OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Very probable remote root vulnerability in cfengine
From: Pekka Savola (pekkasNETCORE.FI)
Date: Mon Oct 02 2000 - 01:56:30 CDT


PROBLEM:
--------
cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls. Everyone, or
if access controls are being used, accepted hosts, can inject the network
daemon with a message causing segmentation fault. As cfd is almost always
run as root due to it's nature (centralized configuration management
etc.), this can be quite lethal and lead into a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him. Different fix
was applied to the newly released 1.6.0.a11 (alpha version).

I got the impression that there isn't going to be an official fix for
1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
though.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system
first. Spoofing would probably also yield similar results; the fact
that there doesn't need not to be any reply from the server makes it
easier.

Segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----
where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname.

A longer string of %s's can also be used if that doesn't produce good
results.

If the %s string is not long enough, string like the following will be
syslogged; this doesn't look good:
-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be 1.1.1.1 myhostname root
cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M
^A^Q0^D^Hj ^H^Hj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible but those aren't as
interesting as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port
5308. These can't be considered _good_ workarounds as users in the
local network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included. It applies quite cleanly to
both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <pekkasnetcore.fi> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savolanetcore.fi      not those you stumble over and fall"


  • TEXT/PLAIN attachment: stored