
Title: Probable remote root in cfengine
Date: 2nd October 2000

The cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls.  Everyone, or,
if access controls are being used, any accepted host, can send the network
daemon a message that causes a segmentation fault.  As cfd is almost always
run as root due to its nature (centralized configuration management
etc.), this can be quite lethal and lead to a root compromise.



Notified the author on 1st Oct 2000 and worked with him.  A different fix
was applied to the newly released 1.6.0.a11 (alpha version).
I got the impression that there isn't going to be an official fix for
1.5.x releases.



Every recent version except 1.6.0a11, released on 1st Oct 2000.

1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools.  Debian, at least, includes cfengine
as a package.

I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other.

Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.



If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system
first.  Spoofing would probably also yield similar results; the fact
that there need not be any reply from the server makes it


A segmentation fault can be induced as follows:

$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH myhostname root %s%s%s%s%s%s%s%s

telnet> quit
Connection closed.


where is your IP address and myhostname is some resolvable


A longer string of %s's can also be used if that doesn't produce good


If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:

cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be myhostname root
cfdserver.some.domain(null) nev^M  was s%s%s^M
^A^Q0^D^Hj ^H^Hj


In the end, cfd dies in a segmentation fault.

As you can set the %s%s%s string freely, and it is passed almost as-is,
without checking, to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.

Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible, but those aren't as
interesting as this one and will be fixed at the same time.



Not my business; I'm sure someone will produce one sooner or later though.



Enable access controls in cfd.conf and/or firewall off TCP port
5308.  These can't be considered _good_ workarounds, as users in the
local network/legit hosts can still exploit the service.



"Standard" patch to syslog calls included.  It applies quite cleanly to
both 1.5.x and 1.6.0aXX.
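The author's patch is not reproduced on this page; as an added illustration (not cfengine code) of what such a syslog() fix changes, the vulnerable call shape is shown beside the fixed one, with snprintf() standing in for syslog() so the difference is visible in a buffer, plus a small audit helper for spotting conversion directives in received or logged text. The function names and the sample message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
/* Vulnerable pattern: attacker-controlled text (e.g. the host name
 * field of a CAUTH message) is used as the format argument, so any
 * '%' in it is interpreted as a conversion directive. snprintf()
 * stands in for syslog() so the effect can be seen in a buffer. */
int log_vulnerable(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}

/* Fixed pattern (the "standard" syslog fix): a constant format, with
 * the untrusted text passed purely as data through "%s". */
int log_fixed(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* The same fix applied to an actual syslog() call. */
void syslog_fixed(int prio, const char *untrusted)
{
    syslog(prio, "%s", untrusted);
}

/* Audit helper for reviewing received or logged text: returns 1 if the
 * string holds a conversion directive ("%s", "%n", ...); "%%" alone is
 * a literal percent sign and is not counted. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] != '%')
            return 1;    /* "%s", "%x", "%n" or a dangling '%' */
        p += 2;          /* skip the escaped "%%" */
    }
    return 0;
}
int main(void)
{
    char buf[64];
    const char *msg = "disk at 100%% full";   /* constructed sample */
    log_vulnerable(buf, sizeof buf, msg);
    printf("vulnerable: %s\n", buf);          /* disk at 100% full  */
    log_fixed(buf, sizeof buf, msg);
    printf("fixed:      %s\n", buf);          /* disk at 100%% full */
    printf("flagged: %d\n", has_format_directive("%s%s%s%s"));  /* 1 */
    return 0;
}
```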



The vulnerability was found by Pekka Savola while
doing a minor audit on cfengine in the light of format string



Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi      not those you stumble over and fall"
