[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : system stability compromise via mount_union program

Title: system stability compromise via mount_union program
Released by: FREEBSD
Date: 17th May 1996
Printable version: Click here
=============================================================================

FreeBSD-SA-96:10                                            Security Advisory

                                                    The FreeBSD Project, Inc.



Topic:          system stability compromise via mount_union program



Category:       core

Module:         unionfs

Announced:      1996-05-17

Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current

Corrected:      (workaround) 2.1-stable and 2.2-current as of 1996-05-17

Source:         4.4BSD (lite)

FreeBSD only:   no



Patches:        http://freebsd.org/pub/CERT/patches/SA-96:10/



=============================================================================



I.   Background



     A bug was found in the union file system code which can allow

     an unprivileged local user to compromise system stability.

     This problem is present in all source code and binary

     distributions of FreeBSD version 2.x released before 1996-05-18.



     All FreeBSD users are encouraged to use the workaround provided

     until the FreeBSD Project distributes a full solution.





II.  Problem Description



     The union filesystem code had problems with certain mount ordering

     problems.  By executing a certain sequence of mount_union commands,

     an unprivileged local user may cause a system reload.



     NOTE: This is a different problem than the one discussed in

     FreeBSD SA-96:09.  The workaround for this vulnerability is

     similar to the one discussed in 96:09, but the proper solution

     for the unauthorized access problem in 96:09 does not address

     this vulnerability.





III. Impact



     The problem could allow local users to compromise system stability.



     This vulnerability can only be exploited by users with a valid

     account on the local system.





IV. Solution(s)



     The FreeBSD project is currently developing a solution to this

     problem,  however the proper solution will not be available until

     a future FreeBSD release.  We do not anticipate releasing patches

     for previous versions of FreeBSD due to the extensive nature of this

     fix.  This security advisory will be updated as new information is

     made available.



V. Workaround



     This vulnerability can quickly and easily be limited by removing

     the setuid permission bit from the mount_union program.  This

     workaround will work for all versions of FreeBSD affected by

     this problem.



     As root, execute the command:



          % chmod u-s /sbin/mount_union



     then verify that the setuid permissions of the files have been

     removed.  The permissions array should read "-r-xr-xr-x" as

     shown here:



           % ls -l /sbin/mount_union

           -r-xr-xr-x  1 root  bin   53248 Apr 26 04:40 /sbin/mount_union



     In addition to changing the permissions on the executable files,

     if you have the source code installed, we suggest patching the

     sources so that mount_union will not be installed with the

     setuid bit set:



*** /usr/src/sbin/mount_union/Makefile  Sun Nov 20 14:47:52 1994

 --- /usr/src/sbin/mount_union/Makefile        Fri May 17 10:36:09 1996

***************

*** 8,14 ****

  CFLAGS+= -I${.CURDIR}/../../sys -I${MOUNT}

  .PATH:        ${MOUNT}



 - BINOWN= root

 - BINMODE=4555

 -

  .include 

 --- 8,11 ----



=============================================================================

The FreeBSD Project, Inc.



Web Site:                       http://www.freebsd.com/

Confidential contacts:          security-officer@freebsd.org

PGP Key:                        http://freebsd.org/pub/CERT/public_key.asc

Security notifications:         security-notifications@freebsd.org

Security public discussion:     security@freebsd.org



Notice: Any patches in this document may not apply cleanly due to

        modifications caused by digital signature or mailer software.

        Please reference the URL listed at the top of this document

        for original copies of all patches if necessary.

=============================================================================






(C) 1999-2000 All rights reserved.