what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

truecrypt-dos.txt

truecrypt-dos.txt
Posted Mar 29, 2007
Authored by Tim Rees

It seems to be possible to perform various denial of service attacks on a Linux computer running TrueCrypt version 4.3 in setuid root mode, or possibly introduce evil binaries into normally trusted locations.

tags | advisory, denial of service, root
systems | linux
SHA-256 | e4f26c79524c8995fb8c937ec1f23cd1a80777c9b001146d187675f11456ae89

truecrypt-dos.txt

Change Mirror Download
TrueCrypt 4.3 for Linux from http://www.truecrypt.org/

It seems to be possible to perform various denial of service attacks on a Linux
computer running TrueCrypt in set-uid root mode, or possible introduce evil
binaries into normally trusted locations. I tested this on the latest
version, 4.3, which corrected another vulnerability, but it still seems
insecure.

The following command mounts a file-based container over /usr/bin. This can be
done by a non-root user provided TrueCrypt is in set-uid mode, and the file
container does not have to contain any files:

tim# truecrypt -u myvolume.tc /usr/bin

This could result in system binaries becoming inaccessible, or if the user
has copied his own binaries into the file container, they could potentially
replace legitimate system binaries with malicious ones, e.g. a /usr/bin/sudo
that does something nasty.

To do this I did the following (as non-root).

# truecrypt -c # create a FAT32 volume called test.tc
# truecrypt -u test.tc tmpdir # mount in a tmp dir in my home dir
# cd tmpdir
# cp ../badbinary ./sudo # copy in an evil binary from somewhere
# chmod +x sudo
# truecrypt -d # unmount the volume
# truecrypt -u test.tc /usr/bin # mount same volume over /usr/bin

All other system binaries (e.g. screen etc.) are now inaccessible, but if a
user (or root) runs sudo (or whatever the user names it) in the meantime before
someone realises something is wrong, the malicious binary will be executed.

Because the umount and truecrypt binaries reside in /usr/bin, if they have
been "masked" by an empty container mounted on /usr/bin, it may not be possible
to recover the system without a reboot.

It also seems possible to arbitrarily deny users local (and possibly remote)
access to the system, for example through the following command:

tim# truecrypt -u myvolume.tc /home/sally

Even if the user does not have write access to /home/sally, the unrestricted
set-uid operation means that "tim" has now "mounted over" sally's home
directory. If sally is currently logged in, her files will appear to
"disappear" because they have been mounted over. If user sally tries to log
in, in my tests she cannot then log in graphically because some of her
configuration files have become inaccessible. User sally has been denied
access to the system by a non-root user.

I believe there also may be another vulnerability here. If user sally could
log in (e.g. through a terminal), any files she writes to "/home/sally" will
actually be re-directed to the volume mounted by user tim. If the file-hosted
volume is FAT32, user tim could potentially "steal" files as they are written
not to sally's regular home directory but to the FAT32 volume. I have been
unable to test this successfully though since it seems user sally cannot log in
after this denial of service is performed.

There seems to be other ways to perform a DoS too. Mounting a volume (even if
empty) over /tmp affects operation of the system (users cannot log in through
X), and mounting over /var/log could be done to subvert system log messages to
a FAT32 volume that can be read by any user.

A "workaround" is to remove the set-uid bit from /usr/bin/truecrypt, but then
only root can mount TrueCrypt volumes. It seems there needs to be much
tigher control on where non-root users can mount their volumes to.

-- Tim Rees
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close