[nycbug-talk] security advisory

Isaac Levy ike
Thu Jan 19 15:56:54 EST 2006


Hi Charles,

On Jan 19, 2006, at 3:46 PM, Charles Sprickman wrote:
<snip>
>> ?  Well, you'd have to mount some other filesystem on top of the  
>> files you wish to circumvent first?
>> Unless I'm missing something truly awful here...
>>
>> http://packetstormsecurity.org/0601-exploits/rt-sa-2005-15.txt
>
> I think I'm missing something too...  The example shows someone nfs  
> mounting a directory over an existing, populated directory.

Yes.

> The guy is then shocked that the flags from the files under that  
> filesystem do not show up???  I don't think I'd expect that.

Well, me neither; it just seems nobody has thought of or tried this  
scenario yet.

>   Is he suggesting that changes made to the nfs mounted directory  
> will somehow remain after the nfs dir is unmounted???

No, simply suggesting that particular files could be overwritten,  
which could allow a user to do malicious things while the volume is  
mounted.

Dirty things can happen, but it's a long shot, really.  In the case  
of jails, I have a hard time seeing how the jailed servers would be  
able to escape the securelevels, unless the nfs volume was somehow  
mounted before the rc/jail mechanism starts the jail...

So with that, you could 'chflags -R -noschg /' in your jail while  
exploiting this, but you'd simply chflags the files you've  
overwritten (and that is only if the jail was started in a low/normal  
securelevel, where jailed root can do this anyhow).
I'm trying really hard to think up a case where this could be used to  
compromise the host, (even based on resource attacks, etc...), but I  
can't think of any?

>
> If this is all the fuss, then I guess I understand why Theo is  
> going into "shut up and go away" mode.

Well, yeah.

Rocket-
.ike
