Subject: Very probable remote root vulnerability in cfengine
From: Pekka Savola (pekkasNETCORE.FI)
Date: Mon Oct 02 2000 - 01:56:30 CDT

The cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls. Anyone (or, if
access controls are being used, any accepted host) can send the network
daemon a message that causes a segmentation fault. As cfd is almost always
run as root due to its nature (centralized configuration management
etc.), this can be quite lethal and lead to a root compromise.


Notified the author on 1st Oct 2000 and worked with him. A different fix
was applied to the newly released 1.6.0.a11 (alpha version).

I got the impression that there isn't going to be an official fix for
1.5.x releases.


Every recent version is affected, except 1.6.0a11, released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.


If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must first have access to an allowed system.
Spoofing would probably also yield similar results; the fact that there
need not be any reply from the server makes it

Segmentation fault can be induced as follows:

$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH myhostname root %s%s%s%s%s%s%s%s
telnet> quit
Connection closed.
where is your IP address and myhostname is some resolvable

A longer string of %s's can also be used if that doesn't produce good

If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be myhostname root
cfdserver.some.domain(null) nev^M was s%s%s^M
^A^Q0^D^Hj ^H^Hj

In the end, cfd dies in a segmentation fault.

As you can set the %s%s%s string freely, and it is passed to syslog()
almost as-is, without checking, it shouldn't be too difficult for Joe
Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible, but those aren't as
interesting as this one and will be fixed at the same time.


Not my business; I'm sure someone will produce one sooner or later though.


Enable access controls in cfd.conf and/or firewall off TCP port
5308. These can't be considered _good_ workarounds, as users on the
local network (legit hosts) can still exploit the service.


"Standard" patch to syslog calls included. It applies quite cleanly to
both 1.5.x and 1.6.0aXX.
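The following is an added example, not cfengine's code or the patch attached to this post: it shows the syslog() misuse described above (peer data used as the format string), the constant-format shape that the "standard" patch applies, and two defensive helpers for log lines built from peer-supplied text. Function names are made up for the example; POSIX syslog(3) is assumed.

```c
/* Added example (not cfengine's own code): the syslog() misuse behind the
 * cfd bug, the constant-format fix, and two defensive helpers.
 * Assumes POSIX syslog(3); all names are made up for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable shape, shown for reference only (not compiled here):
 *     syslog(LOG_ERR, msg);    -- msg came straight from the CAUTH line
 * With "%s%s%s%s" in msg, syslog() dereferences stack slots as strings. */

/* Fixed shape: the format is a constant and the peer data is an argument,
 * so a '%' in msg is just a byte to copy. */
void log_claim_fixed(const char *msg)
{
    syslog(LOG_ERR, "%s", msg);
}

/* Build the "host claiming to be ..." line with a constant format.
 * Returns the length the full line needs, as snprintf does. */
int build_claim_line(char *dst, size_t cap, const char *host, const char *user)
{
    return snprintf(dst, cap, "Reverse hostname lookup failed, host claiming to be %s %s", host, user);
}

/* Count conversion directives planted in peer text ("%%" is a literal
 * percent, not counted); usable as a pre-log check or a detection rule. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Copy src into dst, replacing control bytes (the ^M/^A/^Q in the post's
 * log excerpt) with '?' so a hostile hostname cannot forge log lines. */
size_t sanitize_for_log(char *dst, size_t cap, const char *src)
{
    size_t i = 0;
    if (cap == 0) return 0;
    for (; *src && i + 1 < cap; src++, i++)
        dst[i] = isprint((unsigned char)*src) ? *src : '?';
    dst[i] = '\0';
    return i;
}
```

Running count_directives() over the CAUTH line from the telnet session above reports 8 directives, which is the kind of signal a log monitor can alert on.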


The vulnerability was found by Pekka Savola <pekkasnetcore.fi> while
doing a minor audit on cfengine in the light of format string

Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savolanetcore.fi      not those you stumble over and fall"
