COMMAND
cfengine
SYSTEMS AFFECTED
Every recent version except 1.6.0a11, released on 1st Oct 2000
PROBLEM
Pekka Savola found the following. The cfd daemon in GNU cfengine
contains several format string vulnerabilities in its syslog()
calls. Anyone, or, if access controls are in use, any accepted
host, can send the network daemon a message that causes a
segmentation fault. As cfd is almost always run as root due to its
nature (centralized configuration management etc.), this can be
quite lethal and lead to a root compromise.
1.5.x and 1.6.0a10 were tested on Red Hat Linux; however, cfengine
is not part of Red Hat Linux or Powertools. Debian, at least,
includes cfengine as a package.
Pekka tried to reproduce this on FreeBSD 3.4 or 4.1 without luck;
he wouldn't be surprised if it were exploitable one way or another
there too.
If access controls are used in cfd.conf or equivalent (this is not
the default), the attacker must first have access to an allowed
system. Spoofing would probably also yield similar results; the
fact that there need not be any reply from the server makes it
easier. A segmentation fault can be induced as follows:
$ telnet cfdserver 5308
Trying x.y.z.w...
Connected to cfdserver.some.domain.
Escape character is '^]'.
CAUTH 1.1.1.1 myhostname root %s%s%s%s%s%s%s%s
^]
telnet> quit
Connection closed.
where 1.1.1.1 is your IP address and myhostname is some resolvable
hostname. A longer string of %s's can also be used if that
doesn't produce good results.
If the %s string is not long enough, a line like the following
will be syslogged; this doesn't look good:
cfdserver cfd[11330]: Reverse hostname lookup failed, host
claiming to be 1.1.1.1 myhostname root
cfdserver.some.domain(null)1.1.1.1 nev^M was 1.1.1.1 s%s%s^M
^Aû½^QÀØÀôü¿0¼^D^HÀj ^Húì¿^Hý¿Àj
In the end, cfd dies in a segmentation fault.
As the %s%s%s string can be set freely and is passed almost
unchecked, as-is, to syslog(), it shouldn't be too difficult for
Joe Hacker to exploit this. Other components of cfengine use the
same logging functions, so a local root exploit could also be
possible, but those aren't as interesting as this and will be fixed
at the same time.
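To make the bug class concrete, here is an added example (not cfengine's own code) that reproduces cfd's logging pattern with snprintf() in place of syslog(): the vulnerable call beside a hardened one, plus a small check that flags client-supplied text carrying conversion specifiers. VFQNAME, log_unsafe, log_safe and count_conversions are constructed names for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for cfengine's VFQNAME global (the daemon's
 * host name), which cfd passed as the sole syslog() argument. */
static const char *VFQNAME = "cfdserver.some.domain";

/* Vulnerable pattern, modelled on syslog(LOG_ERR, string, VFQNAME):
 * the message itself is the format string, so any conversion the
 * client put into its CAUTH line is honoured.  snprintf() stands in
 * for syslog() so the result can be inspected.  Only inputs with at
 * most one %s are passed here; a second one would read an argument
 * that does not exist (undefined behaviour, which is how cfd died). */
int log_unsafe(char *out, size_t outlen, const char *string)
{
    const char *fmt = string;            /* untrusted data as format */
    return snprintf(out, outlen, fmt, VFQNAME);
}

/* Hardened pattern: fixed format, the message is only ever data.  The
 * host name is appended explicitly, so nothing is lost by no longer
 * interpreting a %s inside the message. */
int log_safe(char *out, size_t outlen, const char *string)
{
    return snprintf(out, outlen, "%s (host %s)", string, VFQNAME);
}

/* Count printf conversions (a '%' not followed by another '%').
 * Handy for flagging client-supplied text, such as the CAUTH line
 * quoted in the advisory, that should never contain any. */
int count_conversions(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') { s += 2; continue; }   /* literal percent */
        n++;
        s++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    log_unsafe(buf, sizeof buf, "claiming to be 1.1.1.1 myhostname root %s");
    printf("unsafe: %s\n", buf);
    log_safe(buf, sizeof buf, "claiming to be 1.1.1.1 myhostname root %s");
    printf("safe:   %s\n", buf);
    return 0;
}
```

The unsafe path shows why cfd passed VFQNAME at all (a trusted message template can carry the host name) and why that stops being safe the moment the template is client text.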
SOLUTION
A different fix was applied to the newly released 1.6.0.a11 (alpha
version). There is an impression that there isn't going to be an
official fix for the 1.5.x releases.
The workaround is to enable access controls in cfd.conf and/or to
firewall off TCP port 5308. These can't be considered _good_
workarounds, as users on the local network and legitimate hosts can
still exploit the service.
The "standard" patch to the syslog calls is included below. It
applies quite cleanly to both 1.5.x and 1.6.0aXX.
diff -uNr cfengine-1.6.0.a10.orig/src/log.c cfengine-1.6.0.a10/src/log.c
--- cfengine-1.6.0.a10.orig/src/log.c Wed Sep 6 14:43:03 2000
+++ cfengine-1.6.0.a10/src/log.c Sun Oct 1 20:09:09 2000
@@ -71,12 +71,12 @@
if (LOGGING && IsPrivileged())
{
- syslog(LOG_ERR,string,VFQNAME);
+ syslog(LOG_ERR,"%s",string,VFQNAME);
if (strlen(errstr) != 0)
{
- syslog(LOG_ERR,errstr,VFQNAME);
- syslog(LOG_ERR,strerror(errno),VFQNAME);
+ syslog(LOG_ERR,"%s",errstr,VFQNAME);
+ syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
}
}
break;
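Review bot: the "%s" format fixes the vulnerability in all three calls, but VFQNAME is left as a dead trailing argument, and any message in string or errstr that used a %s to carry the host name now logs a literal "%s" instead (the "(null)" and "%s" fragments in the advisory's log sample show how that reads). Either drop VFQNAME from these calls or append it in the fixed format, e.g. `syslog(LOG_ERR,"%s %s",string,VFQNAME);`, so that string stays strictly data and no information is lost.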
@@ -110,11 +110,11 @@
case cflogonly:
if (LOGGING && IsPrivileged())
{
- syslog(LOG_INFO,string,VFQNAME);
+ syslog(LOG_INFO,"%s",string,VFQNAME);
if ((errstr == NULL) || (strlen(errstr) > 0))
{
- syslog(LOG_ERR,errstr,VFQNAME);
+ syslog(LOG_ERR,"%s",errstr,VFQNAME);
}
}
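Review bot: the unchanged condition `if ((errstr == NULL) || (strlen(errstr) > 0))` still reaches syslog() when errstr is NULL, so the new `syslog(LOG_ERR,"%s",errstr,VFQNAME);` hands a null pointer to %s; glibc prints "(null)" (visible in the advisory's log sample) but other libcs will crash. The test also looks inverted relative to the first hunk's `strlen(errstr) != 0`; suggest `if (errstr != NULL && strlen(errstr) > 0)`.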
@@ -125,7 +125,7 @@
if (LOGGING && IsPrivileged())
{
- syslog(LOG_ERR,string,VFQNAME);
+ syslog(LOG_ERR,"%s",string,VFQNAME);
}
if (string[strlen(string)-1] != '\n')
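Review bot: in the trailing context, `if (string[strlen(string)-1] != '\n')` indexes position -1 when string is empty; guard the test with `strlen(string) > 0` before reading the last character.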
@@ -141,8 +141,8 @@
if (LOGGING && IsPrivileged())
{
- syslog(LOG_ERR,errstr,VFQNAME);
- syslog(LOG_ERR,strerror(errno),VFQNAME);
+ syslog(LOG_ERR,"%s",errstr,VFQNAME);
+ syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);
}
}
return;
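Review bot: `syslog(LOG_ERR,"%s",strerror(errno),VFQNAME);` evaluates errno after the preceding syslog() call, which may itself have changed it, so the logged error text can belong to the wrong failure (the same ordering appears in the first hunk). Save errno into a local before the first syslog() and pass `strerror(saved_errno)`.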
For SuSE Linux:
i386:
SuSE-7.0: ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/cfengine-1.5.4-82.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/cfengine-1.5.4-82.src.rpm
SuSE-6.4: ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/cfengine-1.5.4-82.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/cfengine-1.5.4-82.src.rpm
SuSE-6.3: ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/cfengine-1.5.4-82.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/cfengine-1.5.4-82.src.rpm
SuSE-6.2: ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/cfengine-1.5.4-82.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/cfengine-1.5.4-82.src.rpm
SuSE-6.1: ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/cfengine-1.5.4-82.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/cfengine-1.5.4-82.src.rpm
SuSE-6.0: please use the update packages for the SuSE-6.1 distribution.
SuSE-5.3: ftp://ftp.suse.com/pub/suse/i386/update/5.3/ap1/cfengine-1.5.4-87.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/5.3/zq1/cfengine-1.5.4-87.src.rpm
sparc:
SuSE-7.0: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/ap1/cfengine-1.5.4-83.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/cfengine-1.5.4-83.src.rpm
axp (alpha):
SuSE-6.4: ftp://ftp.suse.com/pub/suse/axp/update/6.4/ap1/cfengine-1.5.4-82.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/cfengine-1.5.4-82.src.rpm
SuSE-6.3: Please use the update packages for the SuSE-6.4 distribution.
SuSE-6.1: ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/cfengine-1.5.4-84.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/cfengine-1.5.4-84.src.rpm
ppc:
SuSE-7.0: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/ap1/cfengine-1.5.4-85.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/cfengine-1.5.4-85.src.rpm
SuSE-6.4: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/cfengine-1.5.4-82.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/cfengine-1.5.4-82.src.rpm
For Linux-Mandrake:
Linux-Mandrake 7.1: 7.1/RPMS/cfengine-1.5.4-5mdk.i586.rpm
7.1/SRPMS/cfengine-1.5.4-5mdk.src.rpm
Precompiled binary packages of cfengine for some NetBSD ports are
available from:
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/sysutils/cfengine/README.html
If no precompiled binary is available for your platform, you can
build your own from source. First, make sure that you have a
version of the pkgsrc hierarchy from 2nd October 2000 or later.