Vigil@nce: Linux kernel, bypassing NFS exec
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An NFS client can execute a non-executable file located on a server.
Severity: 1/4
Consequences: user access/rights
Provenance: user shell
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/05/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
Access rights on a regular file are:
– w : write
– r : read
– x : execute
The nfs_permission() function of the NFS client incorporated in
the Linux kernel does not check the execute permission. A file
without the execute bit can thus nonetheless be executed.
The NFS client can therefore execute a non-executable file located
on an NFS server.
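A check an administrator can run against an NFS mount point to confirm that the client refuses to execute a file lacking the execute bit, for example after updating the kernel. This is an added example, not part of the Vigil@nce bulletin; the function name exec_bit_enforced and the probe file name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not kernel code). Returns:
 *  1  execve() of a mode-0644 file in dir was refused with EACCES (expected)
 *  0  the file ran without an execute bit (the behaviour described above)
 * -1  the probe could not be completed */
int exec_bit_enforced(const char *dir)
{
    static const char script[] = "#!/bin/sh\nexit 0\n"; /* constructed sample */
    char path[4096];
    int fd, status, result = -1;
    pid_t pid;
    if (snprintf(path, sizeof path, "%s/execbit-XXXXXX", dir) >= (int)sizeof path)
        return -1;
    if ((fd = mkstemp(path)) < 0)
        return -1;
    if (write(fd, script, sizeof script - 1) != (ssize_t)(sizeof script - 1) ||
        fchmod(fd, 0644) != 0) {            /* rw-r--r--: no execute bit */
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd); /* close before exec so the file is not open for writing */

    pid = fork();
    if (pid == 0) {
        char *argv[] = { path, NULL }, *envp[] = { NULL };
        execve(path, argv, envp);           /* returns only on failure */
        _exit(errno == EACCES ? 100 : 101); /* 100 = refused as expected */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        if (WEXITSTATUS(status) == 100) result = 1;
        else if (WEXITSTATUS(status) == 0) result = 0;
    }
    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    int r = exec_bit_enforced(argc > 1 ? argv[1] : ".");
    puts(r == 1 ? "execute bit enforced" : r == 0 ? "NOT enforced" : "probe failed");
    return r != 1;
}
```

Pass a writable directory on the NFS mount as the first argument. A mount using the noexec option also returns 1, since execve() fails with EACCES there as well.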
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8712
http://vigilance.fr/vulnerability/Linux-kernel-bypassing-NFS-exec-8712