Probable remote root in cfengine
2nd October 2000
The cfd daemon in GNU CFEngine ( http://www.iu.hioslo.no/cfengine/ ) contains
several format string vulnerabilities in syslog() calls. Anyone (or, if
access controls are in use, any accepted host) can send the network daemon
a message that causes a segmentation fault. As cfd is almost always run as
root due to its nature (centralized configuration management etc.), this
can be quite lethal and lead to a root compromise.
Notified the author on 1st Oct 2000 and worked with him. A different fix
was applied to the newly released 1.6.0.a11 (alpha version).
I got the impression that there isn't going to be an official fix for
VERSIONS AND PLATFORMS AFFECTED:
Every recent version except 1.6.0a11 released on 1st Oct 2000.
1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, this is not
part of Red Hat Linux or Powertools. Debian, at least, includes cfengine
as a package.
I briefly tried to reproduce this on FreeBSD 3.4 or 4.1 -- no luck; I
wouldn't be surprised if it was exploitable some way or the other
Not tested on other non-Linux platforms, but if you run cfd I suggest you
check it out no matter the platform.
If access controls are used (this is not the default) in cfd.conf or
equivalent, the attacker must have access to an allowed system
first. Spoofing would probably also yield similar results; the fact
that there doesn't need to be any reply from the server makes it
A segmentation fault can be induced as follows:
$ telnet cfdserver 5308
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 184.108.40.206 myhostname root %s%s%s%s%s%s%s%s
where 220.127.116.11 is your IP address and myhostname is some resolvable
A longer string of %s's can also be used if that doesn't produce good
If the %s string is not long enough, a string like the following will be
syslogged; this doesn't look good:
cfdserver cfd: Reverse hostname lookup failed, host
claiming to be 18.104.22.168 myhostname root
cfdserver.some.domain(null)22.214.171.124 nev^M was 126.96.36.199 s%s%s^M
In the end, cfd dies in a segmentation fault.
As you can set %s%s%s freely, and it's passed almost without checking
as-is to syslog(), it shouldn't be too difficult for Joe
Hacker to exploit this.
Also, other components of cfengine use the same logging functions, so
a local root exploit could also be possible but those aren't as
interesting as this and will be fixed at the same time.
Not my business; I'm sure someone will produce one sooner or later though.
Enable access controls in cfd.conf and/or firewall off TCP port
5308. These can't be considered _good_ workarounds as users in the
local network/legit hosts can still exploit the service.
"Standard" patch to syslog calls included. It applies quite cleanly to
both 1.5.x and 1.6.0aXX.
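To show what the "standard" patch to the syslog() calls changes, here is the bug pattern beside its fixed form. This is an added example, not the advisory's patch or cfengine's code; the function names and the buffer-backed log_to_buf stand-in for syslog() are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog() with the same printf-style contract; the result goes
 * to a caller-supplied buffer so it can be checked without a syslogd. */
static int log_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE (the bug pattern): the message, which already embeds the peer's
 * claimed hostname, is handed over as the format string. Every %s the peer
 * sent is then interpreted, pulling arguments that were never passed.
 * Kept only for contrast; never call it with untrusted input. */
int log_auth_failure_vulnerable(char *out, size_t outlen, const char *claimed)
{
    char msg[256];
    snprintf(msg, sizeof msg,
             "Reverse hostname lookup failed, host claiming to be %s", claimed);
    return log_to_buf(out, outlen, msg);   /* msg used as format: BUG */
}

/* AFTER (the "standard" fix): a constant format, attacker text only travels
 * as a %s argument, so a claimed name of "%s%s%s%s" is logged literally.
 * With the real API: syslog(LOG_ERR, "%s", msg) instead of syslog(LOG_ERR, msg). */
int log_auth_failure_fixed(char *out, size_t outlen, const char *claimed)
{
    return log_to_buf(out, outlen,
                      "Reverse hostname lookup failed, host claiming to be %s",
                      claimed);
}

int main(void)
{
    char line[512];
    /* Constructed input mirroring the advisory's CAUTH line. */
    log_auth_failure_fixed(line, sizeof line, "myhostname root %s%s%s%s%s%s%s%s");
    printf("fixed:      %s\n", line);
    /* Benign input gives identical output from both, which hides the bug. */
    log_auth_failure_vulnerable(line, sizeof line, "myhostname");
    printf("vulnerable: %s\n", line);
    return 0;
}
```

Building with gcc -Wformat -Wformat-security reports the vulnerable call pattern when the callee is a real format function such as syslog(), which is a cheap way to audit the rest of the logging code.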
The vulnerability was found by Pekka Savola while
doing a minor audit on cfengine in the light of format string
Pekka Savola
Pekka.Savola@netcore.fi
"Tell me of difficulties surmounted, not those you stumble over and fall"