Netware NFS compromise
|Description:||A flaw in the way NetWare-NFS mode 1 and 2 maps the "Read Only" flag to UNIX allows a root compromise on systems which mount user-writable volumes exported via NetWare NFS|
|Author:||"Andrew J. Anderson" <andrew@DB.ERAU.EDU>|
|Compromise:|| root (local)|
|Vulnerable Systems:||Those mounting user-writable volumes exported via NetWare NFS |
|Date:||8 January 1998 |
Date: Thu, 8 Jan 1998 10:16:44 -0500
From: "Andrew J. Anderson" <andrew@DB.ERAU.EDU>
Subject: NetWare NFS
By using a "feature" of NetWare NFS, root can be compromised on any UNIX
host that mounts a user-writable volume exported via NetWare NFS.
NetWare NFS is a product made by Novell for NetWare<->UNIX connectivity.
There are 4 basic modes of operation on NetWare NFS:
1) NetWare Mode
In this mode, traditional NetWare access modes
determine files access rights in the NFS name
2) NetWare-NFS mode 1
In this mode trustee rights are used to emulate
NFS permissions and access modes.
3) NetWare-NFS mode 2
In this mode, both trustee rights and NetWare
attributes are used to emulate NFS permissions
and access modes.
4) NFS Mode
In this mode, no attribute or permissions mapping
The problem is with NetWare-NFS mode 1 and 2. Novell decided on some
interesting ways to 'emulate' UNIX's permission scheme. The problem is
that they do not perform the same sanity checks that UNIX does when
making these emulations work.
OK, enough setup...here's the problem:
One of the challenges Novell faced is how to map the "Read Only" flag from
NetWare's permission bits to the UNIX permissions. Some versions of UNIX
will allow a user to overwrite a file even if it is chmod'ed to 444.
NetWare will not allow a file to be written to at all if it is flagged
"Read Only", thus they decided that the best way to make this happen under
UNIX was to change the ownership of the file to root.
Bad, bad, bad idea. Very bad idea.
Thus all one needs to do is to copy a binary from the UNIX system into the
NetWare NFS area, make the binary SUID, and then go to a NetWare client
and flag it "Read Only". Boom SUID root binary.
Novell has been aware of this for several months. They have been working
on a fix for this, but according to the NetWare people that I work with it
"doesn't work". I haven't been able to get more than this out of
them...they don't seem to like me too much lately. :)
Incidentally, this was discovered while copying files from a CD into a
user's home directory. Since the CD is a read-only media, windows 95
decided to set the "Read-Only" flag on those files in the NetWare home
directory. This caused the user to not only not own the files he had just
copied but also lose ownership of the directory those files were in.
Andrew Anderson http://amelia.db.erau.edu/~andrew/
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:
[ Nmap |
Sec Tools |
Mailing Lists |
Site News |