Netware NFS compromise

Summary

Description: A flaw in the way NetWare-NFS mode 1 and 2 maps the "Read Only" flag to UNIX allows a root compromise on systems which mount user-writable volumes exported via NetWare NFS.
Author: "Andrew J. Anderson" <andrew@DB.ERAU.EDU>
Compromise: root (local)
Vulnerable Systems: Those mounting user-writable volumes exported via NetWare NFS
Date: 8 January 1998

Details

Date: Thu, 8 Jan 1998 10:16:44 -0500
From: "Andrew J. Anderson" <andrew@DB.ERAU.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: NetWare NFS

Summary:

By using a "feature" of NetWare NFS, root can be compromised on any UNIX
host that mounts a user-writable volume exported via NetWare NFS.

Details:

NetWare NFS is a product made by Novell for NetWare<->UNIX connectivity.
There are 4 basic modes of operation on NetWare NFS:

        1) NetWare Mode
                In this mode, traditional NetWare access modes
                determine file access rights in the NFS name
                space.
        2) NetWare-NFS mode 1
                In this mode trustee rights are used to emulate
                NFS permissions and access modes.
        3) NetWare-NFS mode 2
                In this mode, both trustee rights and NetWare
                attributes are used to emulate NFS permissions
                and access modes.
        4) NFS Mode
                In this mode, no attribute or permissions mapping
                is done.

The problem is with NetWare-NFS mode 1 and 2.  Novell decided on some
interesting ways to 'emulate' UNIX's permission scheme.  The problem is
that they do not perform the same sanity checks that UNIX does when
making these emulations work.

OK, enough setup...here's the problem:

One of the challenges Novell faced is how to map the "Read Only" flag from
NetWare's permission bits to the UNIX permissions.  Some versions of UNIX
will allow a user to overwrite a file even if it is chmod'ed to 444.
NetWare will not allow a file to be written to at all if it is flagged
"Read Only", thus they decided that the best way to make this happen under
UNIX was to change the ownership of the file to root.

Bad, bad, bad idea.  Very bad idea.

Thus all one needs to do is to copy a binary from the UNIX system into the
NetWare NFS area, make the binary SUID, and then go to a NetWare client
and flag it "Read Only".  Boom SUID root binary.

Novell has been aware of this for several months.  They have been working
on a fix for this, but according to the NetWare people that I work with it
"doesn't work".  I haven't been able to get more than this out of
them...they don't seem to like me too much lately. :)

Incidentally, this was discovered while copying files from a CD into a
user's home directory.  Since the CD is a read-only medium, Windows 95
decided to set the "Read-Only" flag on those files in the NetWare home
directory.  This caused the user to not only not own the files he had just
copied but also lose ownership of the directory those files were in.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Andrew Anderson                       http://amelia.db.erau.edu/~andrew/
               if(!(family_tree=fork())){redneck=TRUE;}
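Two checks a UNIX administrator can run on a host that mounts NetWare NFS volumes, written as an added example for this archive page (it is not part of Andrew Anderson's post or of any Novell tool). The first parses fstab-style lines and reports NFS mounts that lack the standard nosuid mount option, which makes the kernel ignore setuid and setgid bits on that filesystem and so neutralises a root-owned setuid file planted through the "Read Only" flag mapping. The second walks a mount point and lists every regular file carrying a setuid or setgid bit, so the root-owned ones can be reviewed. The fstab lines, server names and paths are constructed sample input, not taken from the post.

```python
"""Defensive checks for hosts mounting NetWare NFS volumes (added example)."""
import os
import stat
import tempfile

# Constructed sample /etc/fstab content; hostnames and paths are hypothetical.
SAMPLE_FSTAB = """\
# device                    mountpoint  type  options            dump pass
/dev/sda1                   /           ext2  defaults           1 1
nwserver:/SYS/home          /nw/home    nfs   rw,hard,intr       0 0
nwserver:/SYS/apps          /nw/apps    nfs   ro,nosuid,nodev    0 0
fileserver:/export/scratch  /scratch    nfs   rw,nosuid          0 0
"""

NFS_TYPES = {"nfs", "nfs4"}


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options_set) for each data line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real audit would log this
        device, mountpoint, fstype, options = fields[:4]
        yield device, mountpoint, fstype, set(options.split(","))


def audit_nfs_mounts(text):
    """Return the mountpoints of NFS entries that are mounted without nosuid."""
    return [
        mountpoint
        for _dev, mountpoint, fstype, opts in parse_fstab(text)
        if fstype in NFS_TYPES and "nosuid" not in opts
    ]


def find_setuid_files(root):
    """Return [(path, uid, mode)] for regular files under root with setuid/setgid set.

    lstat and followlinks=False are used so that a symlink planted on the share
    cannot redirect the scan to files outside the mount.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def root_owned_setuid(hits):
    """Narrow scanner output to the dangerous case: setuid bit set and owned by uid 0."""
    return [h for h in hits if h[1] == 0 and h[2] & stat.S_ISUID]


def has_setuid(path):
    """True if the setuid bit is actually present on path (some filesystems drop it)."""
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def build_sample_tree():
    """Create a constructed scratch tree with one mode-4755 file; returns (root, path).

    Stands in for a mounted NetWare volume so the scanner can be exercised offline.
    """
    root = tempfile.mkdtemp(prefix="nwnfs-demo-")
    path = os.path.join(root, "sh_copy")
    with open(path, "w"):
        pass
    os.chmod(path, 0o4755)
    return root, path


if __name__ == "__main__":
    for mp in audit_nfs_mounts(SAMPLE_FSTAB):
        print("NFS mount without nosuid:", mp)
    demo_root, _ = build_sample_tree()
    for path, uid, mode in find_setuid_files(demo_root):
        print("setuid/setgid file: %s uid=%d mode=%o" % (path, uid, mode))
```

On a production host the scanner would be pointed at each NFS mountpoint reported by the fstab audit rather than at a scratch directory, and any root-owned hit on a user-writable volume treated as an incident; adding nosuid to the mount is the mitigation that holds even if the share is later rewritten.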

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: