COMMAND
cfs
SYSTEMS AFFECTED
Systems running cfs-1.4.0beta2
PROBLEM
'therapy' posted the following about a root-exploitable bug in cfs. cfsd
uses the seteuid call to switch to the requesting user's id, so that it
no longer has to check permissions itself. After the user's request has
been handled it switches back to root, but while the request is being
processed euid is the user's id, and the user can kill cfsd or do
whatever he wants with the process, for example mmap
/proc/<cfsdpid>/mem and patch the code. cfsd then seteuid's itself
back to root after the file access and runs whatever was injected,
such as "echo * * > /root/.rhosts", with root privileges.
Under Linux a process is marked undumpable after a setreuid call, so
the program code can't be modified this way (the kernel does not expose
the memory of an undumpable process through /proc/<pid>/mem), but the
process can still be killed with a signal.
SOLUTION
Therapy has so far found a solution for Linux only: the setfs{uid,gid}
calls. The setfsuid(2) man page describes exactly this security
problem:
An explicit call to setfsuid is usually only used by programs such as
the Linux NFS server that need to change what user ID is used for file
access without a corresponding change in the real and effective user
IDs. A change in the normal user IDs for a program such as the NFS
server is a security hole that can expose it to unwanted signals from
other user IDs.
Patch follows:
--- cfs_orig.h Sat Feb 21 18:14:03 1998
+++ cfs.h Sat Feb 21 17:53:08 1998
@@ -200,8 +200,13 @@
#define become(x) ((x)==NULL?(setuidx(ID_EFFECTIVE |
ID_REAL,0)||setgidx(ID_EFFECTIVE|ID_REAL,0)) :\
(setgidx(ID_EFFECTIVE|ID_REAL,rgid(x)) ||
setuidx(ID_EFFECTIVE|ID_REAL, ruid(x))))
#else
+#ifdef linux
+#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
+ (setfsgid(rgid(x)) || setfsuid(ruid(x))))
+#else
#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
(setegid(rgid(x)) || seteuid(ruid(x))))
+#endif
#endif
#define keyof(f) (&((f)->ins->key))
#define vectof(f) ((f)->vect)
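Review bot: the Linux branch of become(x) misreads the return values of setfsgid()/setfsuid(): unlike the setegid()/seteuid() used in the branch below it, they return the previous fsgid/fsuid, on success and on a refused switch alike, never 0/-1. So `setfsgid(rgid(x)) || setfsuid(ruid(x))` reports failure (and never calls setfsuid at all) whenever the previous fsgid is nonzero, and reports success for a refused switch whenever it was 0. The macro only behaves here because the (x)==NULL branch was left as `seteuid(0)||setegid(0)` and relies on the kernel resetting fsuid/fsgid as a side effect of that call before the next request. Suggest calling both setfs* unconditionally, verifying with a second call as the man page recommends (`setfsuid(ruid(x)); if (setfsuid(ruid(x)) != ruid(x)) ...`), and resetting with explicit `setfsgid(0)`/`setfsuid(0)` in the root branch instead of depending on that side effect.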
This patch is against:
ftp://ftp.funet.fi/pub/crypt/utilities/file/cfs.1.4.0.beta2.tar.gz
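The setfsuid/setfsgid switch from the solution above, written out as a checked helper rather than a macro. This is an added example, not cfs code and not therapy's patch; the function names become_fs_user(), become_fs_root() and fs_switch_selfcheck() are my own. It is Linux-only, since setfsuid(2)/setfsgid(2) are Linux calls, and it runs without root: switching the file-system ids to ids the process already holds is always permitted, which is what the self-check exercises.

```c
/* Switch file-system credentials without exposing a root daemon to signals.
 * Added example, not cfs code; become_fs_user(), become_fs_root() and
 * fs_switch_selfcheck() are names chosen here. Linux only (sys/fsuid.h). */
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * setfsuid()/setfsgid() return the PREVIOUS fsuid/fsgid whether or not the
 * change was permitted, so chaining them with || and treating a nonzero
 * result as failure does not work. The check the Linux man page recommends
 * is to call a second time and compare the returned value with the request.
 *
 * Real and effective ids are left alone: the process stays killable only by
 * root, and its euid 0 is still there to switch back with.
 */
int become_fs_user(uid_t uid, gid_t gid)
{
    gid_t old_gid = (gid_t)setfsgid(gid);       /* returns the previous fsgid */
    if ((gid_t)setfsgid(gid) != gid)            /* second call tells us what it is now */
        return -1;                              /* refused: gid not ours and no CAP_SETGID */

    (void)setfsuid(uid);
    if ((uid_t)setfsuid(uid) != uid) {
        (void)setfsgid(old_gid);                /* roll back, never stay half-switched */
        return -1;
    }
    return 0;
}

/* Return the file-system ids to root explicitly instead of relying on a later
 * seteuid(0) resetting them as a side effect. Fails (returns -1) when the
 * process is not privileged, which is the expected result when run as a user. */
int become_fs_root(void)
{
    return become_fs_user(0, 0);
}

/* Self-check that needs no privilege: switching to our own real ids must
 * succeed and must leave the real/effective ids untouched.
 * Returns 0 on success, -1 if the switch was refused, -2 if real/effective
 * ids moved (which setfs* must never do). */
int fs_switch_selfcheck(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (become_fs_user(ruid, rgid) != 0)
        return -1;
    if (getuid() != ruid || geteuid() != euid ||
        getgid() != rgid || getegid() != egid)
        return -2;
    return 0;
}

int main(void)
{
    /* In a root-owned daemon such as cfsd, the file operation on behalf of
     * the user would sit between become_fs_user() and become_fs_root(). */
    if (fs_switch_selfcheck() != 0) {
        fprintf(stderr, "setfsuid/setfsgid self-check failed\n");
        return 1;
    }
    printf("fs ids switched to %u/%u while euid stayed %u\n",
           (unsigned)getuid(), (unsigned)getgid(), (unsigned)geteuid());
    if (become_fs_root() != 0)
        printf("not privileged: switch to fs ids 0/0 refused (expected as a user)\n");
    return 0;
}
```

The rollback in become_fs_user() matters for a long-running daemon: a half-applied switch (group changed, user refused) would otherwise persist into the next request. Note also that nothing here is a substitute for the process still being root: an unprivileged caller can only move its fs ids among ids it already holds, which is exactly why the self-check is safe to run without root.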