CVE-2011-1089
Score: 3.3 | CWE: 16

First published: Fri Mar 18 2011 (Updated: )

Dan Rosenberg reported a flaw in how suid mount helpers handle access to /etc/mtab [1], which could allow an unprivileged user to corrupt /etc/mtab and possibly manipulate mountpoint options or unmount a filesystem. The original report follows.

This was originally sent to the now-defunct vendor-sec mailing list. Seeing how it's a relatively low-severity issue and that we're currently lacking a mechanism for coordination among package maintainers and vendors, this list seems like a perfectly acceptable venue for discussing how to fix it.

I discovered that essentially every suid mount helper that uses addmntent() (or invokes util-linux mount, which in turn calls addmntent()) to add entries to /etc/mtab fails to anticipate a low value for RLIMIT_FSIZE, allowing unprivileged users to corrupt /etc/mtab and possibly manipulate mountpoint options. Affected software includes at least:

* mount.cifs (samba)
* fusermount (FUSE)
* mount (util-linux)
* ncpmount (ncpfs)
* vmware-hgfsmounter (open-vm-tools)

Also affected are all their unmount equivalents.

This can be exploited by checking the current size of /etc/mtab, setting an RLIMIT_FSIZE of some small amount greater than that, and invoking a suid mount helper. The edits to /etc/mtab will be truncated to the ulimit and no newline will be appended, so multiple invocations allow near-arbitrary appending to /etc/mtab. addmntent() will octal-encode most special characters, which makes exploitation beyond simple corruption not quite as straightforward, but I'm confident that with some creativity it would be possible to perform unauthorized unmounting, for example.

There are a few possible options. We could patch glibc to try to raise the rlimit in addmntent(). Or we could fix every suid mount helper to raise the rlimit or have proper error handling for the case when addmntent() fails. This final option requires that mtab editing be done in a temporary file and aborted on failure, which isn't the case for all helpers.

Of course, once we figure out how to fix this, we can talk about assigning CVEs, etc.

And a followup regarding specific mount helpers:

I did a survey of some suid helpers I'm aware of. Here's the existing behavior:

util-linux mount
================
* Edits /etc/mtab.tmp with custom my_addmntent(), behaves identically to glibc addmntent() in terms of return code
* Succeeds on partial writes, does not remove temp file on failure (could result in additional corruption of /etc/mtab through multiple invocations), does not remove lock file /etc/mtab~ on failure (also an issue)

fusermount (FUSE)
=================
* Does not edit mtab directly, calls into util-linux mount/umount, no changes needed

mount.cifs (samba)
==================
* mount.cifs edits /etc/mtab directly, no cleanup on addmntent() failure
* umount.cifs edits /etc/mtab.tmp but does not check return code of addmntent()

ncpmount (ncpfs)
================
* ncpmount edits /etc/mtab directly, no cleanup on failure, does not remove lock file /etc/mtab~ on failure
* ncpumount edits /etc/mtab.tmp but does not check return code of addmntent()

vmware-hgfsmounter (open-vm-tools)
==================================
* edits /etc/mtab directly, no cleanup on failure

Further discussion is ongoing via the oss-security mailing list.

[1] http://thread.gmane.org/gmane.comp.security.oss.general/4374
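An added example of the two fixes the report weighs, written for this page and not taken from glibc or any of the helpers named above: mtab_append_entry() writes the whole entry with one write(2) and rolls the file back to its previous length when the write comes up short, so a low RLIMIT_FSIZE can no longer leave a truncated, newline-less entry behind; mtab_raise_fsize_limit() is the other option, raising the helper's own soft limit. Function names are made up for the example, and field escaping is simplified to rejecting the characters addmntent() would octal-encode.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Option the report lists: raise the helper's own soft RLIMIT_FSIZE
 * to the hard limit before it touches /etc/mtab. */
int mtab_raise_fsize_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Append one mtab entry with a single write(2). Returns 0 on success,
 * -1 if the entry was rejected or a short write (as under a low
 * RLIMIT_FSIZE) was rolled back to the previous length, and -2 if the
 * rollback itself failed and mtab must be treated as corrupt. */
int mtab_append_entry(const char *mtab_path, const char *fsname,
                      const char *dir, const char *type, const char *opts)
{
    const char *f[4] = { fsname, dir, type, opts };
    for (int i = 0; i < 4; i++)
        if (!*f[i] || strpbrk(f[i], " \t\n\\"))  /* rejected, not escaped */
            return -1;
    char line[1024];
    int len = snprintf(line, sizeof line, "%s %s %s %s 0 0\n",
                       fsname, dir, type, opts);
    if (len < 0 || (size_t)len >= sizeof line)
        return -1;
    /* Ignore SIGXFSZ so an over-limit write fails with EFBIG instead
     * of killing the helper half-way through the edit. */
    signal(SIGXFSZ, SIG_IGN);
    int fd = open(mtab_path, O_WRONLY | O_APPEND);
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    int rc = write(fd, line, (size_t)len) == len ? 0 : -1;
    if (rc != 0 && ftruncate(fd, st.st_size) != 0)
        rc = -2;                      /* partial entry is still on disk */
    close(fd);
    return rc;
}
```

A caller that gets -1 must abort the mount and report it; -2 means the rollback failed and the file needs repair before further edits.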

Credit: secalert@redhat.com

Affected Software | Affected Version | How to fix
GNU glibc | <=2.13, with these releases listed individually: 1.00, 1.01, 1.02, 1.03, 1.04, 1.05, 1.06, 1.07, 1.08, 1.09, 1.09.1, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1, 2.1.1, 2.1.1.6, 2.1.2, 2.1.3, 2.1.3.10, 2.1.9, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.10, 2.4, 2.5, 2.5.1, 2.6, 2.6.1, 2.7, 2.8, 2.9, 2.10, 2.10.1, 2.10.2, 2.11, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.12.2 | (not given)
