5540420 2000-10-02  18:24  /110 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13033>
Subject: Very probable remote root vulnerability in cfengine
------------------------------------------------------------
PROBLEM:
--------
cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls.  Everyone, or
if access controls are being used, accepted hosts, can inject the network
daemon with a message causing a segmentation fault.  As cfd is almost always
run as root due to its nature (centralized configuration management
etc.), this can be quite lethal and lead to a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him.  A different
fix was applied to the newly released 1.6.0.a11 (alpha version).

I got the impression that there isn't going to be an official fix for
1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools.  Debian, at least, includes
cfengine as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
though.

Not tested on other non-Linux platforms, but if you run cfd I suggest
you check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system
first.   Spoofing would probably also yield similar results; the fact
that there need not be any reply from the server makes it
easier.

A segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----
where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname.

A longer string of %s's can also be used if that doesn't produce good
results.

If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:
-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be 1.1.1.1 myhostname root
cfdserver.some.domain(null)1.1.1.1 nev^M  was 1.1.1.1 s%s%s^M
^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible but those aren't as
interesting as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later
though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port
5308.  These can't be considered _good_ workarounds as users in the
local network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included.  It applies quite cleanly
to both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkas@netcore.fi> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi      not those you stumble over and fall"
(5540420) ------------------------------------------(Reflowed)
Comment in text 5540421 by Brevbäraren (som är implementerad i) Python
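Added example (not code from the advisory or from cfengine) of the defensive pattern the PATCH section aims at: the hostname is substituted with a constant format first, and the finished message reaches syslog() only as the argument of a literal "%s", so client-supplied text such as the CAUTH line above is never interpreted as a format. VFQNAME, the function names and the message wording are assumptions standing in for cfengine's own.

```c
/* Added example, not cfengine code: compose the log line with a constant
 * format, then hand the result to syslog() behind a literal "%s". */
#include <stdio.h>
#include <syslog.h>
#define VFQNAME "cfdserver.some.domain"   /* assumed stand-in for cfengine's host name */

/* Build the "Reverse hostname lookup failed" message. `claimed` is the
 * untrusted text from the client's CAUTH line and is only ever a %s
 * argument, never the format. Returns the length, or -1 if it did not fit. */
int build_lookup_failed_msg(char *out, size_t outlen, const char *claimed)
{
    int n = snprintf(out, outlen,
                     "Reverse hostname lookup failed, host claiming to be %s (server %s)",
                     claimed, VFQNAME);
    if (n < 0 || (size_t)n >= outlen)
        return -1;       /* truncated: refuse rather than log a partial line */
    return n;
}

/* Safe replacement for syslog(LOG_ERR, string, VFQNAME): the only format
 * string that reaches syslog() is the literal "%s". */
void log_safe(int priority, const char *msg)
{
    syslog(priority, "%s", msg);
}

/* Build the message for `claimed` and count the '%' signs that survived
 * verbatim (-1 on truncation); 8 for the advisory's %s%s%s%s%s%s%s%s line. */
int surviving_percents(const char *claimed)
{
    char buf[256];
    int c = 0;
    if (build_lookup_failed_msg(buf, sizeof buf, claimed) < 0)
        return -1;
    for (const char *p = buf; *p != '\0'; p++)
        c += (*p == '%');
    return c;
}

int main(void)
{
    char buf[256];   /* constructed input mirroring the advisory's telnet session */
    if (build_lookup_failed_msg(buf, sizeof buf, "1.1.1.1 myhostname root %s%s%s%s%s%s%s%s") < 0)
        return 1;
    openlog("cfd-example", LOG_PID, LOG_DAEMON);
    log_safe(LOG_ERR, buf);      /* logged verbatim, %s signs and all */
    closelog();
    return 0;
}
```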

5540421 2000-10-02  18:24  /54 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13034>
Comment on text 5540420 by Brevbäraren (som är implementerad i) Python
Subject: Attachment (cfengine-1.6.0.a10-syslog.patch) to: Very probable remote root vulnerability in cfengine
------------------------------------------------------------
diff -uNr cfengine-1.6.0.a10.orig/src/log.c
cfengine-1.6.0.a10/src/log.c
--- cfengine-1.6.0.a10.orig/src/log.c	Wed Sep  6 14:43:03 2000
+++ cfengine-1.6.0.a10/src/log.c	Sun Oct  1 20:09:09 2000
@@ -71,12 +71,12 @@
 		     
 		     if (LOGGING && IsPrivileged())
 			{
-			syslog(LOG_ERR,string,VFQNAME);
+			syslog(LOG_ERR,"%s",string,VFQNAME);
 
 			if (strlen(errstr) != 0)
 			   {
-			   syslog(LOG_ERR,errstr,VFQNAME);
-			   syslog(LOG_ERR,strerror(errno),VFQNAME);
+			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
+			   syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
 			   }
 			}
                      break;
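Review bot: each changed call keeps VFQNAME as a trailing argument that the new literal "%s" format never consumes, so if `string` or `errstr` was composed with its own `%s` to receive the hostname, that `%s` is now logged literally and the hostname is dropped; either drop the VFQNAME argument or build the line first with a constant format (snprintf into a buffer) and pass the buffer as the single "%s" argument. Separately, `syslog(LOG_ERR,"%s",errstr,VFQNAME);` runs before `strerror(errno)` and syslog() may change errno, so save errno into a local before the first call. The shape of the fix is right: no attacker-influenced text is used as a format any more.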
@@ -110,11 +110,11 @@
    case cflogonly:
                      if (LOGGING && IsPrivileged())
 			{
-			syslog(LOG_INFO,string,VFQNAME);
+			syslog(LOG_INFO,"%s",string,VFQNAME);
 			
 			if ((errstr == NULL) || (strlen(errstr) > 0))
 			   {
-			   syslog(LOG_ERR,errstr,VFQNAME);
+			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
 			   }
 			}
 		     
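Review bot: the guard `if ((errstr == NULL) || (strlen(errstr) > 0))` lets a NULL errstr reach `syslog(LOG_ERR,"%s",errstr,VFQNAME);`, and passing NULL for a %s conversion is undefined behaviour (glibc prints "(null)", other libcs crash); the intended condition is presumably `(errstr != NULL) && (strlen(errstr) > 0)`. The unused trailing VFQNAME argument applies here as in the first hunk.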
@@ -125,7 +125,7 @@
 
 		     if (LOGGING && IsPrivileged())
 			{
-			syslog(LOG_ERR,string,VFQNAME);
+			syslog(LOG_ERR,"%s",string,VFQNAME);
 			}
  
 		     if (string[strlen(string)-1] != '\n')
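Review bot: the unchanged context `if (string[strlen(string)-1] != '\n')` indexes one byte before the buffer when `string` is empty; guard it with `strlen(string) > 0` while this function is being touched. The "%s" change above has the same unused VFQNAME argument noted for the first hunk.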
@@ -141,8 +141,8 @@
 			
 			if (LOGGING && IsPrivileged())
 			   {
-			   syslog(LOG_ERR,errstr,VFQNAME);
-			   syslog(LOG_ERR,strerror(errno),VFQNAME);
+			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
+			   syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
 			   }
                         }
 		     return;
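Review bot: as in the first hunk, `strerror(errno)` is evaluated after a syslog() call that may have modified errno, so the second line can report the wrong error; capture errno in a local before logging errstr. VFQNAME is again passed to a "%s" format that does not use it.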
(5540421) ------------------------------------------(Reflowed)

5541901 2000-10-03  07:56  /25 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13062>
Comment on text 5540420 by Brevbäraren (som är implementerad i) Python
Subject: Re: Very probable remote root vulnerability in cfengine
------------------------------------------------------------
From: Ben Collins <bcollins@DEBIAN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001002171440.A8605@visi.net>

>
> 1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
> part of Red Hat Linux or Powertools.  Debian, at least, includes cfengine
> as a package.
>

FYI, cfd is not started by default on Debian installs, so unless the
admin enables the cfd daemon, there is no concern. However, I have
compiled and uploaded fixed packages (powerpc, sparc and i386 so far)
to proposed-updates and unstable. Expect an announcement from the
security team soon.

Ben

--
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
(5541901) ------------------------------------------(Reflowed)

5541937 2000-10-03  08:18  /60 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13063>
Subject: Re: Very probable remote root vulnerability in cfengine
------------------------------------------------------------
From: Shaun Clowes <shaun@SECUREREALITY.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <39d910d4.d3.0@webcentral.com.au>

>As you can set %s%s%s freely, and it's passed almost without checking
>as-is to syslog(), it shouldn't be too difficult for Joe
>Hacker to exploit this.
>
>EXPLOIT:
>--------
>
>Not my business; I'm sure someone will produce one sooner or later though.


As a member of the 'security community' I can say that I certainly
appreciate each and every security vulnerability that is discovered
and reported by everyone.  If security one day becomes a priority and
people are aware of the issues, the Internet will be a much safer
place.

Having said that, this particular advisory is an example of something
I find extremely frustrating. This bug in particular is almost
certainly remotely exploitable, I'd agree with this, however, I don't
think that makes life very fair for the average systems
administrator. If she reads the advisory, she is told it should be
vulnerable not that it is. This could lead her to having to upgrade a
service, possibly on a critical machine for no reason if the problem
is found to be non-exploitable.

The security community is in great danger of being a victim of its
own sensationalism.  Reports of problems that don't really confirm an
issue are like the story of the 'boy who cried wolf'. There may or
may not be a wolf, but if enough times reports like this are released
which turn out not to be exploitable, massive amounts of credibility
(along with sysadmin sleep) are lost. Eventually it leads to
advisories being ignored en masse.

I completely understand that some people are not capable/interested
in creating exploits for problems they find. However, it is important
that SOMEONE does before the problem is announced. I'm sure the
VULN-DEV mailing list can help here, I know my company
(SecureReality) is more than willing to help with investigating
problems people have found, and I'm sure most of the other Security
groups/teams would be willing to also.

In the case of SecureReality, we ensure we successfully exploit every
problem we report, from buffer overflows to cgi input
validation. Some would say security companies have no place in
writing exploits, I couldn't disagree more. We write exploits all the
time, not to hand to script kiddies but to verify problems we find,
we have no intention of ever publishing any exploit we've written.


The security industry is full of sensationalism, which may scare
people, but given time it'll only annoy them.

I'd also just like to say that this particular advisory is fairly
well done in that it successfully shows that there is an extremely
high probability of the problem being exploited, this rant is more a
result of the continual stream of vague advisories flowing onto lists
like this.

Cheers,
Shaun
(5541937) ------------------------------------------(Reflowed)