5540420 2000-10-02 18:24 /110 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <13033>
Subject: Very probable remote root vulnerability in cfengine
------------------------------------------------------------

PROBLEM:
--------

cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls. Everyone, or if
access controls are being used, accepted hosts, can inject the network
daemon with a message causing a segmentation fault. As cfd is almost always
run as root due to its nature (centralized configuration management etc.),
this can be quite lethal and lead to a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him. A different fix
was applied to the newly released 1.6.0.a11 (alpha version). I got the
impression that there isn't going to be an official fix for 1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other though.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system first.
Spoofing would probably also yield similar results; the fact that there
need not be any reply from the server makes it easier.

A segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----

where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname. A longer string of %s's can also be used if that doesn't
produce good results.

If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:

-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host claiming to be 1.1.1.1 myhostname root cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M ^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe Hacker to
exploit this.

Also, other components of cfengine use the same logging functions, so a
local root exploit could also be possible, but those aren't as interesting
as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port 5308.
These can't be considered _good_ workarounds as users in the local
network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included. It applies quite cleanly to
both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkas@netcore.fi> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi       not those you stumble over and fall"

(5540420) ------------------------------------------(Re-wrapped)
Comment in text 5540421 by Brevbäraren (which is implemented in) Python

5540421 2000-10-02 18:24 /54 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <13034>
Comment on text 5540420 by Brevbäraren (which is implemented in) Python
Subject: Attachment (cfengine-1.6.0.a10-syslog.patch) to: Very probable remote root vulnerability in cfengine
------------------------------------------------------------

diff -uNr cfengine-1.6.0.a10.orig/src/log.c cfengine-1.6.0.a10/src/log.c --- cfengine-1.6.0.a10.orig/src/log.c Wed Sep 6 14:43:03 2000 +++ cfengine-1.6.0.a10/src/log.c Sun Oct 1 20:09:09 2000 @@ -71,12 +71,12 @@ if (LOGGING && IsPrivileged()) { - syslog(LOG_ERR,string,VFQNAME); + syslog(LOG_ERR,"%s",string,VFQNAME); if (strlen(errstr) != 0) { - syslog(LOG_ERR,errstr,VFQNAME); - syslog(LOG_ERR,strerror(errno),VFQNAME); + syslog(LOG_ERR,"%s",errstr,VFQNAME); + syslog(LOG_ERR,"%s",strerror(errno),VFQNAME); } } break; @@ -110,11 +110,11 @@ case cflogonly: if (LOGGING && IsPrivileged()) { - syslog(LOG_INFO,string,VFQNAME); + syslog(LOG_INFO,"%s",string,VFQNAME); if ((errstr == NULL) || (strlen(errstr) > 0)) { - syslog(LOG_ERR,errstr,VFQNAME); + syslog(LOG_ERR,"%s",errstr,VFQNAME); } } @@ -125,7 +125,7 @@ if (LOGGING && IsPrivileged()) { - syslog(LOG_ERR,string,VFQNAME); + syslog(LOG_ERR,"%s",string,VFQNAME); } if (string[strlen(string)-1] != '\n')
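Review bot: in the hunk at -71, every rewritten call keeps VFQNAME as a now-unused trailing argument, e.g. `+ syslog(LOG_ERR,"%s",string,VFQNAME);`. That is harmless to a varargs call, but it shows the old code used `string` as a template with a `%s` slot for the host name; after this patch any `%s` left in a caller's message is logged literally and the host name silently disappears. Either drop VFQNAME or pre-format, e.g. `snprintf(buf, sizeof buf, "%s %s", string, VFQNAME); syslog(LOG_ERR, "%s", buf);`. In the same hunk `strerror(errno)` is evaluated after a preceding `syslog()` call that may itself change errno; copy errno into a local before the first call (the hunk at -141 has the same two issues).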
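Review bot: in the hunk at -110, the guard `if ((errstr == NULL) || (strlen(errstr) > 0))` still lets a NULL errstr reach `+ syslog(LOG_ERR,"%s",errstr,VFQNAME);`; passing NULL for a `%s` conversion is undefined behaviour (glibc happens to print "(null)", as the advisory's log sample shows). The condition presumably meant `(errstr != NULL) && (strlen(errstr) > 0)`, matching the `strlen(errstr) != 0` test in the hunk at -71.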
@@ -141,8 +141,8 @@ if (LOGGING && IsPrivileged()) { - syslog(LOG_ERR,errstr,VFQNAME); - syslog(LOG_ERR,strerror(errno),VFQNAME); + syslog(LOG_ERR,"%s",errstr,VFQNAME); + syslog(LOG_ERR,"%s",strerror(errno),VFQNAME); } } return;

(5540421) ------------------------------------------(Re-wrapped)

5541901 2000-10-03 07:56 /25 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <13062>
Comment on text 5540420 by Brevbäraren (which is implemented in) Python
Subject: Re: Very probable remote root vulnerability in cfengine
------------------------------------------------------------
From: Ben Collins <bcollins@DEBIAN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001002171440.A8605@visi.net>

> 
> 1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
> part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
> as a package.
> 

FYI, cfd is not started by default on Debian installs, so unless the admin
enables the cfd daemon, there is no concern. However, I have compiled and
uploaded fixed packages (powerpc, sparc and i386 so far) to proposed-updates
and unstable. Expect an announcement from the security team soon.

Ben

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'

(5541901) ------------------------------------------(Re-wrapped)

5541937 2000-10-03 08:18 /60 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <13063>
Subject: Re: Very probable remote root vulnerability in cfengine
------------------------------------------------------------
From: Shaun Clowes <shaun@SECUREREALITY.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <39d910d4.d3.0@webcentral.com.au>

>As you can set %s%s%s freely, and it's passed almost without checking
>as-is to syslog(), it shouldn't be too difficult for Joe
>Hacker to exploit this.
>
>EXPLOIT:
>--------
>
>Not my business; I'm sure someone will produce one sooner or later though.

As a member of the 'security community' I can say that I certainly
appreciate each and every security vulnerability that is discovered and
reported by everyone. If security one day becomes a priority and people
are aware of the issues, the Internet will be a much safer place.

Having said that, this particular advisory is an example of something I
find extremely frustrating. This bug in particular is almost certainly
remotely exploitable, I'd agree with this; however, I don't think that
makes life very fair for the average systems administrator. If she reads
the advisory, she is told it should be vulnerable, not that it is. This
could lead her to having to upgrade a service, possibly on a critical
machine, for no reason if the problem is found to be non-exploitable.

The security community is in great danger of being a victim of its own
sensationalism. Reports of problems that don't really confirm an issue
are like the story of the 'boy who cried wolf'. There may or may not be
a wolf, but if enough times reports like this are released which turn out
not to be exploitable, massive amounts of credibility (along with sysadmin
sleep) are lost. Eventually it leads to advisories being ignored en masse.

I completely understand that some people are not capable/interested in
creating exploits for problems they find. However, it is important that
SOMEONE does before the problem is announced.

I'm sure the VULN-DEV mailing list can help here; I know my company
(SecureReality) is more than willing to help with investigating problems
people have found, and I'm sure most of the other security groups/teams
would be willing to also. In the case of SecureReality, we ensure we
successfully exploit every problem we report, from buffer overflows to
cgi input validation.

Some would say security companies have no place in writing exploits; I
couldn't disagree more. We write exploits all the time, not to hand to
script kiddies but to verify problems we find; we have no intention of
ever publishing any exploit we've written.

The security industry is full of sensationalism, which may scare people,
but given time it'll only annoy them.

I'd also just like to say that this particular advisory is fairly well
done in that it successfully shows that there is an extremely high
probability of the problem being exploited; this rant is more a result of
the continual stream of vague advisories flowing onto lists like this.

Cheers,
Shaun

(5541937) ------------------------------------------(Re-wrapped)
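The defect the advisory describes and the patch in this thread corrects, as an added C example that is not code from cfengine or from any message above: client text must reach syslog() only as data behind a literal format, and a field that should carry an address or hostname can be checked for stray conversion directives before it is logged. VFQNAME is a stand-in for cfengine's global of that name, SAMPLE_CLIENT is a constructed input, and count_format_directives() and format_log_line() are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for cfengine's VFQNAME global (assumed name, constructed value). */
static const char *VFQNAME = "cfdserver.some.domain";

/* Constructed sample shaped like the CAUTH field quoted in the advisory. */
static const char SAMPLE_CLIENT[] = "1.1.1.1 myhostname root %s%s%s%s";

/* The pattern the thread's patch changes in cfd's log.c. In the first form the
 * client-supplied text is the format string, so the "%s" directives in it are
 * interpreted by syslog(); in the second form they are just data:
 *     syslog(LOG_ERR, string, VFQNAME);        vulnerable
 *     syslog(LOG_ERR, "%s", string, VFQNAME);  patched                       */

/* Count printf conversion directives in client text ("%%" is a literal percent
 * and is not counted). A non-zero count in an address/hostname field is a
 * useful detection signal for a log monitor. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form: the template is a literal and the untrusted data only ever
 * passes through "%s", so "%s%s%s" in it is copied verbatim. Returns the
 * snprintf() result. */
int format_log_line(char *out, size_t outlen, const char *client_data)
{
    return snprintf(out, outlen,
                    "Reverse hostname lookup failed, host claiming to be %s was %s",
                    client_data, VFQNAME);
}

/* Pre-format, then hand syslog() nothing but a literal "%s" format. */
void log_untrusted(const char *client_data)
{
    char line[512];
    format_log_line(line, sizeof line, client_data);
    syslog(LOG_ERR, "%s", line);
}
```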