Summary
FOG through 1.5.10 allows local users to gain privileges by mounting a crafted NFS share. To exploit the vulnerability, someone needs to mount an NFS share and add an executable file as root. In addition, the SUID bit must be set on this file.
Details
echo -e "$storageLocation *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)\n$storageLocation/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)" > "$nfsconfig"
Source: fogproject/lib/common/functions.sh, line 1360 in a4bb1bf
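To check an existing server for the exports that this installer line writes, the following added example (not part of the advisory or the FOG code base) scans an exports file and reports every client entry that carries no_root_squash. The function names, the severity labels and the /images path in the sample are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not FOG project code): list exports entries that disable
# root squashing. Severity labels are this example's own heuristic.

# audit_exports FILE -> one line per risky entry: SEVERITY PATH CLIENT OPTIONS
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {            # each field is client(opt,opt,...)
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1, length($i) - p - 1)
        }
        if (client == "") client = "*"       # "(opts)" alone applies to any host
        squash_off = 0; rw = 0
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "no_root_squash") squash_off = 1
          if (o[j] == "rw") rw = 1
        }
        if (!squash_off) continue
        sev = (client == "*") ? (rw ? "CRITICAL" : "HIGH") : "MEDIUM"
        printf "%s %s %s no_root_squash%s\n", sev, path, client, (rw ? ",rw" : "")
      }
    }' "$1"
}

# Constructed sample: the two exports the installer line writes, with
# storageLocation assumed to be /images, plus one root-squashed entry.
sample_exports() {
  cat <<'EOF'
/images *(ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
/srv/share 192.0.2.0/24(rw,sync,root_squash,no_subtree_check)
EOF
}

demo_file=$(mktemp)
sample_exports > "$demo_file"
audit_exports "$demo_file"
rm -f "$demo_file"
```

On a FOG server, call `audit_exports /etc/exports`; every line it prints is an export on which a remote root user keeps UID 0.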
PoC
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
Impact
Privilege Escalation
Solution
Patching instructions are posted here:
https://forums.fogproject.org/topic/17486/fog-1-5-10-and-earlier-nfs-privilege-escalation-vulnerability