Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824

Board: FB_security, Date: 2006/11/25 04:21
On Fri, 24 Nov 2006 21:04:30 +0100 Lutz Boehne <lboehne@damogran.de> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Out of the box you need to be root to mount things. Once you have
> > root access to a box you don't need silly things like this to crash
> > it.
> >
> > If you've gone out of your way to configure your box in such a way
> > that a non-root user can mount arbitrary UFS filesystems then they
> > certainly don't need to waste their time with buffer-overflows and
> > the like. They can simply mount a filesystem with any number of SUID
> > root binaries on it and have their way with the box.
> >
> > Either way, while it's senseless to argue that the buffer overflows
> > don't exist, anyone in a position to actually exploit them doesn't
> > need them to be malicious.
>
> I do not quite agree with your analysis.
>
> Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> filesystem from a device they have read access to to any directory they
> own, _but_ if the user does so, FreeBSD will automatically mount that
> filesystem nosuid. So the intent is to give a local user the possibility
> to mount a filesystem without gaining full control over the machine.
>
> Secondly, why would people go out of their way to set that sysctl to 1?
> I can see this happen in environments where users are not supposed to
> have full control over their desktop machines, but where they need to
> transfer data to/from USB flash drives.
>
> Thirdly, while I'm talking about desktop machines, many desktop Linux
> distributions are configured such they will _automatically_ mount USB
> media once those are plugged in (and pop up an icon on the KDE or GNOME
> desktop). It's only a matter of time until such functionality will be
> available on FreeBSD (maybe it already is?) and widely used on desktop
> machines (e.g. on Laptops, in Internet Cafes), as it seems to be quite
> user friendly. On such machines an attacker would not even need a local
> user account.
>
> While one might say that these attack scenarios all require physical
> access (and we all know that physical access is game over, right ;)),
> simply plugging in a USB memory device is much more inconspicuous than
> other "physical" attacks, like rebooting a box into single user mode
> (which one could additionally secure with a password prompt).

I don't think anyone is arguing whether or not this is a bug. It is.

I will argue, however, that it does not constitute a security flaw, which
is what the MOKB folks claim.

If a user has the ability to graft untrusted filesystems onto the
filesystem tree, that user is in one of a few scenarios:
1) They are root or equivalent.
2) They have physical access to the machine.
3) They are working on a machine that is secured incorrectly.

If #1, then it's a moot point, as root can DOS a machine without any
kernel bugs. If #2, it's a moot point, as physical access bypasses any
software security anyway. And #3 is a moot point, since any system can be
configured to be insecure by a properly skilled idiot, and the kernel
hackers can't be expected to program around idiotic sysadmins.

So, yes, it is a bug that needs to be fixed. But I don't see it as a
security issue.

-Bill
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
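The quoted message says that with vfs.usermount set to 1, FreeBSD mounts user-initiated filesystems nosuid. The following audit sketch is an added example, not part of the original thread: it lists user-initiated mounts and checks that each carries nosuid. It assumes FreeBSD's `mount` output form `dev on dir (opt, opt, ...)` with a `mounted by <user>` option; the function name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit user-initiated mounts.
# On a real host: check `sysctl -n vfs.usermount`, then `mount | audit_user_mounts`.
# Every line reported is a filesystem whose on-disk metadata was supplied by an
# unprivileged user and parsed by the kernel; nosuid only blocks setuid binaries.

# Reads mount(8)-style lines on stdin; prints "<verdict> <user> <dev> <dir>"
# for each user mount. Mount points containing spaces are not handled.
audit_user_mounts() {
    awk '
    / \(.*mounted by / {
        dev = $1; dir = $3
        opts = $0
        sub(/^[^(]*\(/, "", opts)      # drop everything up to "("
        sub(/\)[^)]*$/, "", opts)      # drop the closing ")"
        n = split(opts, o, /, */)
        nosuid = 0; user = "?"
        for (i = 1; i <= n; i++) {
            if (o[i] == "nosuid") nosuid = 1
            if (o[i] ~ /^mounted by /) {
                user = o[i]
                sub(/^mounted by /, "", user)
            }
        }
        printf "%s %s %s %s\n", (nosuid ? "OK" : "SUID-ALLOWED"), user, dev, dir
    }'
}

# Constructed sample input; the last line is a deliberately wrong case
# (a user mount without nosuid) to exercise the SUID-ALLOWED verdict.
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local, soft-updates)
devfs on /dev (devfs, local)
/dev/da0s1 on /home/alice/usb (msdosfs, local, nosuid, mounted by alice)
/dev/da1s1a on /home/bob/stick (ufs, local, mounted by bob)'

printf '%s\n' "$SAMPLE_MOUNT" | audit_user_mounts
```
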
Article code (AID): #15PrGw00 (FB_security)