[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1362899838.4508.9.camel@pi3-darkstar>
Date: Sun, 10 Mar 2013 08:17:17 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: full-disclosure@...ts.grok.org.uk, oss-security@...ts.openwall.com
Cc: secalert <secalert@...urityreason.pl>
Subject: Multiple SQL Injection vulnerabilities in Disk
Pool Manager (DPM)
Name: Multiple SQL Injection vulnerabilities in
Disk Pool Manager (DPM)
Author: Adam Zabrocki (<pi3@....com.pl>)
Date: November 27, 2009 (Yes, it's very old bug ;P)
Description:
LCG Disk Pool Manager (DPM) has been developed as part of the
LCG
project to provide a light-weight implementation of an SRM compliant
Storage Element (SE). Since gLite 3.0 it is a standard gLite component,
distributed and maintained as part of the gLite release. It has been
developed at European Organization for Nuclear Research (CERN).
DPM is a disk only SE, instead of a disk + MSS implementation like
dCache or Castor. It may act as a replacement for the deprecated classic
SE with the following advantages :
- SRM interface (both v1.1 and v2.2)
- Better scalability : DPM is allow to manage 100+ TB distributing the
load over several servers
- High performances
- Light-weight management
DPM is commonly used in most of the GRID projects including CERN WLCG,
EGEE, ..., etc.
Details:
A multiple SQL Injection vulnerability has been found in Disk
Pool
Manager (DPM). Please read following details:
"./srmv2.2/srmv2_xferreq.c"
int
ns1__srmGetRequestSummary (struct soap *soap,
struct ns1__srmGetRequestSummaryRequest *req,
struct ns1__srmGetRequestSummaryResponse_ *rep)
{
...
char *r_token;
...
...
...
for (i = 0; i < nbtokens; i++) {
...
r_token = req->arrayOfRequestTokens->stringArray[i];
if (strlen (r_token) > CA_MAXDPMTOKENLEN) {
reptokenp->status->statusCode =
SRM_USCOREINVALID_USCOREREQUEST;
reptokenp->status->explanation =
soap_strdup (soap, "Invalid request token");
nb_errors++;
continue;
}
if (dpm_getonereqsummary (thip, r_token, &r_type,
&r_status,
&nbreqfiles, &nb_queued, &nb_progress, &nb_failed) <
0) {
...
...
}
...
...
}
...
...
}
This function is responsible fo reading and parsing requests. If length
of "r_token"
variable is not greather than CA_MAXDPMTOKENLEN function
dpm_getonereqsummary() is called:
"dpm/dpm_procsubr.c"
dpm_getonereqsummary (thip, r_token, r_type, r_status, nbreqfiles,
nb_queued, nb_progress, nb_failed)
struct dpm_srv_thread_info *thip;
char *r_token;
char *r_type;
int *r_status;
int *nbreqfiles;
int *nb_queued;
int *nb_progress;
int *nb_failed;
{
...
...
if (dpm_get_pending_req_by_token (&thip->dbfd, r_token,
&dpm_req, 0, NULL) < 0 &&
dpm_get_req_by_token (&thip->dbfd, r_token, &dpm_req, 0,
NULL) < 0)
return (-1);
...
...
}
... and:
"dpm/dpm_mysql_ifce.c"
dpm_get_pending_req_by_token(dbfd, r_token, dpm_req, lock, rec_addr)
struct dpm_dbfd *dbfd;
char *r_token;
struct dpm_req *dpm_req;
int lock;
dpm_dbrec_addr *rec_addr;
{
char func[29];
static char query[] =
"SELECT \
R_ORDINAL, R_TOKEN, R_UID, \
R_GID, CLIENT_DN, CLIENTHOST, \
R_TYPE, U_TOKEN, \
FLAGS, RETRYTIME, NBREQFILES, \
CTIME, STIME, ETIME, \
STATUS, ERRSTRING, GROUPS \
FROM dpm_pending_req \
WHERE r_token = '%s'";
static char query4upd[] =
"SELECT ROWID, \
R_ORDINAL, R_TOKEN, R_UID, \
R_GID, CLIENT_DN, CLIENTHOST, \
R_TYPE, U_TOKEN, \
FLAGS, RETRYTIME, NBREQFILES, \
CTIME, STIME, ETIME, \
STATUS, ERRSTRING, GROUPS \
FROM dpm_pending_req \
WHERE r_token = '%s' \
FOR UPDATE";
MYSQL_RES *res;
MYSQL_ROW row;
char sql_stmt[1024];
MYSQL_RES *res;
MYSQL_ROW row;
char sql_stmt[1024];
strcpy (func, "dpm_get_pending_req_by_token");
sprintf (sql_stmt, lock ? query4upd : query, r_token);
if (dpm_exec_query (func, dbfd, sql_stmt, &res))
return (-1);
...
...
}
This function creates a query to the MySQL Database - DPM supports three
different databases: MySQL, PostgreSQL and Oracle. In this advisory
I'm focused on MySQL database. This vulnerability may be in all
supported databases. I haven't analyzed all the code.
Variable 'r_token' isn't verified at all so SQL Injection attack is
possible. Anyone with a certificate from a recognised CA can access
the SRM interface so it is a serious vulnerability.
SQL Injection exists not only in dpm_get_pending_req_by_token()
function.
Please read following list of functions which don't check inputs too:
Function dpm_get_cpr_by_fullid() doesn't check 'r_token'
Function dpm_get_cpr_by_surl() doesn't check 'r_token', 'surl'
Function dpm_get_cpr_by_surls() doesn't check 'r_token', 'to_surl'
Function dpm_get_gfr_by_fullid() doesn't check 'r_token'
Function dpm_get_gfr_by_surl() doesn't check 'r_token'
Function dpm_get_pending_req_by_token() doesn't check 'r_token'
Function dpm_get_pending_reqs_by_u_desc() doesn't check 'u_token'
Function dpm_get_pfr_by_fullid() doesn't check 'r_token'
Function dpm_get_pfr_by_surl() doesn't check 'r_token'
Function dpm_get_pool_entry() doesn't check 'poolname' variable but
admin required so it isn't important.
Function dpm_get_req_by_token() doesn't check 'r_token'
Function dpm_get_reqs_by_u_desc() doesn't check 'u_token'
Function dpm_get_spcmd_by_token() doesn't check 's_token'
Function dpm_get_spcmd_by_u_desc() doesn't check 'u_token'
Function dpm_insert_cpr_entry() doesn't check variable 's_token',
'r_token'.
Function dpm_insert_fs_entry() doesn't check 'poolname' variable but
admin required so it isn't important.
Function dpm_insert_gfr_entry() doesn't check variable 's_token',
'r_token'.
Function dpm_insert_pending_entry() doesn't check variable 'u_token',
'r_token'.
Function dpm_insert_pfr_entry() doesn't check variable 's_token',
'r_token'.
Function dpm_insert_pool_entry() doesn't check 'poolname' variable but
admin required so it isn't important.
Function dpm_insert_spcmd_entry() doesn't check variable 's_token',
'u_token' and (not important)
'poolname' - admin required.
Functino dpm_insert_xferreq_entry() doesn't check variable 'u_token',
'r_token'.
Function dpm_list_cpr_entry() doesn't check 'r_token'
Functino dpm_list_fs_entry() doesn't check 'poolname' variable but
admin required so it isn't important.
Function dpm_list_gfr_entry() doesn't check 'r_token'
Function dpm_list_pfr_entry() doesn't check 'r_token'
Function dpm_update_cpr_entry() doesn't check 's_token'
Function dpm_update_gfr_entry() doesn't check 's_token'
Function dpm_update_pfr_entry() doesn't check 's_token'
Function dpm_update_spcmd_entry() doesn't check 'poolname' variable but
admin required so it isn't important.
Proof of concept
$ ./srm2_testGetRequestStatus srm://vmgdda0013.cern.ch:8446/ \'
request status SRM_FAILURE
request state 1
explanation: Failed for all tokens
request summaryArray 1
======= Begin Request ========
Request token: '
state[0]: 14 SRM_INTERNAL_ERROR
$
Please read following dump of SRM log file:
07/23 18:01:50.330 9720,0 dpm_get_pending_req_by_token: mysql_query
error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''''' at line 1
07/23 18:01:50.330 9720,0 dpm_get_req_by_token: mysql_query error: You
have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near ''''' at line
1
07/23 18:01:50.330 9720,0 GetRequestSummary: returns 0,
statusCode=SRM_FAILURE
Here is strace output from the SRMv2.2 process:
poll([{fd=7, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(7, "\335\0\0\0\3SELECT \t\t R_ORDINAL, R_TOKEN, R_UID, \t\t R_GID,
CLIENT_DN, CLIENTHOST, \t\t R_TYPE, U_TOKEN, \t\t FLAGS, RETRYTIME,
NBREQFILES, \t\t CTIME, STIME, ETIME, \t\t STATUS, ERRSTRING, GROUPS
\t\tFROM dpm_pending_req \t\tWHERE r_token = '''", 225) = 225
read(7, "\236\0\0\1\377(\4#42000You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near ''''' at line 1", 16384) = 162
gettimeofday({1311434508, 295920}, NULL) = 0
open("/var/log/srmv2.2/log", O_WRONLY|O_CREAT|O_APPEND, 0664) = 8
write(8, "07/23 17:21:48.295 9720,0 dpm_get_pending_req_by_token:
mysql_query error: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ''''' at line 1\n", 226) = 226
close(8) = 0
poll([{fd=7, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(7, "\325\0\0\0\3SELECT \t\t R_ORDINAL, R_TOKEN, R_UID, \t\t R_GID,
CLIENT_DN, CLIENTHOST, \t\t R_TYPE, U_TOKEN, \t\t FLAGS, RETRYTIME,
NBREQFILES, \t\t CTIME, STIME, ETIME, \t\t STATUS, ERRSTRING, GROUPS
\t\tFROM dpm_req \t\tWHERE r_token = '''", 217) = 217
read(7, "\236\0\0\1\377(\4#42000You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near ''''' at line 1", 16384) = 162
gettimeofday({1311434508, 296597}, NULL) = 0
open("/var/log/srmv2.2/log", O_WRONLY|O_CREAT|O_APPEND, 0664) = 8
write(8, "07/23 17:21:48.296 9720,0 dpm_get_req_by_token: mysql_query
error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
nea r ''''' at line 1\n", 218) = 218
close(8) = 0
gettimeofday({1311434508, 296942}, NULL) = 0
open("/var/log/srmv2.2/log", O_WRONLY|O_CREAT|O_APPEND, 0664) = 8
write(8, "07/23 17:21:48.296 9720,0 GetRequestSummary: returns 0,
statusCode=SRM_FAILURE\n", 80) = 80
close(8) = 0
And here is strace from the MySQL process:
read(31, "\3SELECT \t\t R_ORDINAL, R_TOKEN, R_UID, \t\t R_GID, CLIENT_DN
, CLIENTHOST, \t\t R_TYPE, U_TOKEN, \t\t FLAGS, RETRYTIME, NBREQFILES,
\t\t CTIME, STIME, ETIME, \t\t STATUS, ERRSTRING, GROUPS \t\tFROM
dpm_pending_req \t\tWHERE r_token = '''", 221) = 221
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [HUP INT QUIT PIPE ALRM TERM
TSTP], 8) = 0
rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT PIPE ALRM TERM TSTP], NULL, 8)
= 0
fcntl(31, F_SETFL, O_RDWR|O_NONBLOCK) = 0
time([1311436910]) = 1311436910
sched_setscheduler(15280, SCHED_OTHER, { 6 }) = -1 EINVAL (Invalid
argument)
sched_setscheduler(15280, SCHED_OTHER, { 8 }) = -1 EINVAL (Invalid
argument)
write(31, "\236\0\0\1\377(\4#42000You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near ''''' at line 1", 162) = 162
time([1311436910]) = 1311436910
read(31, 0x1f7ae9b0, 4) = -1 EAGAIN (Resource
temporarily unavailable)
time(NULL) = 1311436910
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [HUP INT QUIT PIPE ALRM TERM
TSTP], 8) = 0
rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT PIPE ALRM TERM TSTP], NULL, 8)
= 0
fcntl(31, F_SETFL, O_RDWR) = 0
read(31, "\325\0\0\0", 4) = 4
read(31, "\3SELECT \t\t R_ORDINAL, R_TOKEN, R_UID, \t\t R_GID, CLIENT_DN
, CLIENTHOST, \t\t R_TYPE, U_TOKEN, \t\t FLAGS, RETRYTIME, NBREQFILES,
\t\t CTIME, STIME, ETIME, \t\t STATUS, ERRSTRING, GROUPS \t\tFROM
dpm_req \t\tWHERE r_token = '''", 213) = 213
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [HUP INT QUIT PIPE ALRM TERM
TSTP], 8) = 0
rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT PIPE ALRM TERM TSTP], NULL, 8)
= 0
fcntl(31, F_SETFL, O_RDWR|O_NONBLOCK) = 0
time([1311436910]) = 1311436910
sched_setscheduler(15280, SCHED_OTHER, { 6 }) = -1 EINVAL (Invalid
argument)
sched_setscheduler(15280, SCHED_OTHER, { 8 }) = -1 EINVAL (Invalid
argument)
write(31, "\236\0\0\1\377(\4#42000You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near ''''' at line 1", 162) = 162
time([1311436910]) = 1311436910
read(31, 0x1f7ae9b0, 4) = -1 EAGAIN (Resource
temporarily unavailable)
Affected Software:
All versions of Disk Pool Manager (DPM) below 1.8.6 version are
affected.
1.8.6 was released 19th of February 2013.
Greets
+) David Smith - for testing infrastructures and other helps not only
at this topic.
References
1) https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-2683
2) http://site.pi3.com.pl/adv/disk_pool_manager_1.txt
3) http://blog.pi3.com.pl/?p=402
Timeline
2009-11-27 - Found vulnerability.
2011-08-03 - Vulnerability officialy reported.
2013-02-19 - Updated packages available in the EGI UMD-1 and EGI UMD-2.
2013-03-05 - Public disclosure on vendor's wiki, after allowing sites to
upgrade
(https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-2683)
2013-03-10 - Release of this advisory.
Best regards,
Adam Zabrocki
--
http://pi3.com.pl
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists