Why is "nodev" in /etc/fstab so important? How can character devices be used for hacking?

mount security devices fstab

17,799

Because access to the underlying device is controlled only by file permissions by default, so if your USB stick contains a POSIX filesystem with a world-writable device node corresponding to a real device in the system, you can use that device node to access the corresponding device as a "plain" user. Imagine a device corresponding to one of the audio devices, your webcam, /dev/sda (which is a block device rather than a character device, but the argument is the same)...

Here's an example to make things clearer. Say you want to access /dev/sda (then you can pretty much do anything you want with the contents of the disk, including planting a program which would allow you to become root; this is a block device but the problem is the same with character devices). On your target system, ls -l /dev/sda shows

brw-rw----  1 root disk      8,   0 Sep  8 11:25 sda

This means /dev/sda is a block device (the b at the beginning of the line), with major number 8 and minor number 0 (the 8, 0 in the middle of the line). The device is only accessible to root (read/write) and members of the disk group (also read/write).

Now imagine on this system you can't become root but for some reason you can mount USB sticks as a user without nodev. On another system, where you are root, you can create a corresponding special file on your USB key:

mknod -m 666 usersda b 8 0

This will create a special file called usersda, readable and writable by everyone.

Mount the key on your target system and hey presto, you can use the usersda device in the same way as /dev/sda, but with no access restriction...

(This will work even with encrypted file systems, as long as you are able to access the decrypted mapper device: create device which matches the appropriate /dev/mapper entry.)

17,799

rosix

Updated on September 18, 2022

Comments

rosix over 1 year
I am learning about linux security and struggling to understand why a USB stick with a character device on it is potentially dangerous.

If I have a USB stick with a bash executable that has setuid root on it, the danger is obvious: Anybody with such a USB stick can gain root privileges on my computer if I have an entry like
```
/dev/sdb1 /media/usbstick auto defaults 0 0
```
in my /etc/fstab because defaults includes suid.

But what about character devices? How can I use a character device to gain root privileges or break stuff if a USB stick with a character device on it gets mounted with dev or defaults?
rosix about 9 years

That sounds interesting! But I'm not sure I understand it. A device is a file and files are accessed through inodes. The fake device on my USB stick would have a different inode and therefore it would be a different device, wouldn't it?
Stephen Kitt about 9 years

A device is a special file, with a major and minor number; you can see those if you do ls -l /dev, they're the two numbers which appear instead of the file size. The kernel matches a device special file with a driver using those numbers, so you can have multiple files which point to the same kernel driver and device. The special files are created using mknod.
telcoM over 5 years

Note that /dev/tty* devices are character devices, and an intruder gaining full read/write access to your terminal sessions and/or the system console combined with abusing terminal emulator features might allow all kinds of nasty tricks...
Stephen Kitt over 5 years

@telcoM I was considering writing that up too, but setting up a MITM tty attack takes a bit longer to describe correctly ;-) (to read passwords and the like).
The Quark almost 5 years

@StephenKitt So when in the man page of mount it says dev: Interpret character or block special devices on the filesystem. and nodev: Do not interpret character or block special devices on the file system., "interpret" actually means "matching the device special file with the corresponding driver"?
Stephen Kitt almost 5 years

@TheQuark pretty much, yes. It’s a little more general; I’d say “interpret” means “treat device files as device nodes, not plain files”.
n00b almost 5 years

"Mount the key on your target system and hey presto, you can use the usersda device in the same way as /dev/sda, but with no access restriction..." can you expand on this a little? if i mount the usb stick (/dev/sdb1), then i still need to then mount "usersda" file on the stick, which requires root privileges (unless there is also an fstab entry for the "usersda" file as well). in addition when I tried it just now locally, the files of that mounted 'usdersda' file have the same permissions applied to it as, as the original disk (I dont have write access to /etc/passwd for example). What gives?
Stephen Kitt almost 5 years

@n00b you can’t mount usersda, but you can at least use it to read from the underlying disk with no restrictions, and possibly write to it as well. You can easily copy all the disk’s contents, and with tools such as debuge2fs, overwrite /etc/shadow etc.