Linux RedHat 4.1 (possibly other versions)


    The following vulnerability was reported by Brad Keryan.

    amd  from  the  amd-920824upl102-6.i386.rpm  file distributed with
    RedHat  Linux  4.1  does  not  honor  the  nodev  option  for  NFS
    filesystems  and  probably  other  mount  types, allowing any user
    access to  the device  files in  /dev on  a system,  provided that
    they have  root access  to another  linux box  on the  network. In
    addition, the  default amd.conf  from RH  4.1 maps  /net/* to  NFS
    mounting,  which  makes  the  bug  in  amd  an  easily  accessible
    security hole.

    A friend of Brad who has  an account on his machine found  a major
    security hole  in amd  when he  decided to  play a  prank on  Brad
    involving /dev/dsp at odd hours, but found Brad had denied  access
    to /dev/dsp and /dev/audio. He assumed that Brad had forgotten  to
    put the options nosuid and nodev  in the amd mapping for NFS  (the
    default RedHat 4.1 mapping, which *does* have  opts=nosuid,nodev),
    so he created a  char device on his  machine with major number  14
    and minor 3, permissions 666, exported the directory it was in via
    NFS,  and  logged  into  Brad's  machine.   He used the /net/* amd
    mapping to mount the directory,  and then used the char  device in
    the NFS-mounted filesystem  to play sounds,  although /proc/mounts
    and /etc/mtab displayed it as mounted nodev.

    This exploit works  for block and  char devices. It  could be used
    to do more  malicious acts than  merely play sounds,  such as scan
    /dev/mem for  passwords, change  file permissions  or the contents
    of /etc/shadow  with a  raw disk  editor, and  sundry and  various
    other bad things.

    This bug may affect any other distributions that include amd,  but
    both the exploit and the bug have only been tested on RedHat 4.1.


    A one-character  typo in  the linux-specific  header file  for amd
    prevents it from actually passing the nodev option to the kernel.

    --- amd-upl102/config/os-linux.h.bad    Mon Apr  7 16:41:51 1997
    +++ amd-upl102/config/os-linux.h        Mon Apr  7 16:42:19 1997
    @@ -252,7 +252,7 @@

     #define M_RDONLY 1 /* mount read-only */
     #define M_NOSUID 2 /* ignore suid and sgid bits */
    -#define M_NONDEV 4 /* disallow access to device special files */
    +#define M_NODEV 4 /* disallow access to device special files */
     #define M_NOEXEC 8 /* disallow program execution */
     #define M_SYNC  16 /* writes are synced at once */
     #define M_REMOUNT  32 /* alter flags of a mounted FS */