Bug 372070 - (CVE-2009-1143) AUDIT-0: CVE-2009-1142: open-vm-tools: suid binary
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Enhancement
Assigned To: Thomas Biege
QA Contact: Security Team bot
Reported: 2008-03-18 14:58 UTC by Pavol Rusnak
Modified: 2017-08-02 15:10 UTC
Found By: Development
Description Pavol Rusnak 2008-03-18 14:58:11 UTC
I created a new package, open-vm-tools. These are tools that can be installed when openSUSE is running in VMware. It contains one binary that should be packaged as suid root. If it is not, only root on the guest system can access shared files from the host system.

i586/open-vm-tools-2008.03.11-1.i586.rpm:
-rwsr-xr-x    1 root    root            43124 Mar 18 15:44 /usr/sbin/mount.vmhgfs
file /usr/sbin/mount.vmhgfs is packaged with suid/sgid permissions
but is not listed in any of /etc/permissions*
please contact security team
Comment 1 Marcus Meissner 2008-03-18 19:49:33 UTC
It's likely to be placed in /sbin if it is a mount helper binary.

What filesystem is this?
Comment 2 Pavol Rusnak 2008-03-18 21:57:01 UTC
This filesystem allows sharing files between the host OS and a guest OS installed in VMware.
Comment 3 Pavol Rusnak 2008-04-11 13:56:01 UTC
Any news? The package is now submitted to STABLE and is failing because of this. I will move the binary to /sbin if you want.
Comment 4 Ludwig Nussel 2008-04-11 14:14:21 UTC
The package is not prepared for handling setuid binaries. Please have a look at the packaging howto. It describes what %verifyscript, attributes etc. should look like. Also, don't package the binary with the setuid bit set by default; the package will build then.
Comment 5 Pavol Rusnak 2008-04-23 13:22:11 UTC
I submitted a new package, hopefully with the right use of permission scripts.
Comment 6 Ludwig Nussel 2008-04-23 13:28:45 UTC
Almost :-) %verifyscript is a tag of its own just like %post. You've mixed %post and %verifyscript:

%post
%run_permissions
%verifyscript
%verify_permissions -e /sbin/mount.vmhgfs
/sbin/ldconfig
%{fillup_and_insserv vmware-guest}

That means that ldconfig and fillup are called when you run rpm -V rather than in %post. See also
$ rpm -qp --scripts /work/CDs/all/full-i386/suse/i586/open-vm-tools.rpm
Comment 7 Pavol Rusnak 2008-04-23 13:41:42 UTC
Submitted again :)
Comment 8 Thomas Biege 2009-03-19 12:06:11 UTC
Is a code review still needed here?
Comment 9 Pavol Rusnak 2009-03-19 12:48:37 UTC
Thomas: Yes, please.
Comment 10 Thomas Biege 2009-03-19 13:39:02 UTC
It is dir hgfsmounter/ right?
Comment 11 Thomas Biege 2009-03-19 13:39:58 UTC
Yes... checked Makefile.am ;)
Comment 12 Thomas Biege 2009-03-19 13:41:04 UTC
1.)
main() is vulnerable to a race condition as it seems and mount() would use an arbitrary target dir.

   mntRes = mount(shareName, mountPoint, HGFS_NAME, flags, &mountInfo); // XXX tom: mountPoint can be replaced after checks above are passed!
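
An added illustration of the check-then-mount race described in comment 12 and one way to close it; this is not code from open-vm-tools. The checks run on a descriptor opened once, and mount() is handed /proc/self/fd/N so it acts on the inode that was checked. The ownership rule, all function names and the reliance on a mounted /proc are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the mount point once and run every check on the descriptor.
 * O_NOFOLLOW rejects a symlink as the final path component and O_DIRECTORY
 * rejects non-directories. The "caller must own it" rule is an assumed
 * policy. Returns an fd pinned to the checked inode, or -1. */
int open_checked_mountpoint(const char *path, uid_t caller)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != caller) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build the target string for mount(): /proc/self/fd/N resolves to the inode
 * behind fd, so renaming or replacing the original path has no effect. */
int fd_mount_target(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Check and mount against the same object instead of re-resolving the
 * user-controlled path a second time inside mount(). */
int mount_checked(const char *share, const char *path, const char *fstype,
                  unsigned long flags, const void *data)
{
    char target[64];
    int rc = -1;
    int fd = open_checked_mountpoint(path, getuid());
    if (fd < 0)
        return -1;
    if (fd_mount_target(fd, target, sizeof target) == 0)
        rc = mount(share, target, fstype, flags, data);
    close(fd);
    return rc;
}
```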
Comment 13 Thomas Biege 2009-03-19 13:45:00 UTC
So, NO setuid root flag for this one.
Comment 14 Pavol Rusnak 2009-03-19 13:54:09 UTC
Thomas: is the issue mentioned in comment #12 the only issue blocking the setuid bit?
Comment 15 Thomas Biege 2009-03-19 14:03:06 UTC
Yes... so far I did not find anything more.
Comment 16 Thomas Biege 2009-03-22 13:36:16 UTC
Hello Dominique,
can you forward this issue to Dmitry too, please?
Comment 17 Dominique Leuenberger 2009-03-22 13:44:45 UTC
Thomas,

Sorry, I forgot to paste the reply from Dmitry on this one:

>
> mount.vmhgfs
> ===========
> main() is vulnerable to a race condition as it seems and mount() would use
> an arbitrary target dir.
>
> mntRes = mount(shareName, mountPoint, HGFS_NAME, flags, &mountInfo); //
> XXX tom: mountPoint can be replaced after checks above are passed!
>
> It would be great if those concerns could be addressed at an earliest
> convenience so that openSUSE (and most likely also other distributions with
> similar rules) can ship open-vm-tools with setuid properly set.
>

Hmm, we don't install vmware-hgfsmounter (AKA mount.vmhgfs) as suid root,
hgfs is being mounted by an init.d script and so works fine without it.
I will try to find out why we recommend packaging it with suid root on
our wiki.

----
Comment 18 Thomas Biege 2009-03-26 07:24:33 UTC
CVE-2009-1143
Comment 19 Thomas Biege 2009-03-26 07:37:34 UTC
Because it does not really need setuid I'll close this bug.