O. Hartmann
2006-Nov-23 09:32 UTC
UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679
Is a fix underway for these UFS bugs in FreeBSD since 6.1?

See:

http://projects.info-pull.com/mokb/

MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679

Regards,
Oliver
Tom Samplonius
2006-Nov-23 09:46 UTC
----- O. Hartmann <ohartman@zedat.fu-berlin.de> wrote:
> Is a fix underway for these UFS bugs in FreeBSD since 6.1?
>
> See:
>
> http://projects.info-pull.com/mokb/
>
> MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679

Probably not. In both cases a "crafted filesystem" is mounted to trigger a crash. Garbage in, garbage out. It is hardly exploitable, since only root can mount filesystems. And only root could "craft" a bogus filesystem to crash the kernel. If you are root, "reboot" is a far faster way to crash the system.

What the MOKB people seem to leave out is: do their "crafted filesystems" pass a "fsck -f"? If fsck says the filesystem is good, then the kernel should not crash. But I suspect that "fsck -f" would fix the filesystem. (BTW, "-f" is mandatory, as I suspect that these "crafted filesystems" would have the clean flag set.) If "fsck -f" fixes the filesystem, then both of these bugs are bogus.

Tom
David Malone
2006-Nov-23 21:37 UTC
On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
> Is a fix underway for these UFS bugs in FreeBSD since 6.1?
>
> See:
>
> http://projects.info-pull.com/mokb/
>
> MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679

These two bugs both seem to involve mounting deliberately corrupted UFS file systems. I'm not sure that many people allow this. To be honest, I'm surprised that they only list two bugs of this sort - UFS wasn't designed to be robust to working with accidentally corrupted filesystems, let alone ones corrupted maliciously!

The usual response of UFS to a corrupted filesystem is to panic. I'm guessing it would have been easier to do:

    grep panic /usr/src/sys/ufs/*/*.c

to find a load of these bugs, rather than writing a fuzzing tool ;-)

(That's not to say that it isn't worth improving things, it's just likely to be a large amount of work to fix this in a way that actually makes things better.)

David.
Josh Paetzel
2006-Nov-23 23:42 UTC
On Thursday 23 November 2006 15:36, David Malone wrote:
> On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
> > Is a fix underway for these UFS bugs in FreeBSD since 6.1?
> >
> > See:
> >
> > http://projects.info-pull.com/mokb/
> >
> > MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679
>
> These two bugs both seem to involve mounting deliberately corrupted
> UFS file systems. I'm not sure that many people allow this. To be
> honest, I'm surprised that they only list two bugs of this sort -
> UFS wasn't designed to be robust to working with accidentally
> corrupted filesystems, let alone ones corrupted maliciously!
>
> The usual response of UFS to a corrupted filesystem is to panic.
> I'm guessing it would have been easier to do:
>
> grep panic /usr/src/sys/ufs/*/*.c
>
> to find a load of these bugs, rather than writing a fuzzing tool
> ;-)
>
> (That's not to say that it isn't worth improving things, it's just
> likely to be a large amount of work to fix this in a way that
> actually makes things better.)
>
> David.

Out of the box you need to be root to mount things. Once you have root access to a box you don't need silly things like this to crash it. If you've gone out of your way to configure your box in such a way that a non-root user can mount arbitrary UFS filesystems then they certainly don't need to waste their time with buffer-overflows and the like. They can simply mount a filesystem with any number of SUID root binaries on it and have their way with the box.

Either way, while it's senseless to argue that the buffer overflows don't exist, anyone in a position to actually exploit them doesn't need them to be malicious.

--
Thanks,
Josh Paetzel
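The configuration question raised above (whether non-root users can mount filesystems, and whether on-demand mounts can carry set-uid binaries) can be checked on a host. The script below is an added example and not part of the thread; the helper names are hypothetical, `vfs.usermount` is the FreeBSD sysctl that permits non-root mounts, and treating `noauto` UFS entries as removable or foreign media is an assumption of this check.

```shell
#!/bin/sh
# Added example (not from the thread): audit who may mount filesystems and
# whether on-demand UFS mounts can carry set-uid binaries.
# usermount_enabled, fstab_missing_nosuid and audit_mount_policy are
# hypothetical helper names.

# Succeeds (exit 0) when the FreeBSD sysctl vfs.usermount is 1, i.e. when
# non-root users are allowed to mount filesystems.
usermount_enabled() {
    [ "$(sysctl -n vfs.usermount 2>/dev/null)" = "1" ]
}

# Print the mount point of every UFS entry in an fstab-format file that is
# marked noauto (assumed here to be removable or foreign media) but does
# not carry the nosuid option.
fstab_missing_nosuid() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and short lines
        $3 != "ufs"          { next }   # only UFS entries are of interest
        {
            n = split($4, opt, ",")
            noauto = 0; nosuid = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noauto") noauto = 1
                if (opt[i] == "nosuid") nosuid = 1
            }
            if (noauto && !nosuid) print $2
        }
    ' "$1"
}

# Print one line per finding; returns 1 when any finding is present.
audit_mount_policy() {
    fstab=${1:-/etc/fstab}
    rc=0
    if usermount_enabled; then
        echo "vfs.usermount=1: non-root users may mount filesystems"
        rc=1
    fi
    for mp in $(fstab_missing_nosuid "$fstab"); do
        echo "$mp: noauto UFS entry without nosuid"
        rc=1
    done
    return $rc
}

# Run the audit when invoked with an fstab path, e.g. sh audit.sh /etc/fstab
if [ "$#" -ge 1 ]; then audit_mount_policy "$1"; fi
```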
O. Hartmann
2006-Nov-24 07:23 UTC
David Malone wrote:
> On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
>> Is a fix underway for these UFS bugs in FreeBSD since 6.1?
>>
>> See:
>>
>> http://projects.info-pull.com/mokb/
>>
>> MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679
>
> These two bugs both seem to involve mounting deliberately corrupted
> UFS file systems. I'm not sure that many people allow this. To be
> honest, I'm surprised that they only list two bugs of this sort -
> UFS wasn't designed to be robust to working with accidentally corrupted
> filesystems, let alone ones corrupted maliciously!
>
> The usual response of UFS to a corrupted filesystem is to panic.
> I'm guessing it would have been easier to do:
>
> grep panic /usr/src/sys/ufs/*/*.c
>
> to find a load of these bugs, rather than writing a fuzzing tool ;-)
>
> (That's not to say that it isn't worth improving things, it's just
> likely to be a large amount of work to fix this in a way that
> actually makes things better.)
>
> David.

These two bugs are shown for FreeBSD only and, I guess, Solaris and other BSDs still use UFS. Are they more robust against this exploit or type of exploit?

On the other hand, if these shown bugs aren't as serious as claimed by the mentioned page, it sounds more like 'look, we also found on FreeBSD something strange, not even on Linux'. But it is good to know and be aware of.

Regards,
Oliver