]: http://www.rocksclusters.org/rocks-register/
   [7]: http://distrowatch.com/table.php?distribution=rockscluster