Rocks Clusters <=4.1 local root

(direct link: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt)

          tigerteam.se security advisory - TSEAD-200606-6
                          www.tigerteam.se

 Advisory: Rocks Clusters <=4.1 local root vulnerabilities
     Date: Wed Jul 5 15:52:59 EDT 2006

Application: mount-loop, umount-loop
Vulnerability: Lack of filtering on arguments allow for privilege escalation
Reference: TSEAD-200606-6
Author: Xavier de Leon - [email protected]

SYNOPSIS

"Rocks is a complete "cluster on a CD" solution for x86 and IA64 Red Hat
 Linux COTS clusters. Building a Rocks cluster does not require any
 experience in clustering, yet a cluster architect will find a flexible
 and programmatic way to redesign the entire software stack just below the
 surface (appropriately hidden from the majority of users). Although Rocks
 includes the tools expected from any clustering software stack (PBS,
 Maui, GM support, Ganglia, etc), it is unique in its simplicity of
 installation."[7]

 Rocks Clusters <=4.1 is vulnerable to local root privilege escalation
 due to improper validating of arguments in two of its suid and world
 executable binaries, "mount-loop" and "umount-loop". Rocks Clusters has
 an unofficial cluster count[6] of 883 with 41,535 CPUs and 198456.66
 FLOPS.

VENDER RESPONSE

May 31, 2006: Initial contact
 Jun 1, 2006: Response, Disclosure, Verification of bug,
              redirected to another project Contact. Fixed
              in CVS[1]
 Jun 9, 2006: Attempted contact after 8 days of silence
Jun 28, 2006: Project releases Rocks v4.2 Beta with fix
Jun 30, 2006: Attempted contact after 29 days of silence
 Jul 5, 2006: No contact

VULNERABILITIES

1) mount-loop:
   mount-loop is a binary that is distributed with suid root and is world
   executable.

   The problem is the program does not properly filter args
   to be used in a system() execution. An attacker could gain root from
   command line. A link[2] to its source can be found below.

   PoC[4] provided below.

2) umount-loop:
   umount-loop is a binary that is distributed with suid root and is world
   executable.

   The problem is the program does not properly filter args
   to be used in a system() execution. An attacker could gain root from
   command line. A link[3] to its source can be found below.

   PoC[5] provided below.

DISCOVERY

Xavier de Leon <[email protected]>
check out http://xavsec.blogspot.com for future sec releases on my part

ABOUT TIGERTEAM.SE

tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced
ethical hacking training. tigerteam.se consists of Michel Blomgren -
company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT
security consultant. Together we have worked for organizations in over 15
countries.

REFERENCES

[1]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/nodes/rocks-dist.xml?rev=1.10&content-type=text/vnd.viewcvs-markup
[2]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/mount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
[3]: http://cvs.rocksclusters.org/viewcvs/viewcvs.cgi/rocks/src/roll/base/src/dist/umount-loop.c?rev=1.4&content-type=text/vnd.viewcvs-markup
[4]: http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
[5]: http://xavier.tigerteam.se/exploits/rocksumountdirty.py
[6]: http://www.rocksclusters.org/rocks-register/
[7]: http://distrowatch.com/table.php?distribution=rockscluster