Date: Mon, 2 Oct 2000 09:58:31 +0300 (EEST) From: Pekka Savola <pekkas@netcore.fi> To: security@freebsd.org Subject: Very probable remote root vulnerability in cfengine (fwd) Message-ID: <Pine.LNX.4.21.0010020957240.14048-200000@netcore.fi>
Hi,

I was unable to reproduce this in FreeBSD (ports cfengine), but you might
still want to take a look -- I find it probable this may be exploitable
some other way.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi       not those you stumble over and fall"

---------- Forwarded message ----------
Date: Mon, 2 Oct 2000 09:56:30 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: bugtraq@securityfocus.com
Subject: Very probable remote root vulnerability in cfengine

PROBLEM:
--------

The cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ )
contains several format string vulnerabilities in syslog() calls.
Everyone, or if access controls are being used, accepted hosts, can
inject the network daemon with a message causing a segmentation fault.

As cfd is almost always run as root due to its nature (centralized
configuration management etc.), this can be quite lethal and lead to a
root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him.  A different fix
was applied to the newly released 1.6.0.a11 (alpha version).  I got the
impression that there isn't going to be an official fix for 1.5.x
releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools.  Debian, at least, includes cfengine
as a package.
I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other though.
Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system first.
Spoofing would probably also yield similar results; the fact that there
need not be any reply from the server makes it easier.

A segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----

where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname.  A longer string of %s's can also be used if that doesn't
produce good results.

If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:

-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host claiming to be 1.1.1.1 myhostname root cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M ^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe Hacker to
exploit this.

Also, other components of cfengine use the same logging functions, so a
local root exploit could also be possible, but those aren't as
interesting as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later
though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port 5308.
These can't be considered _good_ workarounds as users in the local
network/legit hosts can still exploit the service.
PATCH:
------

"Standard" patch to syslog calls included.  It applies quite cleanly to
both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkas@netcore.fi> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi       not those you stumble over and fall"

Attachment: cfengine-1.6.0.a10-syslog.patch

diff -uNr cfengine-1.6.0.a10.orig/src/log.c cfengine-1.6.0.a10/src/log.c
--- cfengine-1.6.0.a10.orig/src/log.c	Wed Sep  6 14:43:03 2000
+++ cfengine-1.6.0.a10/src/log.c	Sun Oct  1 20:09:09 2000
@@ -71,12 +71,12 @@
 		     
 		     if (LOGGING && IsPrivileged())
 			{
-			syslog(LOG_ERR,string,VFQNAME);
+			syslog(LOG_ERR,"%s",string,VFQNAME);
 
 			if (strlen(errstr) != 0)
 			   {
-			   syslog(LOG_ERR,errstr,VFQNAME);
-			   syslog(LOG_ERR,strerror(errno),VFQNAME);
+			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
+			   syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
 			   }
 			}
                      break;
@@ -110,11 +110,11 @@
   case cflogonly:
                     if (LOGGING && IsPrivileged())
 			{
-			syslog(LOG_INFO,string,VFQNAME);
+			syslog(LOG_INFO,"%s",string,VFQNAME);
 			
 			if ((errstr == NULL) || (strlen(errstr) > 0))
 			   {
-			   syslog(LOG_ERR,errstr,VFQNAME);
+			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
 			   }
 			}
 		     
@@ -125,7 +125,7 @@
 
 		     if (LOGGING && IsPrivileged())
 			{
-			syslog(LOG_ERR,string,VFQNAME);
+			syslog(LOG_ERR,"%s",string,VFQNAME);
 			}
  
 		     if (string[strlen(string)-1] != '\n')
@@ -141,8 +141,8 @@
 			
 			if (LOGGING && IsPrivileged())
 			   {
-			   syslog(LOG_ERR,errstr,VFQNAME);
-			   syslog(LOG_ERR,strerror(errno),VFQNAME);
+			   syslog(LOG_ERR,"%s",errstr,VFQNAME);
+			   syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
 			   }
                         }
 		     return;
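Review bot: in the first hunk (@@ -71,12) the trailing VFQNAME argument on `syslog(LOG_ERR,"%s",string,VFQNAME);` and on the two errstr/strerror lines below it is now never consumed by the literal "%s" format, so any caller that built `string` with a `%s` expecting the host name to be substituted will from now on log a literal "%s"; either drop the dead argument or, where that substitution was intended, format into a local buffer with a literal format first and log the result with "%s". While touching these lines, `strlen(errstr) != 0` in the same hunk still dereferences errstr without a NULL test, unlike the `errstr == NULL` check the second hunk shows the code already uses elsewhere.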
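Review bot: in the second hunk (@@ -110,11) the guard `if ((errstr == NULL) || (strlen(errstr) > 0))` deliberately enters the block when errstr is NULL, and the new line `syslog(LOG_ERR,"%s",errstr,VFQNAME);` then hands that NULL to "%s"; glibc happens to print "(null)" (visible in the advisory's syslog sample above) but on other libcs this is undefined behaviour and a crash inside the error path, so either test `errstr != NULL` before the call or substitute a fixed string such as "(no error string)" for the NULL case.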
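Review bot: in the last hunk (@@ -141,8) `strerror(errno)` on the second `+` line is evaluated after the preceding `syslog(LOG_ERR,"%s",errstr,VFQNAME);` has run, and syslog() can itself modify errno (it may open and write to the log socket), so the logged text can describe the logger's own failure rather than the error being reported; save errno into a local before the first syslog() call in the block and pass `strerror(saved_errno)`. The same ordering exists in the first hunk and should get the same treatment.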
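The log.c pattern the advisory describes, reproduced as an added example that is not cfengine's code or the advisory author's: the pre-patch shape `syslog(LOG_ERR, string, VFQNAME)` beside the patched `syslog(LOG_ERR, "%s", string)` shape, with snprintf() standing in for syslog() so it runs offline and its output can be checked. The names `HOST`, `log_vuln`, `log_fixed`, `render_*` and `count_directives` are this example's own, not cfd identifiers, and the peer input is constructed after the advisory's CAUTH line.

```c
/*
 * Added example: the cfd log.c format-string bug and its "%s" fix,
 * shown with snprintf() instead of syslog() so it is self-contained.
 * HOST stands in for cfd's VFQNAME (the server's own fully-qualified
 * name); all names here are this example's own, not cfd's.
 */
#include <stdio.h>
#include <string.h>

#define LINE 256

/* Constructed stand-in for VFQNAME. */
static const char *const HOST = "cfdserver.some.domain";

/*
 * Vulnerable shape, as in pre-patch log.c:
 *     syslog(LOG_ERR, string, VFQNAME);
 * `string` arrives from the remote peer (via the CAUTH line) and is used
 * as the *format*, so every % directive in it is interpreted.  One real
 * argument (HOST) is supplied, so a single %s is well-defined and simply
 * leaks it; every %s beyond that consumes an argument that was never
 * passed.  That is the undefined behaviour behind the garbage and the
 * segfault in the advisory, and this example never goes past the one
 * real argument.
 */
static int log_vuln(char *out, size_t n, const char *string)
{
    return snprintf(out, n, string, HOST);   /* format = attacker data */
}

/*
 * Patched shape:
 *     syslog(LOG_ERR, "%s", string, VFQNAME);
 * The format is a literal, `string` is consumed by %s and copied
 * verbatim, and the trailing VFQNAME the patch leaves in place is
 * simply never read (omitted here to keep the compiler quiet).
 */
static int log_fixed(char *out, size_t n, const char *string)
{
    return snprintf(out, n, "%s", string);
}

/* Wrappers returning a static buffer, for the demo below and for tests. */
static char line[LINE];

const char *render_vuln(const char *string)
{
    log_vuln(line, sizeof line, string);
    return line;
}

const char *render_fixed(const char *string)
{
    log_fixed(line, sizeof line, string);
    return line;
}

/*
 * Audit helper: how many conversion directives an untrusted string would
 * trigger if it were ever used as a format.  Every '%' counts except the
 * escaped pair "%%".  A non-zero result on peer-supplied data is exactly
 * the condition the advisory's %s%s%s... payload exploits.
 */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed peer input modelled on the advisory's CAUTH line. */
    const char *peer = "CAUTH 1.1.1.1 myhostname root %s";

    printf("vulnerable : %s\n", render_vuln(peer));   /* HOST substituted */
    printf("patched    : %s\n", render_fixed(peer));  /* literal "%s" kept */
    printf("directives : %zu\n", count_directives("%s%s%s%s%s%s%s%s"));
    return 0;
}
```

Note that `-Wformat-security` only warns when a non-literal format is passed with no arguments at all; because log.c always passed VFQNAME, a compiler would have stayed silent on the vulnerable lines, which is why a source audit for `syslog(`/`printf(`-family calls whose format is not a string literal is the more reliable check.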
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.21.0010020957240.14048-200000>