Bugtraq mailing list archives
Very probable remote root vulnerability in cfengine
From: Pekka Savola <pekkas () NETCORE FI>
Date: Mon, 2 Oct 2000 09:56:30 +0300
PROBLEM:
--------

cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls. Everyone, or if
access controls are being used, accepted hosts, can inject the network
daemon with a message causing a segmentation fault. As cfd is almost always
run as root due to its nature (centralized configuration management etc.),
this can be quite lethal and lead to a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him. A different fix
was applied to the newly released 1.6.0.a11 (alpha version). I got the
impression that there isn't going to be an official fix for 1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not part
of Red Hat Linux or Powertools. Debian, at least, includes cfengine as a
package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other though.
Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system first.
Spoofing would probably also yield similar results; the fact that there
need not be any reply from the server makes it easier.

Segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----

where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname. A longer string of %s's can also be used if that doesn't produce
good results.

If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:

-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host claiming to be 1.1.1.1 myhostname root cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M ^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe Hacker to exploit
this.

Also, other components of cfengine use the same logging functions, so a
local root exploit could also be possible, but those aren't as interesting
as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port 5308.
These can't be considered _good_ workarounds as users in the local
network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included. It applies quite cleanly to
both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkas () netcore fi> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola () netcore fi    not those you stumble over and fall"
Attachment:
cfengine-1.6.0.a10-syslog.patch
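The attached patch is not reproduced in the archive. The following is an added illustration of the "standard" fix the PATCH section refers to, written for this page and not taken from cfengine or from the attachment: untrusted text must reach syslog() as an argument of a literal "%s" format, never as the format itself. The function names (log_client_line, count_conversions, escape_percent) are hypothetical, and the sample client text is constructed from the CAUTH line in the reproduction above. count_conversions is a simple check a daemon or log monitor can run on untrusted text before logging; escape_percent is an extra precaution for text that may later be handed to another printf-style layer.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * The bug class described in the advisory, shown only as a comment because a
 * non-literal format string is exactly what must never be compiled in:
 *
 *     syslog(LOG_ERR, client_text);        // client_text becomes the FORMAT
 *
 * With client_text = "%s%s%s%s", syslog() reads variadic arguments that were
 * never passed, which crashes the daemon or reads/writes memory it should not.
 */

/* Constructed sample: the body of the CAUTH line from the reproduction above. */
static const char *SAMPLE_CLIENT_TEXT = "1.1.1.1 myhostname root %s%s%s%s%s%s%s%s";

/* Hardened form (hypothetical helper): the client text is an ARGUMENT of a
 * literal format. The message is built into 'out' so a caller can inspect it
 * before passing it on as syslog(LOG_ERR, "%s", out).
 * Returns the length written, or -1 if the buffer was too small. */
int log_client_line(char *out, size_t outlen, const char *client_text)
{
    int n = snprintf(out, outlen,
                     "Reverse hostname lookup failed, host claiming to be %s",
                     client_text);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Count '%' conversion introducers in untrusted text; "%%" is a literal
 * percent sign and is not counted. A non-zero result in a protocol field
 * that should never contain '%' is worth logging (safely) and rejecting. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* escaped percent */
            count++;
        }
    }
    return count;
}

/* Belt-and-braces (hypothetical helper): double every '%' so the text stays
 * inert even if some later layer mistakenly treats it as a format string.
 * Returns 0 on success, -1 if 'out' cannot hold the result and its NUL. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outlen)
            return -1;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char msg[256];
    if (log_client_line(msg, sizeof msg, SAMPLE_CLIENT_TEXT) < 0)
        return 1;
    openlog("cfd-example", LOG_PID, LOG_DAEMON);
    syslog(LOG_WARNING, "%s", msg);   /* the %s%s%s... text is logged literally */
    closelog();
    printf("conversions in client text: %d\n%s\n",
           count_conversions(SAMPLE_CLIENT_TEXT), msg);
    return 0;
}
```

Run as is, the program writes the sample line to the local syslog with the eight `%s` sequences preserved as plain characters, which is the behaviour the patched daemon should show; the same input through the commented-out pattern is what produced the segmentation fault in the advisory.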