(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt) tigerteam.se security advisory - TSEAD-200606-6 www.tigerteam.se Advisory: Rocks Clusters <=4.1 local root vulnerabilities Date: Wed Jul 5 15:52:59 EDT 2006 Application: mount-loop, umount-loop Vulnerability: Lack of filtering on arguments allow for privilege escalation Reference: TSEAD-200606-6 Author: Xavier de Leon - xavier (at) tigerteam (dot) se [email concealed] SYNOPSIS "Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat Linux COTS clusters. Building a Rocks cluster does not require any experience in clustering, yet a cluster architect will find a flexible and programmatic way to redesign the entire software stack just below the surface (appropriately hidden from the majority of users). Although Rocks includes the tools expected from any clustering software stack (PBS, Maui, GM support, Ganglia, etc), it is unique in its simplicity of installation."[7] Rocks Clusters <=4.1 is vulnerable to local root privilege escalation due to improper validating of arguments in two of its suid and world executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66 FLOPS. VENDER RESPONSE May 31, 2006: Initial contact Jun 1, 2006: Response, Disclosure, Verification of bug, redirected to another project Contact. Fixed in CVS[1] Jun 9, 2006: Attempted contact after 8 days of silence Jun 28, 2006: Project releases Rocks v4.2 Beta with fix Jun 30, 2006: Attempted contact after 29 days of silence Jul 5, 2006: No contact VULNERABILITIES 1) mount-loop: mount-loop is a binary that is distributed with suid root and is world executable. The problem is the program does not properly filter args to be used in a system() execution. An attacker could gain root from command line. A link[2] to its source can be found below. PoC[4] provided below. 2) umount-loop: umount-loop is a binary that is distributed with suid root and is world executable. The problem is the program does not properly filter args to be used in a system() execution. An attacker could gain root from command line. A link[3] to its source can be found below. PoC[5] provided below. DISCOVERY Xavier de Leon <xavier (at) tigerteam (dot) se [email concealed]> check out http://xavsec.blogspot.com for future sec releases on my part ABOUT TIGERTEAM.SE tigerteam.se offers spearhead competence within the areas of vulnerability assessment, penetration testing, security implementation, and advanced ethical hacking training. tigerteam.se consists of Michel Blomgren - company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant. Together we have worked for organizations in over 15 countries. REFERENCES [1]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nod es/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup [2]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src /dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup [3]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src /dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup [4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh [5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py [6]: http://www.rocksclusters.org/rocks-register/ [7]: http://distrowatch.com/table.php?distribution=rockscluster