Vigil@nce: Linux kernel, privilege elevation via fsuid
April 2009 by Vigil@nce
An NFS client can elevate its privileges on an NFS server via a
vulnerability related to fsuid.
– Severity: 2/4
– Consequences: administrator access/rights
– Provenance: user account
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 23/04/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The "fsuid" value is the user identifier under which file operations
are performed. For example, an NFS server runs as root and uses fsuid
to create and modify files with the privileges of the connected user.
The CAP_MKNOD (device creation) and CAP_LINUX_IMMUTABLE (special
attributes) capabilities must be dropped when fsuid is different
from 0. However, this is not done: if the user has these
capabilities, they are kept.
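The rule described above, as a constructed Python model added to this advisory (it is not Linux kernel code and not part of Vigil@nce's material): a server running as root adopts the connected user's uid as fsuid, and the two capabilities named above either survive the switch (the vulnerable behaviour) or are dropped (the expected behaviour). The capability numbers follow linux/capability.h; the root_squash mapping to uid 65534, the reduced server capability set and the request flow are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Capability numbers from linux/capability.h
CAP_CHOWN = 0
CAP_DAC_OVERRIDE = 1
CAP_LINUX_IMMUTABLE = 9
CAP_MKNOD = 27

# Capabilities the advisory says must be dropped once fsuid != 0.
# (The kernel masks a larger set of file-related capabilities; this
# model keeps only the two the advisory names.)
FS_CAPS_TO_DROP = frozenset({CAP_MKNOD, CAP_LINUX_IMMUTABLE})

# Assumed capability set of an NFS server running as root (reduced for the model).
SERVER_CAPS = frozenset({CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_LINUX_IMMUTABLE, CAP_MKNOD})

# Assumption: the export uses root_squash, so client root is mapped to "nobody".
NOBODY_UID = 65534


@dataclass(frozen=True)
class Creds:
    uid: int
    fsuid: int
    effective: FrozenSet[int]


def set_fsuid(creds: Creds, new_fsuid: int, drop_fs_caps: bool) -> Creds:
    """Adopt the connected user's uid as fsuid.

    drop_fs_caps=True  models the rule the advisory describes.
    drop_fs_caps=False models the vulnerable behaviour: the capabilities
    survive the switch to a non-root fsuid.
    """
    effective = set(creds.effective)
    if new_fsuid != 0 and drop_fs_caps:
        effective -= FS_CAPS_TO_DROP
    return Creds(creds.uid, new_fsuid, frozenset(effective))


def mknod_allowed(creds: Creds) -> bool:
    """Creating a device node requires CAP_MKNOD in the effective set."""
    return CAP_MKNOD in creds.effective


def mknod_over_nfs(client_uid: int, client_caps: FrozenSet[int], drop_fs_caps: bool) -> str:
    """Outcome of a device-node creation requested by an NFS client.

    The client kernel first checks CAP_MKNOD for the local user; the server
    then performs the operation with fsuid set to that user's (squashed) uid.
    """
    if CAP_MKNOD not in client_caps:
        return "refused by client"
    fsuid = NOBODY_UID if client_uid == 0 else client_uid
    server = Creds(uid=0, fsuid=0, effective=SERVER_CAPS)
    server = set_fsuid(server, fsuid, drop_fs_caps)
    return "created" if mknod_allowed(server) else "refused by server"


if __name__ == "__main__":
    user_caps = frozenset({CAP_MKNOD})  # a user granted CAP_MKNOD on the client
    for fixed in (False, True):
        label = "caps dropped" if fixed else "caps kept (vulnerable)"
        print(f"{label}: {mknod_over_nfs(1000, user_caps, fixed)}")
```

With the capabilities kept, a non-root fsuid still carries CAP_MKNOD and the server creates the device node; with the drop applied, the same request is refused server-side regardless of what the client granted locally.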
An attacker who is root on an NFS client can therefore grant the
CAP_MKNOD capability to a user, then connect with this account to the
NFS server and create a device node on its filesystem. The NFS server
does not refuse this operation. The device node can for example be
used to access the hard drive of the NFS server.
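Since the observable trace of this flaw on the server is a device node sitting in an exported directory, a defender can audit exports for such inodes. The following Python audit helper is an added example, not part of the advisory or of any NFS project; it lstat's every entry under a directory (not following symlinks) and reports character and block devices with their major:minor numbers. The `constructed_entry` helper builds synthetic entries so the filtering logic can be exercised without CAP_MKNOD on the auditing host.

```python
import os
import stat
import sys
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[str, int, int]          # (path, st_mode, st_rdev)
Finding = Tuple[str, str, int, int]   # (path, kind, major, minor)


def device_kind(mode: int) -> Optional[str]:
    """Return 'char' or 'block' for device inodes, None for everything else."""
    if stat.S_ISCHR(mode):
        return "char"
    if stat.S_ISBLK(mode):
        return "block"
    return None


def device_nodes(entries: Iterable[Entry]) -> List[Finding]:
    """Filter (path, st_mode, st_rdev) triples down to device nodes."""
    findings: List[Finding] = []
    for path, mode, rdev in entries:
        kind = device_kind(mode)
        if kind is not None:
            findings.append((path, kind, os.major(rdev), os.minor(rdev)))
    return findings


def walk_entries(root: str) -> Iterable[Entry]:
    """lstat every entry under root without following symlinks, so a link
    pointing at /dev is seen as a symlink rather than as a device."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            yield (path, st.st_mode, st.st_rdev)


def scan_export(root: str) -> List[Finding]:
    """Device nodes present under an exported directory tree."""
    return device_nodes(walk_entries(root))


def constructed_entry(path: str, kind: str, major: int, minor: int) -> Entry:
    """Build a synthetic Entry (constructed sample data, no real inode needed)."""
    fmt = {"char": stat.S_IFCHR, "block": stat.S_IFBLK, "file": stat.S_IFREG}[kind]
    rdev = os.makedev(major, minor) if kind != "file" else 0
    return (path, fmt | 0o644, rdev)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, kind, major, minor in scan_export(root):
        print(f"{kind} device {major}:{minor} at {path}")
```

Run it against the root of each export (for example from cron) and treat any finding as unexpected: legitimate exported data very rarely contains device nodes, so a non-empty result is worth investigating.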
CHARACTERISTICS
– Identifiers: BID-34695, VIGILANCE-VUL-8664
– Url: http://vigilance.fr/vulnerability/Linux-kernel-privilege-elevation-via-fsuid-8664