oss-sec mailing list archives
CVE-2021-42257: check_smart.pl: unprivileged user can alter hard drive settings
From: Wolfgang Frisch <wolfgang.frisch () suse com>
Date: Thu, 14 Oct 2021 19:47:12 +0200
Hello oss-security,

during a routine audit of scripts in openSUSE, I discovered a vulnerability in `check_smart.pl` [4], a plugin for systems monitoring software to monitor the values of SMART attributes of hard and solid state drives, using smartmontools in the background.

## Brief

`check_smart.pl` [1][2] from version 6.1 through 6.9 contained an insufficient input validation that allowed an unprivileged user to modify SMART settings, disable SMART monitoring entirely, shut down a drive or degrade a drive's performance by disabling its read cache. The bug was fixed with the release of version 6.9.1 [3].

## Detailed description

`check_smart.pl` needs to run as root in order to execute `smartctl`. This is achieved with an entry in `/etc/sudoers`, which allows a lesser privileged user, e.g. the one the monitoring system runs under, to execute it.

User input that is passed to `smartctl` is sufficiently validated apart from one minor oversight. The -d parameter is validated as follows:
```
if (-b $opt_dl || -c $opt_dl || $opt_dl =~ m/\/dev\/bus\/\d/) {
    # OK
} else {
    # NOT OK
}
```
Later on, this parameter is passed verbatim to smartctl:
```
my $full_command = "$smart_command -d $interface -Hi $device";
```
So an acceptable device name would be a block special device, a char special device or match the regex `/dev/bus/\d`.

Critically, this regex matches even when `/dev/bus/\d` is just a _substring_ of any arbitrary directory, for example `/tmp/dev/bus/1/sda`. This can be exploited to pass arbitrary parameters to smartctl, some of which affect the drive's behavior negatively:

### Steps to reproduce
```
su -l -s /bin/bash nagios
mkdir -p /tmp/dev/bus/1/
ln -s /dev/sda /tmp/dev/bus/1/
ls -l /tmp/dev/bus/1/sda
/usr/lib/nagios/plugins/check_smart --debug -i auto -d "/tmp/dev/bus/1/sda -s off"
SMART Disabled.
```
The upstream developer Claudio Kuenzler was very responsive and quickly remediated the problem with the release of check_smart-6.9.1 [3].

[1] https://github.com/Napsty/check_smart
[2] https://www.claudiokuenzler.com/monitoring-plugins/check_smart.php
[3] https://www.claudiokuenzler.com/blog/1068/check_smart-6.9.1-security-fix-release-pseudo-device-path
[4] https://bugzilla.suse.com/show_bug.cgi?id=1183057

Best regards,
Wolfgang

--
Wolfgang Frisch <wolfgang.frisch () suse com>
Security Engineer
OpenPGP fingerprint: A2E6 B7D4 53E9 544F BC13 D26B D9B3 56BD 4D4A 2D15
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer
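
The validation gap described in the message above, as an added Perl example that is not part of the original post, not code from check_smart.pl and not the upstream 6.9.1 fix: it runs the quoted check beside a stricter variant over constructed inputs and builds the `smartctl` call as an argument list. The function names, the allowed character set, the assumed `/dev/bus/N` pseudo-device form and the sample paths are assumptions.

```perl
#!/usr/bin/perl
# Added illustration; not code from check_smart.pl.
use strict;
use warnings;

# Check as quoted in the advisory: the regex is unanchored, so it accepts
# any string that merely contains /dev/bus/<digit> somewhere.
sub device_ok_original {
    my ($dev) = @_;
    return (-b $dev || -c $dev || $dev =~ m/\/dev\/bus\/\d/) ? 1 : 0;
}

# Stricter variant (assumption: pseudo-devices have the form /dev/bus/N).
sub device_ok_strict {
    my ($dev) = @_;
    return 0 if $dev =~ m/[^A-Za-z0-9_\/.-]/;    # no whitespace or shell metacharacters
    return 0 if $dev =~ m/\A-/;                  # must not look like an option
    return 1 if $dev =~ m{\A/dev/bus/\d+\z};     # the whole string must match
    return (-b $dev || -c $dev) ? 1 : 0;         # otherwise a real device node
}

# Build the smartctl call as a list, so the device is always exactly one
# argv element and is never re-split by a shell.
sub smartctl_argv {
    my ($interface, $dev) = @_;
    return ('smartctl', '-d', $interface, '-Hi', $dev);
}

# Constructed sample inputs (hypothetical paths).
my @samples = (
    '/dev/bus/0',
    '/tmp/dev/bus/1/sda',
    '/tmp/dev/bus/1/sda -s off',
    '/dev/bus/0 -s off',
);

for my $dev (@samples) {
    printf "%-30s original=%d strict=%d\n",
        "'$dev'", device_ok_original($dev), device_ok_strict($dev);
}

# The list would be handed to system(@argv) or a list-form pipe open,
# neither of which involves a shell; it is only printed here.
my @argv = smartctl_argv('auto', '/dev/bus/0');
print join(' | ', @argv), "\n";
```

Anchoring the pattern closes the substring match, and the list-form call independently keeps a value containing spaces from being split into extra `smartctl` options.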