Message-ID: <CAATysseZ6_QHzftBA3Szh0zdV4RRwJXp_uAY2Nb0hrwnhBQtpg@mail.gmail.com>
Date: Sun, 1 Jul 2012 00:10:54 +0200
From: "Simon ." <bofh666ftw@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CVE-2012-2945 hadoop-env symlink vulnerability
Software : hadoop-1.0.3
Vulnerability : Symlink
Problem type : local
CVE ID : CVE-2012-2945
Date : May 28, 2012
Affected : min May 08, 2012
Symptom:
$ echo $JAVA_HOME
/usr/lib/jvm/java-7-openjdk
$ file /tmp/hadoop-root-tasktracker.pid
/tmp/hadoop-root-tasktracker.pid: symbolic link to `/etc/passwd-'
$ sh bin/start-all.sh
starting namenode, logging to /home/cloudopfer/src/hadoop-1.0.3/libexec/../logs/hadoop-root-namenode-t0.out
root@...alhost's password:
localhost: starting datanode, logging to /home/cloudopfer/src/hadoop-1.0.3/libexec/../logs/hadoop-root-datanode-t0.out
root@...alhost's password:
localhost: starting secondarynamenode, logging to /home/cloudopfer/src/hadoop-1.0.3/libexec/../logs/hadoop-root-secondarynamenode-t0.out
starting jobtracker, logging to /home/cloudopfer/src/hadoop-1.0.3/libexec/../logs/hadoop-root-jobtracker-t0.out
root@...alhost's password:
localhost: starting tasktracker, logging to /home/cloudopfer/src/hadoop-1.0.3/libexec/../logs/hadoop-root-tasktracker-t0.out
$ tail -1 /etc/passwd-
10544
Problem:
$ grep tmp src/hadoop-1.0.3/conf/hadoop-env.sh
# The directory where pid files are stored. /tmp by default.
as pointed out by CVE Team:
"Incidentally, it seems that in Hadoop 1.x, only the
HADOOP_PID_DIR setting is affected, but in Hadoop 2.x, both the
HADOOP_PID_DIR and HADOOP_SECURE_DN_PID_DIR settings might be
affected:
http://svn.apache.org/repos/asf/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/conf/hadoop-env.sh
# The directory where pid files are stored. /tmp by default.
export HADOOP_PID_DIR=${HADOOP_PID_DIR}
export HADOOP_SECURE_DN_PID_DIR=${HADOOP_PID_DIR}
"
Solution:
Hadoop Cloud Specialists (lol) should edit conf/hadoop-env and change
the pid file directory to something sane.
Impact:
Low
Timeline:
May 25 - got drunk
May 26 - got drunk
May 27 - MARK -
May 28 - playing around with hadoop
- notified security@
- got reply, clarified things
Jul 01 - get rid of this ;)
Greetings:
To CVE Team!
To srm, Dude!
To the usual suspects
To those, who trust me.
To all who stay real.
Simon
.
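
The following is an added example, not part of the original post and not Hadoop's own code: a shell sketch of the two checks that close this class of bug, vetting the pid directory and refusing to write through a planted symlink. The function names are hypothetical and the victim file is constructed inside a private temp directory.

```shell
#!/bin/sh
# Added example (not Hadoop's code); function names are hypothetical.

# Return 0 only if DIR is a real directory (not a symlink), owned by the
# current user, and not writable by group or others (so not /tmp).
pid_dir_is_safe() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    case $(ls -ld -- "$dir") in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Write PID to FILE. Fails if the directory is unsafe, if FILE is a symlink,
# or if FILE already exists (the caller must remove a stale pid file first).
write_pid_safely() {
    file=$1 pid=$2
    pid_dir_is_safe "$(dirname -- "$file")" || return 1
    [ ! -L "$file" ] || return 1
    # set -C (noclobber): the redirection fails on an existing file, and a
    # missing one is created exclusively, so a dangling symlink is refused too.
    ( set -C; printf '%s\n' "$pid" > "$file" ) 2>/dev/null
}

# Constructed demo: plant a symlink where the pid file should go and confirm
# the write is refused and the link target is left untouched.
demo_planted_symlink() {
    d=$(mktemp -d) || return 1
    echo 'constructed victim content' > "$d/victim"
    ln -s "$d/victim" "$d/hadoop-root-tasktracker.pid"
    if write_pid_safely "$d/hadoop-root-tasktracker.pid" "$$"; then rc=1; else rc=0; fi
    [ "$(cat "$d/victim")" = 'constructed victim content' ] || rc=1
    rm -rf "$d"
    return "$rc"
}

demo_planted_symlink && echo "planted symlink refused, victim file untouched"
```
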