Date: Mon, 2 Oct 2000 09:58:31 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: security@freebsd.org
Subject: Very probable remote root vulnerability in cfengine (fwd)
Message-ID: <Pine.LNX.4.21.0010020957240.14048-200000@netcore.fi>
[-- Attachment #1 --]

Hi,

I was unable to reproduce this in FreeBSD (ports cfengine), but you might still want to take a look -- I find it probable this may be exploitable some other way.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi       not those you stumble over and fall"

---------- Forwarded message ----------
Date: Mon, 2 Oct 2000 09:56:30 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: bugtraq@securityfocus.com
Subject: Very probable remote root vulnerability in cfengine

PROBLEM:
--------

The cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains several format string vulnerabilities in syslog() calls. Everyone, or if access controls are being used, accepted hosts, can inject the network daemon with a message causing a segmentation fault. As cfd is almost always run as root due to its nature (centralized configuration management etc.), this can be quite lethal and lead to a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him. A different fix was applied to the newly released 1.6.0.a11 (alpha version). I got the impression that there isn't going to be an official fix for 1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not part of Red Hat Linux or Powertools. Debian, at least, includes cfengine as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I wouldn't be surprised if it was exploitable some way or the other though.

Not tested on other non-Linux platforms, but if you run cfd I suggest you check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or equivalent, the attacker must have access to an allowed system first. Spoofing would probably also yield similar results; the fact that there doesn't need to be any reply from the server makes it easier.

A segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----

where 1.1.1.1 is your IP address and myhostname is some resolvable hostname.

A longer string of %s's can also be used if that doesn't produce good results. If the %s string is not long enough, a string like the following will be syslogged; this doesn't look good:

-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host claiming to be 1.1.1.1 myhostname root cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M ^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking as-is to syslog(), it shouldn't be too difficult for Joe Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so a local root exploit could also be possible, but those aren't as interesting as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port 5308. These can't be considered _good_ workarounds as users in the local network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included. It applies quite cleanly to both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkas@netcore.fi> while doing a minor audit on cfengine in the light of format string vulnerabilities.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi       not those you stumble over and fall"

[-- Attachment #2 --]

diff -uNr cfengine-1.6.0.a10.orig/src/log.c cfengine-1.6.0.a10/src/log.c
--- cfengine-1.6.0.a10.orig/src/log.c Wed Sep 6 14:43:03 2000
+++ cfengine-1.6.0.a10/src/log.c Sun Oct 1 20:09:09 2000
@@ -71,12 +71,12 @@ if (LOGGING && IsPrivileged()) { - syslog(LOG_ERR,string,VFQNAME); + syslog(LOG_ERR,"%s",string,VFQNAME); if (strlen(errstr) != 0) { - syslog(LOG_ERR,errstr,VFQNAME); - syslog(LOG_ERR,strerror(errno),VFQNAME); + syslog(LOG_ERR,"%s",errstr,VFQNAME); + syslog(LOG_ERR,"%s",strerror(errno),VFQNAME); } } break; @@ -110,11 +110,11 @@ case cflogonly: if (LOGGING && IsPrivileged()) { - syslog(LOG_INFO,string,VFQNAME); + syslog(LOG_INFO,"%s",string,VFQNAME); if ((errstr == NULL) || (strlen(errstr) > 0)) { - syslog(LOG_ERR,errstr,VFQNAME); + syslog(LOG_ERR,"%s",errstr,VFQNAME); } } @@ -125,7 +125,7 @@ if (LOGGING && IsPrivileged()) { - syslog(LOG_ERR,string,VFQNAME); + syslog(LOG_ERR,"%s",string,VFQNAME); } if (string[strlen(string)-1] != '\n') @@ -141,8 +141,8 @@ if (LOGGING && IsPrivileged()) { - syslog(LOG_ERR,errstr,VFQNAME); - syslog(LOG_ERR,strerror(errno),VFQNAME); + syslog(LOG_ERR,"%s",errstr,VFQNAME); + syslog(LOG_ERR,"%s",strerror(errno),VFQNAME); } } return;
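Review bot: In the first hunk (@@ -71), `syslog(LOG_ERR,"%s",string,VFQNAME);` keeps VFQNAME as a trailing argument that the new "%s" format never consumes, so any message in `string` that carried a `%s` placeholder for the host name now logs a literal `%s` instead of the name (the sample syslog entry in the advisory shows `cfdserver.some.domain` being substituted that way). Either drop the dead argument or use a fixed two-part format such as `syslog(LOG_ERR,"%s: %s",VFQNAME,string);` and remove the placeholder from the callers' messages. In the same block (and again in the fourth hunk, @@ -141) `strerror(errno)` is evaluated after earlier syslog() calls that may themselves change errno; save errno into a local before the first call.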
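Review bot: In the second hunk (@@ -110), the guard `if ((errstr == NULL) || (strlen(errstr) > 0))` logs precisely when errstr is NULL, so `syslog(LOG_ERR,"%s",errstr,VFQNAME);` then hands a null pointer to a "%s" conversion, which is undefined behaviour (glibc prints "(null)", as seen in the advisory's sample line; other libcs crash). The first hunk tests `strlen(errstr) != 0`, so this looks like an inverted condition; `if ((errstr != NULL) && (strlen(errstr) > 0))` matches the intent and also avoids strlen(NULL).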
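Review bot: In the third hunk (@@ -125), the context line `if (string[strlen(string)-1] != '\n')` indexes one byte before the buffer when `string` is empty; since this patch is already touching the function, add a `strlen(string) > 0` guard in front of it.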
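The patch's fix, passing attacker-controlled text only as an argument to a constant "%s" format, can be taken one step further so that the host-name substitution the original calls relied on is preserved and the CR/LF bytes visible in the sample log line cannot forge a second entry. The following C helper is an added example, not cfengine's own code; cf_sanitize, cf_format_log, cf_syslog, CF_LOGBUF and the "client sent" wording are hypothetical, and fqname stands in for what VFQNAME supplies in log.c.

```c
/* Added example, not cfengine's code: a logging helper in the spirit of the
 * patch. cf_sanitize/cf_format_log/cf_syslog are hypothetical names;
 * "fqname" stands in for what VFQNAME supplies in log.c. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define CF_LOGBUF 256

/* Copy src to dst, replacing CR, LF and other non-printable bytes with '?'
 * so client data cannot forge a second log line (cf. the "^M was ..." text
 * in the sample syslog entry). Returns the number of bytes replaced. */
size_t cf_sanitize(char *dst, size_t dstlen, const char *src)
{
    size_t i, replaced = 0;
    if (dstlen == 0)
        return 0;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isprint(c))
            replaced++;
        dst[i] = isprint(c) ? (char)c : '?';
    }
    dst[i] = '\0';
    return replaced;
}

/* Build the line with a compile-time constant format: host name and client
 * text are only ever arguments, so "%s%s%s%s" from a client is copied
 * literally. Returns the line length, or -1 if it did not fit in out. */
int cf_format_log(char *out, size_t outlen, const char *fqname,
                  const char *untrusted)
{
    char clean[CF_LOGBUF];
    int n;
    cf_sanitize(clean, sizeof clean, untrusted);
    n = snprintf(out, outlen, "%s: client sent \"%s\"", fqname, clean);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Drop-in for syslog(LOG_ERR, string, VFQNAME): the finished line goes
 * through "%s", as in the patch, and the host name is no longer lost. */
void cf_syslog(int prio, const char *fqname, const char *untrusted)
{
    char line[CF_LOGBUF];
    cf_format_log(line, sizeof line, fqname, untrusted);
    syslog(prio, "%s", line);
}
```

A truncated line is still NUL-terminated by snprintf, so cf_syslog logs what fits; callers that care can check cf_format_log's return value first.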
