undefined | Better HN

0 pointsmhogomchungu11y ago0 comments

Reads the instructions again

At step 4,you create the volume on the computer you have root access(a home computer for example),copy the program and set up necessary permission on the program

At step 5,you take the "hot" volume to another computer where you do not have root access to(like a friend's computer).On this friend computer,you open the "hot" volume and then run the suid-root program to gain root shell or run any other root command your prefer.

In a nutshell,if you are on linux and you have TrueCrypt installed,give me your computer to open my TrueCrypt volume and i can get root shell in seconds.No kidding.

The link i provided gave source code to test the exploit,if you cant or prefer not to,the check below link that speaks of the same exploit

http://vinicius777.github.io/blog/2014/07/14/truecrypt-privi...

0 comments

simoncion11y ago

I cannot repro. See this transcript:

http://pastebin.com/y958QtWh

By the way:

  $ man mount
  MOUNT(8)                     System Administration                    MOUNT(8)

  NAME
       mount - mount a filesystem

  SYNOPSIS
  <snip>
       defaults
              Use default options: rw, suid, dev, exec, auto, nouser, and async.
  <snip>

mhogomchunguOP11y ago

Its because you overrode the default option of "suid" with your "nosuid" when mounting.TrueCrypt does not do this and that is where the problem is.

To reproduce the problem,use TrueCrypt with its default mount options,or do your mounting with mount's default options.

The fundamental problem is a bad usage of mount command that comes from usage of mount's default options.You cant reproduce the problem because you changed a bad default option to a good one.

simoncion11y ago

> The fundamental problem is ... mount's default options.

This is exactly my point. You might as well complain to Ted Ts'o about the same vulnerability in ext4. Please do reply to my comment here: https://news.ycombinator.com/item?id=8060884

j / k navigate · click thread line to collapse

0 pointsmhogomchungu11y ago0 comments

Reads the instructions again

At step 4,you create the volume on the computer you have root access(a home computer for example),copy the program and set up necessary permission on the program

In a nutshell,if you are on linux and you have TrueCrypt installed,give me your computer to open my TrueCrypt volume and i can get root shell in seconds.No kidding.

The link i provided gave source code to test the exploit,if you cant or prefer not to,the check below link that speaks of the same exploit

http://vinicius777.github.io/blog/2014/07/14/truecrypt-privi...

0 comments

simoncion11y ago

I cannot repro. See this transcript:

http://pastebin.com/y958QtWh

By the way:

  $ man mount
  MOUNT(8)                     System Administration                    MOUNT(8)

  NAME
       mount - mount a filesystem

  SYNOPSIS
  <snip>
       defaults
              Use default options: rw, suid, dev, exec, auto, nouser, and async.
  <snip>

mhogomchunguOP11y ago

Its because you overrode the default option of "suid" with your "nosuid" when mounting.TrueCrypt does not do this and that is where the problem is.

To reproduce the problem,use TrueCrypt with its default mount options,or do your mounting with mount's default options.

The fundamental problem is a bad usage of mount command that comes from usage of mount's default options.You cant reproduce the problem because you changed a bad default option to a good one.

simoncion11y ago

> The fundamental problem is ... mount's default options.

This is exactly my point. You might as well complain to Ted Ts'o about the same vulnerability in ext4. Please do reply to my comment here: https://news.ycombinator.com/item?id=8060884

j / k navigate · click thread line to collapse