Hello,

It is hinted in the configuration files that an attacker could gain
access to arbitrary folders by guessing symlink paths that match
exported dirs, but this is not the case. They can get access to the root
export with certainty by simply symlinking to "../../../../../../../",
which will always return "/".

This is due to realpath() being called in the main thread which isn't
chrooted, concatenating the result with the export root to create the
export entry's final absolute path which the kernel then exports.

PS: I already sent this patch to the mailing list about the same subject
but it was poorly formatted. Changes were merged into a single commit. I
have broken it up into smaller commits and made the patch into a single
thread. Pardon the mistake, first contribution.

Thanks

Christopher Bii (5):
  nfsd_path.h - nfsd_path.c: - Configured export rootdir must now be an
    absolute path - Rootdir is into a global variable what will also be
    used to retrieve it later on - nfsd_path_nfsd_rootdir(void) is
    simplified with nfsd_path_rootdir which returns the global var
    rather than reprobing config for rootdir entry
  nfsd_path.c: - Simplification of nfsd_path_strip_root(char*)
  nfsd_path.h - nfsd_path.c: - nfsd_path_prepend_dir(const char*, const
    char*) -> nfsd_path_prepend_root(const char*)
  NFS export symlink vulnerability fix - Replaced dangerous use of
    realpath within support/nfs/export.c with nfsd_realpath variant that
    is executed within the chrooted thread rather than main thread. -
    Implemented nfsd_path.h methods to work securely within chrooted
    thread using nfsd_run_task() helper
  support/nfs/exports.c - Small changes

 support/export/export.c     |  17 +-
 support/include/nfsd_path.h |   9 +-
 support/misc/nfsd_path.c    | 362 ++++++++++++------------------------
 support/nfs/exports.c       |  49 ++---
 4 files changed, 151 insertions(+), 286 deletions(-)

--
2.47.1