[nycbug-talk] security advisory
Isaac Levy
ike
Thu Jan 19 15:56:54 EST 2006
Hi Charles,
On Jan 19, 2006, at 3:46 PM, Charles Sprickman wrote:
<snip>
>> ? Well, you'd have to mount some other filesystem on top of the
>> files you wish to circumvent first?
>> Unless I'm missing something truly awful here...
>>
>> http://packetstormsecurity.org/0601-exploits/rt-sa-2005-15.txt
>
> I think I'm missing something too... The example shows someone nfs
> mounting a directory over an existing, populated directory.
Yes.
> The guy is then shocked that the flags from the files under that
> filesystem do not show up??? I don't think I'd expect that.
Well, me neither; it just seems nobody has thought of or tried this
scenario yet.
> Is he suggesting that changes made to the nfs mounted directory
> will somehow remain after the nfs dir is unmounted???
No, simply suggesting that particular files could be overwritten
which could allow a user to do malicious things while the volume is
mounted.
Dirty things can happen, but it's a long shot, really. In the case
of jails, I have a hard time seeing how the jailed servers would be
able to escape the securelevels, unless the nfs volume was somehow
mounted before the rc/jail mechanism starts the jail...
So with that, you could 'chflags -R -noschg /' in your jail while
exploiting this, but you'd simply chflags the files you've
overwritten (and that is only if the jail was started in a low/normal
securelevel, where jailed root can do this anyhow).
I'm trying really hard to think up a case where this could be used to
compromise the host, (even based on resource attacks, etc...), but I
can't think of any?
>
> If this is all the fuss, then I guess I understand why Theo is
> going into "shut up and go away" mode.
Well, yeah.
Rocket-
.ike
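One check a host administrator could run for the scenario discussed in this thread, added here as an example (it is not from the thread, FreeBSD, or the advisory): parse `mount` output and report any non-local filesystem mounted on top of a directory holding files that are supposed to be schg-protected, since the flags of the files underneath are hidden while the mount is in place. The mount output and the list of protected paths are constructed for the example.

```shell
#!/bin/sh
# Added example: find non-local mounts that shadow directories containing
# immutable (schg) files. Input is FreeBSD-style `mount` output, one line
# per filesystem: "<device> on <mountpoint> (<fstype>, <options>...)".

# Constructed sample output, not from a real host. The second line is an
# NFS volume mounted over the existing, populated /usr/local/etc.
SAMPLE_MOUNT_OUTPUT='/dev/ad0s1a on / (ufs, local)
fileserver:/export/etc on /usr/local/etc (nfs)
/dev/ad0s1d on /var (ufs, local, soft-updates)'

# Hypothetical list of files the admin relies on being immutable.
PROTECTED_PATHS='/usr/local/etc/apache/httpd.conf /var/log/auth.log /etc/rc.conf'

# shadowing_mounts MOUNT_OUTPUT PROTECTED_PATHS
# Prints "<mountpoint> <fstype> shadows <protected path>" for every
# non-local mount whose mountpoint is an ancestor directory of a
# protected path. Local filesystems (marked "local" by mount) are the
# normal fstab layout and are skipped; a mount placed on top of a
# populated directory after boot would typically be remote.
shadowing_mounts() {
    _out=$1; _paths=$2
    printf '%s\n' "$_out" | while IFS= read -r line; do
        mp=$(printf '%s' "$line" | sed -n 's/^.* on \(.*\) (\(.*\))$/\1/p')
        opts=$(printf '%s' "$line" | sed -n 's/^.* on \(.*\) (\(.*\))$/\2/p')
        [ -z "$mp" ] && continue
        case $opts in *local*) continue ;; esac   # skip local filesystems
        fstype=${opts%%,*}                         # first token is the fstype
        for p in $_paths; do
            case $p in
                "$mp"/*) printf '%s %s shadows %s\n' "$mp" "$fstype" "$p" ;;
            esac
        done
    done
}

shadowing_mounts "$SAMPLE_MOUNT_OUTPUT" "$PROTECTED_PATHS"
```

On a live system the first argument would be the output of `mount` itself; the flags of the shadowed files reappear once the offending filesystem is unmounted.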