COMMAND

    NetWare NFS

SYSTEMS AFFECTED

    NetWare

PROBLEM

    Andrew J. Anderson found the following.  By using a "feature" of
    NetWare NFS, root can be compromised on any UNIX host that mounts
    a user-writable volume exported via NetWare NFS.  NetWare NFS is
    a product made by Novell for NetWare<->UNIX connectivity.  There
    are 4 basic modes of operation on NetWare NFS:

    1) NetWare Mode
       In this mode, traditional NetWare access modes determine file
       access rights in the NFS name space.
    2) NetWare-NFS mode 1
       In this mode trustee rights are used to emulate NFS permissions
       and access modes.
    3) NetWare-NFS mode 2
       In this mode, both trustee rights and NetWare attributes are
       used to emulate NFS permissions and access modes.
    4) NFS Mode
       In this mode, no attribute or permissions mapping is done.

    The problem is with NetWare-NFS mode 1 and 2.  Novell decided on
    some interesting ways to 'emulate' UNIX's permission scheme.  The
    problem is that they do not perform the same sanity checks that
    UNIX does when making these emulations work.

    One of the challenges Novell faced was how to map the "Read Only"
    flag from NetWare's permission bits to the UNIX permissions.  Some
    versions of UNIX will allow a user to overwrite a file even if it
    is chmod'ed to 444.  NetWare will not allow a file to be written
    to at all if it is flagged "Read Only", so they decided that the
    best way to make this happen under UNIX was to change the
    ownership of the file to root.  Bad, bad, bad idea.  Very bad idea.

    Thus all one needs to do is to copy a binary from the UNIX system
    into the NetWare NFS area, make the binary SUID, and then go to a
    NetWare client and flag it "Read Only".  Boom: SUID root binary.

SOLUTION

    Take a look at:

        http://support.novell.com/cgi-bin/search/tidfinder.cgi?2940551
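
    A check for the UNIX side, added here as an example (it is not
    from the advisory or from Novell): it lists NFS mounts that still
    honour set-UID bits and finds root-owned SUID files beneath them.
    It assumes a Linux-style /proc/mounts table; the host name, paths
    and address in the sample are constructed.

```python
import os
import stat

NFS_TYPES = {"nfs", "nfs4"}

# Constructed sample in /proc/mounts format:
# device, mount point, type, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
nwserver:/vol1/shared /mnt/netware nfs rw,relatime,vers=2,addr=192.0.2.10 0 0
nwserver:/vol1/pub /mnt/pub nfs ro,nosuid,nodev,vers=2,addr=192.0.2.10 0 0
"""

def nfs_mounts_honouring_suid(mount_table):
    """Return mount points of NFS filesystems mounted without nosuid."""
    exposed = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _dev, mount_point, fstype, options = fields[:4]
        if fstype in NFS_TYPES and "nosuid" not in options.split(","):
            exposed.append(mount_point)
    return exposed

def is_suid_root(mode, uid):
    """True for a regular file owned by uid 0 with the set-UID bit set."""
    return stat.S_ISREG(mode) and uid == 0 and bool(mode & stat.S_ISUID)

def find_suid_root(top):
    """Walk top without following symlinks; return SUID root file paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if is_suid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return hits

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for mp in nfs_mounts_honouring_suid(fh.read()):
            print(mp, "honours set-UID; SUID root files:", find_suid_root(mp))
```

    Any file it reports on a NetWare NFS mount is one the server is
    presenting as root-owned with the SUID bit set, which is the
    condition described under PROBLEM.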