Bug 372070 – AUDIT-0: CVE-2009-1142: open-vm-tools: suid binary

Bug 372070 - (CVE-2009-1143) AUDIT-0: CVE-2009-1142: open-vm-tools: suid binary

(CVE-2009-1143)
Summary:	AUDIT-0: CVE-2009-1142: open-vm-tools: suid binary

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Enhancement
Target Milestone:	---
Assigned To:	Thomas Biege
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2008-03-18 14:58 UTC by Pavol Rusnak
Modified:	2017-08-02 15:10 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Development
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Pavol Rusnak 2008-03-18 14:58:11 UTC

I created new package open-vm-tools. These are tools that could be installed when openSUSE is running in VMware. It contains one binary that should be packaged as suid root. If it is not, only root on guest system can access Shared files from host system.

i586/open-vm-tools-2008.03.11-1.i586.rpm:
-rwsr-xr-x    1 root    root            43124 Mar 18 15:44 /usr/sbin/mount.vmhgfs
file /usr/sbin/mount.vmhgfs is packaged with suid/sgid permissions
but is not listed in any of /etc/permissions*
please contact security team

Comment 1 Marcus Meissner 2008-03-18 19:49:33 UTC

its likely to be placed in /sbin if it is a mount helper binary.

what filesystem is this?

Comment 2 Pavol Rusnak 2008-03-18 21:57:01 UTC

This filesystem allows to share files between host OS and guest OS installed in VMware.

Comment 3 Pavol Rusnak 2008-04-11 13:56:01 UTC

Any news? Package is now submitted to STABLE and is failing because of this. I will move binary to /sbin if you want.

Comment 4 Ludwig Nussel 2008-04-11 14:14:21 UTC

the package is not prepared for handling setiud binaries. Please have a look at the packaging howto. It describes how %verifyscript, attributes etc should look like. Also don't package the binary with setuid bit set by default, the package will build then.

Comment 5 Pavol Rusnak 2008-04-23 13:22:11 UTC

I submitted new package hopefully with the right use of permission scripts.

Comment 6 Ludwig Nussel 2008-04-23 13:28:45 UTC

Almost :-) %verifyscript is a tag of it's own just like %post. You've mixed %post and %verifyscript:

%post
%run_permissions
%verifyscript
%verify_permissions -e /sbin/mount.vmhgfs
/sbin/ldconfig
%{fillup_and_insserv vmware-guest}

That means that ldconfig and fillup are called when you run rpm -V rather than in %post. See also
$ rpm -qp --scripts /work/CDs/all/full-i386/suse/i586/open-vm-tools.rpm

Comment 7 Pavol Rusnak 2008-04-23 13:41:42 UTC

Submitted again :)

Comment 8 Thomas Biege 2009-03-19 12:06:11 UTC

Is a code review still needed here?

Comment 9 Pavol Rusnak 2009-03-19 12:48:37 UTC

Thomas: Yes, please.

Comment 10 Thomas Biege 2009-03-19 13:39:02 UTC

It is dir hgfsmounter/ right?

Comment 11 Thomas Biege 2009-03-19 13:39:58 UTC

Yes... checked Makefile.am ;)

Comment 12 Thomas Biege 2009-03-19 13:41:04 UTC

1.)
main() is vulnerable to a race condition as it seems and mount() would use an arbitrary traget dir.

   mntRes = mount(shareName, mountPoint, HGFS_NAME, flags, &mountInfo); // XXX tom: mountPoint can be replaced after checks above are passed!

Comment 13 Thomas Biege 2009-03-19 13:45:00 UTC

So, NO setuid root flag for this one.

Comment 14 Pavol Rusnak 2009-03-19 13:54:09 UTC

Thomas: is issue mentioned in comment #12 the only issue blocking the setuid bit ?

Comment 15 Thomas Biege 2009-03-19 14:03:06 UTC

Yes... so far I did not find anything more.

Comment 16 Thomas Biege 2009-03-22 13:36:16 UTC

Hello Dominiqie,
can you forward this issue to Dimitry too please.

Comment 17 Dominique Leuenberger 2009-03-22 13:44:45 UTC

Thomas,

Sorry, I forgot to paste the reply from Dmitry on this one:

>
> mount.vmhgfs
> ===========
> main() is vulnerable to a race condition as it seems and mount() would use
> an arbitrary traget dir.
>
> mntRes = mount(shareName, mountPoint, HGFS_NAME, flags, &mountInfo); //
> XXX tom: mountPoint can be replaced after checks above are passed!
>
> It would be great if those concerns could be addressed at an earliest
> convenience so that openSUSE (and most likely also other distributions with
> similar rules) can ship open-vm-tools with setuid properly set.
>

Hmm, we don't install vmware-hgfsmounter (AKA mount.vmhgfs) as suid root,
hgfs is being mounted by a init.d script and so works fine without it.
I will try to find out why we recommend packaging it with suid root on
out wiki.

----

Comment 18 Thomas Biege 2009-03-26 07:24:33 UTC

CVE-2009-1143

Comment 19 Thomas Biege 2009-03-26 07:37:34 UTC

Because it does not really need setuid I'll close this bug.