FW: Very probable remote root vulnerability in cfengine

[Andrews, Martin]

Can this be confirmed - particularly, does 1.6.10a11 fix the exploit? Maybe
an announcement for this release should go out?

Martin

-----Original Message-----
From: Pekka Savola [mailto:address@hidden
Sent: Monday, October 02, 2000 2:57 AM
To: address@hidden
Subject: Very probable remote root vulnerability in cfengine


PROBLEM:
--------
cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls.  Everyone, or
if access controls are being used, accepted hosts, can inject the network
daemon with a message causing segmentation fault.  As cfd is almost always
run as root due to it's nature (centralized configuration management
etc.), this can be quite lethal and lead into a root compromise.

AUTHOR INTERACTION:
-------------------

Notified the author on 1st Oct 2000 and worked with him.  Different fix
was applied to the newly released 1.6.0.a11 (alpha version).

I got the impression that there isn't going to be an official fix for
1.5.x releases.

VERSIONS AND PLATFORMS AFFECTED:
--------------------------------

Every recent version except 1.6.0a11 released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools.  Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
though.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.

DETAILS:
--------

If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system
first.   Spoofing would probably also yield similar results; the fact
that there doesn't need not to be any reply from the server makes it
easier.

Segmentation fault can be induced as follows:

-----
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
-----
where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname.

A longer string of %s's can also be used if that doesn't produce good
results.

If the %s string is not long enough, string like the following will be
syslogged; this doesn't look good:
-----
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be 1.1.1.1 myhostname root
cfdserver.some.domain(null)1.1.1.1 nev^M  was 1.1.1.1 s%s%s^M
^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
-----

In the end, cfd dies in a segmentation fault.

As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible but those aren't as
interesting as this and will be fixed at the same time.

EXPLOIT:
--------

Not my business; I'm sure someone will produce one sooner or later though.

WORKAROUND:
-----------

Enable access controls in cfd.conf and/or firewall off TCP port
5308.  These can't be considered _good_ workarounds as users in the
local network/legit hosts can still exploit the service.

PATCH:
------

"Standard" patch to syslog calls included.  It applies quite cleanly to
both 1.5.x and 1.6.0aXX.

CREDITS:
--------

The vulnerability was found by Pekka Savola <address@hidden> while
doing a minor audit on cfengine in the light of format string
vulnerabilities.

--
Pekka Savola                 "Tell me of difficulties surmounted,
address@hidden      not those you stumble over and fall"

cfengine-1.6.0.a10-syslog.patch
Description: Text document