Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 27 Oct 2023 15:25:16 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Security issues in passim local caching server

Hello list,

this is a report about findings in the passim [1] local caching server.

1) Introduction
===============

Passim is a relatively new project for a local caching server that helps
distributing publicly available files in local networks to save network
bandwidth. It is a dependency of new fwupd [2] releases, which is why it
has come to our attention.

Passim consists of a daemon component running as a separate passim user
and group. The daemon offers a local D-Bus interface over which only the
root user may publish or unpublish files on the network. Non-root users
may only inspect the available items via D-Bus.

Furthermore the daemon announces all cached items via the Ahavi
discovery protocol. For retrieval of individual items a small libsoup
based HTTP server is integrated into the daemon, listening on port
25000.

A small command line programm `passim` allows to interact with the
daemon's D-Bus interface.

The findings in this report are based on the upstream release tag 0.1.3.

2) Findings
===========

2.1) Remote DoS Against `passimd` by Triggering NULL Pointer Dereference
------------------------------------------------------------------------

When accessing a URL different from the root "/" and without passing any
parameters "?" then a segmentation fault is the result in passim-server.c:751
(null pointer dereference, because there is no request).

Example:

    root# curl -v -k 'https://localhost:27500/myfile'
    root# journalctl -u passim.service | tail -n 5
    Oct 25 12:45:24 mybox passimd[5091]: accepting HTTP/1.1 GET /myfile  from ::1:39278 (loopback)
    Oct 25 12:45:24 mybox passimd[5091]: g_strsplit: assertion 'string != NULL' failed
    Oct 25 12:45:29 mybox systemd[1]: passim.service: Main process exited, code=dumped, status=11/SEGV
    Oct 25 12:45:29 mybox systemd[1]: passim.service: Failed with result 'core-dump'.

Upstream has library settings in effect to abort on failing assertions
instead of trying to continue, to prevent possible memory access errors
from becoming exploitable.

This issue is fixed via upstream commit 1f7bcea [3].

2.2) Serving Static Files from a Directory owned by Unprivileged Users
----------------------------------------------------------------------

Passim supports the configuration of static directories on the local
file system, whose content will be processed and published upon startup.

Consider a directory controlled by 'nobody':

    root# cat /etc/passim.d/nobody.conf
    [passim]
    Path=/var/lib/nobody/passim

There's two things that I found problematic in such a scenario.

### a) Placing Inaccessible Files in the Directory

    root# sudo -u nobody -g nobody /bin/bash
    nobody$ mkdir /var/lib/nobody/passim
    nobody$ touch /var/lib/nobody/passim/somefile
    nobody$ chmod 000 /var/lib/nobody/passim/somefile

This will prevent future starts of `passimd`:

    root# systemctl restart passim.service
    Job for passim.service failed because the control process exited with error code.
    See "systemctl status passim.service" and "journalctl -xeu passim.service" for details.
    root# journalctl -u passim.service | tail -n 6
    Oct 25 12:56:58 mybox passimd[5330]: scanning /var/lib/nobody/passim
    Oct 25 12:56:58 mybox passimd[5330]: failed to scan sysconfpkg directory: Error opening file /var/lib/nobody/passim/somefile: Permission denied
    Oct 25 12:56:58 mybox systemd[1]: passim.service: Main process exited, code=exited, status=1/FAILURE
    Oct 25 12:56:58 mybox systemd[1]: passim.service: Failed with result 'exit-code'.
    Oct 25 12:56:58 mybox systemd[1]: Failed to start Local Caching Server.

This opens a local DoS vector against passimd for the unprivileged user
that owns the directory. This is also valid for other situations like a
FIFO placed there, broken symlinks or symlinks to inaccessible locations
as well as race conditions (time of readdir() vs. time of open()).

This has at least partially been addressed by upstream commit f4c34bd3.

### b) Placing Symlinks to Otherwise Inaccessible Data in the Directory

Although `passimd` runs with low privileges by default there are some
interesting files that a local attacker might want to get their hands
on. Since `passimd` follows symlinks in the directory one could try to
"publish" files from /proc/<pidof passimd> by placing symlinks. This is
somewhat difficult though, since a race condition has to be won (the PID
of a starting `passimd` needs to be known to place a proper symlink).
Also there are not that many interesting files in there I believe. E.g.
/proc/<pid>/mem cannot be shared this way, since it cannot be read
sequentially.

A much simpler attack is to publish the SSL private key of `passimd` though:

    root# sudo -u nobody -g nobody /bin/bash
    nobody$ mkdir /var/lib/nobody/passim
    nobody$ ln -s /var/lib/passim/secret.key /var/lib/nobody/passim/secret

    root# systemctl restart passim.service
    root# passim dump
    passimd is running
    1c69e7e4d7b7ed655eafa94942a5ef04f7c7688a0519be387133176154f58fe6 secret size:2.5 kB
    root# sha256sum /var/lib/passim/secret.key
    1c69e7e4d7b7ed655eafa94942a5ef04f7c7688a0519be387133176154f58fe6  /var/lib/passim/secret.key

From here on the local attacker can simply download the now shared
"secret key" from localhost.

It has to be noted that this SSL private key has no security purpose in
passimd but only serves to prevent network traffic security scanners
from raising alarm over unencrypted traffic.

Thus currently there is no known information leak using this attack that
has attacker value. It is still crossing of a security boundary and
could be problematic in the future.

Upstream issue #26 [5] deals with this issue but is not yet completely
fixed, due to a remaining race condition.

Bugfix Release and Upstream Reporting
=====================================

I reported these issues to the upstream author on 2023-10-25. No
coordinated disclosure was desired so bugfixes have been and still are
developed publicly over the GitHub issue tracker.

There are some disagreements with upstream about whether these issues
are qualifying as security issues. I believe they are. Due to this no
CVEs have been assigned as of now.

Passim is packaged, to my knowledge, in Fedora Linux and Arch Linux
already. Otherwise it should not be widespread.

Upstream is working on a new release of Passim containing fixes for
these and some other non-security issues I reported as well.

References
==========

[1]: https://github.com/hughsie/passim
[2]: https://github.com/fwupd/fwupd
[3]: https://github.com/hughsie/passim/issues/25
[4]: https://github.com/hughsie/passim/commit/4cba26103daab69aedf584ae3a69ba48f4c34bd3
[5]: https://github.com/hughsie/passim/issues/26

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.