
Sounds like it works exactly as described by cyphar. The OS trusts permissions that are set on the files, so if you slip it a device ‘file’ writable by anyone then it will let mere users write to the device even if it points to the root filesystem. Devices are denoted simply by numbers on the file inode in the filesystem, it's not difficult to make one that corresponds to the real disk drive.



Right, the attack would be something like:

    # On a machine where you have root, do the following in a Truecrypt volume:
    for maj in {0..4096}; do
      for min in {0..1048576}; do
        mknod block-${maj}.${min} b $maj $min
        mknod char-${maj}.${min} c $maj $min
      done
    done
    chmod a+rwx {block,char}-*

All devices which represent a block device (namely, hard drives and similar media) have some (major, minor) value. There are currently[1] 4096 values for the major number and 1048576 for the minor number, so we can just create all of them (or you could just create the first 256 since it's very rare for the number to go above that).

And now when you mount the volume on a machine (with needing root, because that's what TrueCrypt allows you to do), the mounted filesystem contains every possible block and character device with read/write permissions for every user on the system. Therefore, one of the block devices (you can check by doing an ls in /dev) will correspond to the root filesystem and the user can now read or write to it directly.

By adding "nodev", the kernel will not permit any user to access character or block device inodes on the filesystem (even if you would normally have permissions).

[1]: https://elixir.bootlin.com/linux/v5.4.3/source/include/linux...
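From the defender's side, the fix the thread describes is a per-mount flag, so it can be audited. The following is an added example (not code from the thread or from TrueCrypt) that parses /proc/self/mountinfo and lists mounts on which device inodes would still be honoured; the sample lines and the set of "trusted" mount points are assumptions.

```python
from dataclasses import dataclass

# Filesystems expected to hold device nodes; never flagged.
DEVICE_FS = {"devtmpfs", "devpts"}
# Escapes mountinfo uses in the mount point field.
_ESCAPES = {r"\040": " ", r"\011": "\t", r"\012": "\n", r"\134": "\\"}


@dataclass
class Mount:
    point: str
    fstype: str
    options: set  # per-mount flags such as rw, nosuid, nodev, noexec


def parse_mountinfo(text: str) -> list:
    """Parse /proc/self/mountinfo lines. Before ' - ': id, parent, maj:min,
    root, mount point, per-mount options, optional fields. After it: fstype,
    source, superblock options."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue  # skip blank or truncated lines
        left, right = line.split(" - ", 1)
        fields = left.split()
        point = fields[4]
        for esc, char in _ESCAPES.items():
            point = point.replace(esc, char)
        mounts.append(Mount(point, right.split()[0], set(fields[5].split(","))))
    return mounts


def mounts_missing_nodev(text: str, trusted=("/",)) -> list:
    """Mount points on which device inodes would be honoured: not a trusted
    root-managed filesystem, not a device filesystem, and no nodev flag."""
    return [m.point for m in parse_mountinfo(text)
            if m.point not in trusted and m.fstype not in DEVICE_FS
            and "nodev" not in m.options]


# Constructed sample in mountinfo format (not captured from a real host).
SAMPLE = """\
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
25 24 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw,size=4k,mode=755
40 24 7:0 / /media/tc\\040vol rw,nosuid,relatime shared:30 - ext4 /dev/mapper/truecrypt1 rw
41 24 8:17 / /media/usb rw,nosuid,nodev,relatime shared:31 - vfat /dev/sdb1 rw,fmask=0022
"""
if __name__ == "__main__":  # audit the running host
    with open("/proc/self/mountinfo") as f:
        print("device inodes honoured on:", mounts_missing_nodev(f.read()))
```

Any mount point the script prints for a user-supplied volume is one where the thread's concern applies until it is remounted with nodev.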
