bug-cfengine

Re: FW: Very probable remote root vulnerability in cfengine


From: Mark . Burgess
Subject: Re: FW: Very probable remote root vulnerability in cfengine
Date: Wed, 4 Oct 2000 15:41:55 +0200 (MET DST)

In the worst case, I think that this would have been useful as a denial
of service attack, however 1.6.0.a11 fixes all the vulnerabilities which
have been noted to date.

Mark


On  4 Oct, Andrews, Martin wrote:
> Can this be confirmed - particularly, does 1.6.10a11 fix the exploit? Maybe
> an announcement for this release should go out?
> 
> Martin
> 
> -----Original Message-----
> From: Pekka Savola [mailto:address@hidden
> Sent: Monday, October 02, 2000 2:57 AM
> To: address@hidden
> Subject: Very probable remote root vulnerability in cfengine
> 
> 
> PROBLEM:
> --------
> cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
> several format string vulnerabilities in syslog() calls.  Everyone, or
> if access controls are being used, accepted hosts, can inject the network
> daemon with a message causing segmentation fault.  As cfd is almost always
> run as root due to its nature (centralized configuration management
> etc.), this can be quite lethal and lead to a root compromise.
> 
> AUTHOR INTERACTION:
> -------------------
> 
> Notified the author on 1st Oct 2000 and worked with him.  Different fix
> was applied to the newly released 1.6.0.a11 (alpha version).
> 
> I got the impression that there isn't going to be an official fix for
> 1.5.x releases.
> 
> VERSIONS AND PLATFORMS AFFECTED:
> --------------------------------
> 
> Every recent version except 1.6.0a11 released on 1st Oct 2000.
> 
> 1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
> part of Red Hat Linux or Powertools.  Debian, at least, includes cfengine
> as a package.
> 
> I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
> wouldn't be surprised if it was exploitable some way or the other
> though.
> 
> Not tested on other non-Linux platforms, but if you run cfd I suggest you
> check it out no matter the platform.
> 
> DETAILS:
> --------
> 
> If access controls are used (this is not the default) in cfd.conf or
> equivalent, the attacker must have access to an allowed system
> first.   Spoofing would probably also yield similar results; the fact
> that there need not be any reply from the server makes it
> easier.
> 
> Segmentation fault can be induced as follows:
> 
> -----
> $ telnet cfdserver 5308
> Trying x.y.z.w...
> Connected to cfdserver.some.domain.
> Escape character is '^]'.
> CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
> ^]
> telnet> quit
> Connection closed.
> -----
> where 1.1.1.1 is your IP address and myhostname is some resolvable
> hostname.
> 
> A longer string of %s's can also be used if that doesn't produce good
> results.
> 
> If the %s string is not long enough, string like the following will be
> syslogged; this doesn't look good:
> -----
> cfdserver cfd[11330]: Reverse hostname lookup failed, host
> claiming to be 1.1.1.1 myhostname root
> cfdserver.some.domain(null)1.1.1.1 nev^M  was 1.1.1.1 s%s%s^M
> ^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
> -----
> 
> In the end, cfd dies in a segmentation fault.
> 
> As you can set %s%s%s freely, and it's passed almost without checking
> as-is to syslog(), it shouldn't be too difficult for Joe
> Hacker to exploit this.
> 
> Also, other components of cfengine use the same logging functions, so
> a local root exploit could also be possible but those aren't as
> interesting as this and will be fixed at the same time.
> 
> EXPLOIT:
> --------
> 
> Not my business; I'm sure someone will produce one sooner or later though.
> 
> WORKAROUND:
> -----------
> 
> Enable access controls in cfd.conf and/or firewall off TCP port
> 5308.  These can't be considered _good_ workarounds as users in the
> local network/legit hosts can still exploit the service.
> 
> PATCH:
> ------
> 
> "Standard" patch to syslog calls included.  It applies quite cleanly to
> both 1.5.x and 1.6.0aXX.
> 
> CREDITS:
> --------
> 
> The vulnerability was found by Pekka Savola <address@hidden> while
> doing a minor audit on cfengine in the light of format string
> vulnerabilities.
> 
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> address@hidden      not those you stumble over and fall"
> 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
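The bug class the advisory describes, shown in runnable form as an added example. This is illustrative code written for this page, not cfengine source and not Pekka Savola's patch: the "vulnerable shape" in the leading comment is a schematic of a logger that hands already-formatted text to syslog() as the format argument, as the advisory says cfd did, and SAMPLE_CAUTH_ARGS is a constructed copy of the probe text from the DETAILS section. format_arg_count() shows why "%s%s%s%s%s%s%s%s" with no arguments walks off the stack frame (and why %n would be worse than a crash), and render_lookup_failure()/cf_syslog() show the fix the advisory calls the "standard" one: the format string is always a literal and network text only ever travels as a %s argument.

```c
/*
 * Added example (not cfengine code): the format-string bug class the
 * advisory describes, and how to log untrusted text safely.
 *
 * Vulnerable shape, schematic of what the advisory describes (not the
 * real cfd source):
 *
 *     snprintf(buf, sizeof buf, "... host claiming to be %s", peer_text);
 *     syslog(LOG_ERR, buf);           // buf itself is used as the FORMAT
 *
 * If peer_text is "%s%s%s%s%s%s%s%s", syslog() reads eight pointer
 * arguments that were never passed, dereferences whatever is on the stack
 * (the garbage bytes in the advisory's log excerpt), and eventually
 * faults.  A %n directive would turn the read into a write.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count the arguments a printf-style format would consume; -1 if it
 * contains %n.  Handles "%%", flags, "*" width/precision and length
 * modifiers, so it reflects what the C library would actually do. */
int format_arg_count(const char *fmt)
{
    int args = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%": literal percent */
            continue;
        while (*p && strchr("-+ #0'", *p))   /* flags */
            p++;
        if (*p == '*') { args++; p++; }      /* "*" width eats an int */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                     /* precision */
            p++;
            if (*p == '*') { args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0')                      /* dangling '%' at end */
            return args;
        if (*p == 'n')
            return -1;
        args++;                              /* one conversion, one arg */
    }
    return args;
}

/* 1 if the string could be passed as a format with zero variadic
 * arguments without reading beyond the frame, 0 otherwise. */
int format_is_inert(const char *s)
{
    return format_arg_count(s) == 0;
}

/* Constructed sample (assumption): the text following "CAUTH" in the
 * advisory's telnet probe, as cfd would have received it. */
static const char SAMPLE_CAUTH_ARGS[] = "1.1.1.1 myhostname root %s%s%s%s%s%s%s%s";

/* Hardened rendering: the format is a literal, untrusted text is only
 * ever a %s argument.  Returns characters written, or -1 on error. */
int render_lookup_failure(char *out, size_t outsz, const char *peer_text)
{
    int n = snprintf(out, outsz,
                     "Reverse hostname lookup failed, host claiming to be %s",
                     peer_text);
    return n < 0 ? -1 : n;
}

/* Hardened emission: the format given to syslog() is the constant "%s",
 * so any '%' sequences inside line are data, not directives. */
void cf_syslog(int prio, const char *line)
{
    syslog(prio, "%s", line);
}

/* Demo helper: render the sample safely, then report how many arguments
 * the rendered line would consume if someone later misused it as a format. */
int sample_rendered_arg_count(void)
{
    char line[512];
    render_lookup_failure(line, sizeof line, SAMPLE_CAUTH_ARGS);
    return format_arg_count(line);
}

int main(void)
{
    char line[512];
    render_lookup_failure(line, sizeof line, SAMPLE_CAUTH_ARGS);
    printf("rendered: %s\n", line);
    printf("as a format it would consume %d argument(s)\n", format_arg_count(line));
    printf("inert as a format? %s\n", format_is_inert(line) ? "yes" : "no");
    cf_syslog(LOG_ERR, line);   /* safe: the %s sequences stay literal */
    return 0;
}
```

The rendered line still contains the eight literal "%s" sequences, which is exactly why it must never be reused as a format later in the call chain: the fix has to hold at every syslog()/printf()-family call that sees the buffer, not just the first one, which is what the advisory's remark about other cfengine components sharing the same logging functions is pointing at.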