Denial of reality vulnerabilities [LWN.net]

On July 7, the folks at rPath sent out a security update for a pair of kernel vulnerabilities. The update reads, in part:

Previous versions of the kernel package are vulnerable to two denial of service attacks. The first allows any local user to fill up file systems by causing core dumps to write to directories to which they do not have write access permissions.

The bug in question is designated CVE-2006-2451; it was fixed in the 2.6.17.4 kernel release. All kernels since 2.6.13 are vulnerable, but one cannot just rely on the nominal version number: Red Hat helpfully backported this bug into the 2.6.9 kernel shipped with RHEL4.

Reading the description above, some system administrators may feel that there is no particular urgency in applying this update. The risk that a rogue user would fill up a disk with core dump files may seem small, so an update fixing the problem - and which requires a system reboot to be effective - can maybe be deferred for a while. After all, the Linux kernel core dump code takes pains to avoid overwriting files with core dumps, so the real potential for harm is small. It's a denial of service bug.

Except that it's not. All that is required is to create a program containing a string in the format understood by cron, send it over to /etc/cron.d, and use the bug to create a core dump there. Eventually cron will wander along, helpfully pick the line it understands out of the surrounding binary junk, and execute (as root) the commands found there. It is a simple and straightforward local root exploit; an example implementation has been posted to the full-disclosure list.

Paul Starzetz has posted a complaint about the characterization of a fully-exploitable vulnerability as a denial of service problem; he has seen this done with other vulnerabilities as well. He is right. "Denial of service" makes the vulnerability seem less severe, especially if it is only exploitable locally. Those words may cause vulnerabilities to remain open longer by inspiring inaction on both the administrator and distributor sides. If a bug can be exploited for privilege escalation, it should not be described as a denial of service problem.

To its credit, Red Hat (which is where the bug was discovered) notes that the bug could be exploited to gain root privileges. Ubuntu, which closed the vulnerability four days later, says "This could be exploited to drain available disk space on system partitions, or, under some circumstances, to execute arbitrary code with full root privileges." This advisory could use an edit as well: "under some circumstances" makes the exploit seem unlikely or difficult. A more accurate wording would be "if the attacker wants."

Lest it seem that rPath and Ubuntu are receiving too much grief: as of this writing, five days after disclosure, rPath, Ubuntu, and Red Hat are the only distributors to have fixed this problem. They have done the most important part: making an update available. All other distributors who have shipped kernels based on 2.6.13 or later remain vulnerable to a trivial local root exploit. Might this slow response be caused, in part, by the perception that this is a mere local denial of service bug?

As a community, we feel that we have the best security support out there. Vulnerabilities are not hidden, and fixes come promptly. In cases like this one, however, we have let our users down. Presenting an easily exploitable root vulnerability as a denial of service problem is just the sort of obfuscation that we normally try to avoid. And the fact that a number of distributions remain vulnerable is a failure to live up to our own promises. We can - and must - do better than that.

(Log in to post comments)

What of cron?

Posted Jul 13, 2006 14:39 UTC (Thu) by droundy (subscriber, #4559) [Link]

Cron is a trivial example, but there are plenty of programs that execute scripts located in particular directories of /etc (although perhaps not so often), so a bug that allows users to dump files in directories where they have no permissions I would say is inherently a priviledge escalation bug.

Yes, cron could be more careful, but on the other hand, relying on unix permissions to restrict users doesn't seem like an inherent security flaw.

What of cron?

Posted Jul 13, 2006 17:57 UTC (Thu) by spitzak (guest, #4593) [Link]

But most of those programs would get an error on the first "command" it found in the file of garbage and quit at that point, never able to reach the embedded command.

I would think a program that keeps parsing text from the file, ignoring errors no matter how bad they are, is a security hole, as this shows. I would suspect that not just cron is at fault, I would look at every older Unix utility.

What of cron?

Posted Jul 21, 2006 5:59 UTC (Fri) by Cato (subscriber, #7643) [Link]

Exactly - the fact that cron can execute strings found in the middle of core files is a security issue and should be fixed at the same time.

What of cron?

Posted Jul 20, 2006 8:11 UTC (Thu) by robbe (guest, #16131) [Link]

> but there are plenty of programs that execute scripts located in particular
> directories of /etc"

Care to name a few affected programs/services?

Things that execute everything in a directory (e.g. /etc/rcX.d) are not vulnerable, because core files are not executable. I tried feeding one to bash, dash, and zsh all bombed out with errors (bash's being most wise).

There may be programs as stupid as cron, but they should be fixed, if only in the interest of safety (guard against errors).

What of cron?

Posted Jul 13, 2006 14:40 UTC (Thu) by cventers (subscriber, #31465) [Link]

Yeah, it's not the kernel's fault that cron trusts any garbage you throw
at it. So I'd say the _kernel_ problem is a denial of service issue, but
the /distributions/ now have privilege escalation bugs to fix.

What of cron?

Posted Jul 13, 2006 17:55 UTC (Thu) by iabervon (subscriber, #722) [Link]

I'd say it's a privilege escalation kernel exploit to let non-root users write to o+rx o-w directories, generating a root-owned file, even if the filename and much of the contents can't be chosen arbitrarily.

What of cron?

Posted Jul 13, 2006 14:54 UTC (Thu) by Thalience (subscriber, #4217) [Link]

Furthermore, are the core dump files owned by the user, or by root?

If the core file is still owned by the user who ran the program, it seems like a very bad idea for cron to read files not owned by root from /etc/cron.d/.

What of cron?

Posted Jul 13, 2006 15:36 UTC (Thu) by cventers (subscriber, #31465) [Link]

Well, the issue is that prctl() can be used to set your program such that
its core files will be written by root, regardless of who started it.

The rationale behind that was that you might have a program that you want
to be able to debug but that might be handling sensitive data, so prctl()
lets you say "create a core file that _only_ root can read".

So the denial of service thing is definitely true. The cron interaction
just plain sucks.

What of cron?

Posted Jul 13, 2006 18:08 UTC (Thu) by hppnq (guest, #14462) [Link]

Cron gets the username from the filename, not the actual ownership of the file. (At least, on a default Dapper, this happens for files in /var/spool/cron/crontabs, where they end up if edited through crontab -e, for instance. Newer incantations seem to expect a username on the cronjob line.)

If the user "core" does not exist, a crontab -- at least, in /var/spool/cron/crontabs, haven't investigated /etc/cron.d and friends -- called "core" will be ignored by crond and an error message indicating the failure will be logged; otherwise, its jobs, if any, are run as the user core.

So if a user without root privileges can cause core files to be called "root", you're in trouble. On my default Dapper, this cannot be easily done -- but YMMV. ;-)

Oh, and yes, my Dapper also checks whether the file owner is actually the user indicated by the crontab filename. Phew. ;-)

What of cron?

Posted Jul 13, 2006 18:11 UTC (Thu) by corbet (editor, #1) [Link]

/etc/cron.d is a very different place, it has nothing to do with per-user crontabs at all.

What of cron?

Posted Jul 13, 2006 18:26 UTC (Thu) by hppnq (guest, #14462) [Link]

Yes, that's what I meant. I just didn't investigate whether cron works as designed in that case. ;-)

(By the way, I did not mean to make the problem look any less serious than it is, though. Patch!)

What of cron?

Posted Jul 13, 2006 19:31 UTC (Thu) by hppnq (guest, #14462) [Link]

I just didn't investigate whether cron works as designed in that case.

Yup, it does. So also in the /etc/cron.d case, a cracker would at least need to be able to manipulate the core dump's filename as well. Which requires root privileges on my system.

Again, this bug is trivially exploitable. But not by just dumping core in /etc/cron.d.

What of cron?

Posted Jul 14, 2006 5:23 UTC (Fri) by hppnq (guest, #14462) [Link]

[Nice, my own thread.]

Well, investigating a bit more turns up that indeed, dumping core in /etc/cron.d is sufficient: cron really doesn't care at all what files are called in /etc/cron.d. OMG. OMG. OMG. Jon, you were right as always.

(But really, cron's security model is *unbelievably* stupid.)

What of cron?

Posted Jul 19, 2006 7:25 UTC (Wed) by hein.zelle (guest, #33324) [Link]

Has this behaviour of cron led to any separate security advisories / fixes yet?

What of cron?

Posted Jul 20, 2006 7:59 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

Perhaps part of the problem here is just that too many privileges are
given to system tasks by default. Capability (as in EROS etc) fans would
certainly say so, but I think that even the possibilities available in a
standard Linux system are not being fully utilised.

For instance: a cron job to process man pages does not have to run as
root. If the ownership of the man pages is set to user "man", that job
can be run setuid man. cron itself can run setuid - to something which
only has the privileges to execute those setuid cron scripts.

I think the same could be applied to a lot of system daemons and would
result in a somewhat safer system. How many processes really need to run
with root privileges? Most just need access to a subset of files.