Bug 173443

Description Timothy Redaelli (RETIRED) 2007-04-05 10:04:47 UTC

TrueCrypt 4.3 for Linux from http://www.truecrypt.org/

It seems to be possible to perform various denial of service attacks on a Linux
computer running TrueCrypt in set-uid root mode, or possible introduce evil
binaries into normally trusted locations. I tested this on the latest
version, 4.3, which corrected another vulnerability, but it still seems
insecure.

The following command mounts a file-based container over /usr/bin. This can be
done by a non-root user provided TrueCrypt is in set-uid mode, and the file
container does not have to contain any files:

tim# truecrypt -u myvolume.tc /usr/bin

This could result in system binaries becoming inaccessible, or if the user
has copied his own binaries into the file container, they could potentially
replace legitimate system binaries with malicious ones, e.g. a /usr/bin/sudo
that does something nasty.

To do this I did the following (as non-root).

# truecrypt -c # create a FAT32 volume called test.tc
# truecrypt -u test.tc tmpdir # mount in a tmp dir in my home dir
# cd tmpdir
# cp ../badbinary ./sudo # copy in an evil binary from somewhere
# chmod +x sudo
# truecrypt -d # unmount the volume
# truecrypt -u test.tc /usr/bin # mount same volume over /usr/bin

All other system binaries (e.g. screen etc.) are now inaccessible, but if a
user (or root) runs sudo (or whatever the user names it) in the meantime before
someone realises something is wrong, the malicious binary will be executed.

Because the umount and truecrypt binaries reside in /usr/bin, if they have
been "masked" by an empty container mounted on /usr/bin, it may not be possible
to recover the system without a reboot.

It also seems possible to arbitrarily deny users local (and possibly remote)
access to the system, for example through the following command:

tim# truecrypt -u myvolume.tc /home/sally

Even if the user does not have write access to /home/sally, the unrestricted
set-uid operation means that "tim" has now "mounted over" sally's home
directory. If sally is currently logged in, her files will appear to
"disappear" because they have been mounted over. If user sally tries to log
in, in my tests she cannot then log in graphically because some of her
configuration files have become inaccessible. User sally has been denied
access to the system by a non-root user.

I believe there also may be another vulnerability here. If user sally could
log in (e.g. through a terminal), any files she writes to "/home/sally" will
actually be re-directed to the volume mounted by user tim. If the file-hosted
volume is FAT32, user tim could potentially "steal" files as they are written
not to sally's regular home directory but to the FAT32 volume. I have been
unable to test this successfully though since it seems user sally cannot log in
after this denial of service is performed.

There seems to be other ways to perform a DoS too. Mounting a volume (even if
empty) over /tmp affects operation of the system (users cannot log in through
X), and mounting over /var/log could be done to subvert system log messages to
a FAT32 volume that can be read by any user.

A "workaround" is to remove the set-uid bit from /usr/bin/truecrypt, but then
only root can mount TrueCrypt volumes. It seems there needs to be much
tigher control on where non-root users can mount their volumes to.

-- Tim Rees