Bug 409701

Summary: CVE-2007-5964 Privilege Escalation (from local system) through /net autofs mount configuration bug
Product: [Fedora] Fedora Reporter: Josh Lange <sillygates>
Component: autofsAssignee: Ian Kent <ikent>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 8CC: ikent, jmoyer, security-response-team, thoger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 5.0.2-20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-15 17:51:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 410031    

Description Josh Lange 2007-12-04 02:58:24 UTC
Description of problem:
A stock install of RHEL5 and Fedora 8 (and possibly earlier versions) have /net
managed by autofs (look at /etc/auto.master).

Unfortunately, the "nosuid" mount option is not specified, meaning that any
system auto-mounted under /net may have arbitrary suid root binaries.

Version-Release number of selected component (if applicable): RHEL 5, Fedora 8,
possibly others

How reproducible: Always


Steps to Reproduce:
1. set up an NFS server with an suid root binary in an exported directory.
2. log into a system running fedora 8/rhel5. Ensure autofs is running.
3. as a non-root user on the fedora8/rhel5 box, change directory to
/net/hostname_of_nfs_server.tld/exported_path/
4. run the suid root binary
  
Actual results:
The suid binary runs with the effective UID of 0, making it so the unprivileged
user now has full access to the system.

Expected results:
the share should have been mounted with the nosuid option, so that the
executable does no run with the effective uid of root.

Additional info:
changing (in /etc/auto.master):
"/net    -hosts"
to:
"/net   -nosuid  -hosts"
Will prevent exploitation. 


I have also mailed this alert to secalert@redhat.com ( from jhlange@calpoly.edu ).

Comment 1 Mark J. Cox 2007-12-04 10:33:50 UTC
CVE-2007-5964, see bug #410031 for top level

Comment 2 Tomas Hoger 2007-12-12 13:28:31 UTC
*** Bug 421361 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2007-12-15 17:51:04 UTC
autofs-5.0.2-20 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.