Denial of reality vulnerabilities

[Posted July 12, 2006 by corbet]

On July 7, the folks at rPath sent out a security update for a pair of kernel vulnerabilities. The update reads, in part:

Previous versions of the kernel package are vulnerable to two denial of service attacks. The first allows any local user to fill up file systems by causing core dumps to write to directories to which they do not have write access permissions.

The bug in question is designated CVE-2006-2451; it was fixed in the 2.6.17.4 kernel release. All kernels since 2.6.13 are vulnerable, but one cannot just rely on the nominal version number: Red Hat helpfully backported this bug into the 2.6.9 kernel shipped with RHEL4.

Reading the description above, some system administrators may feel that there is no particular urgency in applying this update. The risk that a rogue user would fill up a disk with core dump files may seem small, so an update fixing the problem - and which requires a system reboot to be effective - can maybe be deferred for a while. After all, the Linux kernel core dump code takes pains to avoid overwriting files with core dumps, so the real potential for harm is small. It's a denial of service bug.

Except that it's not. All that is required is to create a program containing a string in the format understood by cron, send it over to /etc/cron.d, and use the bug to create a core dump there. Eventually cron will wander along, helpfully pick the line it understands out of the surrounding binary junk, and execute (as root) the commands found there. It is a simple and straightforward local root exploit; an example implementation has been posted to the full-disclosure list.

Paul Starzetz has posted a complaint about the characterization of a fully-exploitable vulnerability as a denial of service problem; he has seen this done with other vulnerabilities as well. He is right. "Denial of service" makes the vulnerability seem less severe, especially if it is only exploitable locally. Those words may cause vulnerabilities to remain open longer by inspiring inaction on both the administrator and distributor sides. If a bug can be exploited for privilege escalation, it should not be described as a denial of service problem.

To its credit, Red Hat (which is where the bug was discovered) notes that the bug could be exploited to gain root privileges. Ubuntu, which closed the vulnerability four days later, says "This could be exploited to drain available disk space on system partitions, or, under some circumstances, to execute arbitrary code with full root privileges." This advisory could use an edit as well: "under some circumstances" makes the exploit seem unlikely or difficult. A more accurate wording would be "if the attacker wants."

Lest it seem that rPath and Ubuntu are receiving too much grief: as of this writing, five days after disclosure, rPath, Ubuntu, and Red Hat are the only distributors to have fixed this problem. They have done the most important part: making an update available. All other distributors who have shipped kernels based on 2.6.13 or later remain vulnerable to a trivial local root exploit. Might this slow response be caused, in part, by the perception that this is a mere local denial of service bug?

As a community, we feel that we have the best security support out there. Vulnerabilities are not hidden, and fixes come promptly. In cases like this one, however, we have let our users down. Presenting an easily exploitable root vulnerability as a denial of service problem is just the sort of obfuscation that we normally try to avoid. And the fact that a number of distributions remain vulnerable is a failure to live up to our own promises. We can - and must - do better than that.

Index entries for this article
Kernel	Security/Vulnerabilities

Denial of reality vulnerabilities

Posted Jul 13, 2006 6:49 UTC (Thu) by dune73 (guest, #17225) [Link] (1 responses)

Good journalism puts the finger where it hurts. This is an example of good journalism. Thanks.

Denial of reality vulnerabilities

Posted Jul 24, 2006 9:19 UTC (Mon) by csamuel (✭ supporter ✭, #2624) [Link]

Hear hear! Well said JC..

Timeline

Posted Jul 13, 2006 7:25 UTC (Thu) by mjcox@redhat.com (guest, #31775) [Link]

To clarify on the article text here is the timeline of discovery

19 June 2006: Red Hat security team first aware of issue.

21 June 2006: Red Hat notified kernel security team and vendor-sec (private list which other Linux vendors security teams take part in) under embargo. We gave our working exploit showing this was a privilege escalation flaw to these groups.

06 July 2006: Embargo lifted

Denial of reality vulnerabilities

Posted Jul 13, 2006 9:30 UTC (Thu) by cjwatson (subscriber, #7322) [Link]

Martin Pitt's improved the Ubuntu advisory text now at http://www.ubuntu.com/usn/usn-311-1, although it's too late to fix the e-mail.

Denial of reality vulnerabilities

Posted Jul 13, 2006 10:24 UTC (Thu) by tres (guest, #352) [Link] (1 responses)

Gentoo appears to be fixed. CVS Changelog entries:
http://www.gentoo.org/cgi-bin/viewcvs.cgi/sys-kernel/gent...

Denial of reality vulnerabilities

Posted Jul 13, 2006 10:28 UTC (Thu) by tres (guest, #352) [Link]

Actually it appears to have been fixed almost a week ago. Right about the time of disclosure.

Thu Jul 6 23:33:57 2006 UTC (6 days, 10 hours ago) by dsd
Update to Linux 2.6.16.24 for coredump privilege escalation security fix

Fri Jul 7 10:20:12 2006 UTC (5 days, 23 hours ago) by dsd
Update to Linux 2.6.17.4 for coredump privilege escalation security fix

Debian

Posted Jul 13, 2006 12:32 UTC (Thu) by paravoid (subscriber, #32869) [Link]

Debian's stable is unaffected by this issue (2.6.8 without a backported bug).
testing (etch)/unstable's 2.6.16/17 are both vulnerable, not for long I presume.

What of cron?

Posted Jul 13, 2006 14:19 UTC (Thu) by lysse (guest, #3190) [Link] (15 responses)

Perhaps I'm missing something here, but couldn't it be regarded as a bug in cron that it doesn't do a basic sanity check on its configuration files, to ensure that they are actually text files...? In which case, what turns the security problem from a DoS into an easy root-hole is the interaction of two bugs, rather than either bug in isolation... ouch.

What of cron?

Posted Jul 13, 2006 14:39 UTC (Thu) by droundy (guest, #4559) [Link] (3 responses)

Cron is a trivial example, but there are plenty of programs that execute scripts located in particular directories of /etc (although perhaps not so often), so a bug that allows users to dump files in directories where they have no permissions I would say is inherently a priviledge escalation bug.

Yes, cron could be more careful, but on the other hand, relying on unix permissions to restrict users doesn't seem like an inherent security flaw.

What of cron?

Posted Jul 13, 2006 17:57 UTC (Thu) by spitzak (guest, #4593) [Link] (1 responses)

But most of those programs would get an error on the first "command" it found in the file of garbage and quit at that point, never able to reach the embedded command.

I would think a program that keeps parsing text from the file, ignoring errors no matter how bad they are, is a security hole, as this shows. I would suspect that not just cron is at fault, I would look at every older Unix utility.

What of cron?

Posted Jul 21, 2006 5:59 UTC (Fri) by Cato (guest, #7643) [Link]

Exactly - the fact that cron can execute strings found in the middle of core files is a security issue and should be fixed at the same time.

What of cron?

Posted Jul 20, 2006 8:11 UTC (Thu) by robbe (guest, #16131) [Link]

> but there are plenty of programs that execute scripts located in particular
> directories of /etc"

Care to name a few affected programs/services?

Things that execute everything in a directory (e.g. /etc/rcX.d) are not vulnerable, because core files are not executable. I tried feeding one to bash, dash, and zsh all bombed out with errors (bash's being most wise).

There may be programs as stupid as cron, but they should be fixed, if only in the interest of safety (guard against errors).

What of cron?

Posted Jul 13, 2006 14:40 UTC (Thu) by cventers (guest, #31465) [Link] (1 responses)

Yeah, it's not the kernel's fault that cron trusts any garbage you throw
at it. So I'd say the _kernel_ problem is a denial of service issue, but
the /distributions/ now have privilege escalation bugs to fix.

What of cron?

Posted Jul 13, 2006 17:55 UTC (Thu) by iabervon (subscriber, #722) [Link]

I'd say it's a privilege escalation kernel exploit to let non-root users write to o+rx o-w directories, generating a root-owned file, even if the filename and much of the contents can't be chosen arbitrarily.

What of cron?

Posted Jul 13, 2006 14:54 UTC (Thu) by Thalience (subscriber, #4217) [Link] (7 responses)

Furthermore, are the core dump files owned by the user, or by root?

If the core file is still owned by the user who ran the program, it seems like a very bad idea for cron to read files not owned by root from /etc/cron.d/.

What of cron?

Posted Jul 13, 2006 15:36 UTC (Thu) by cventers (guest, #31465) [Link] (6 responses)

Well, the issue is that prctl() can be used to set your program such that
its core files will be written by root, regardless of who started it.

The rationale behind that was that you might have a program that you want
to be able to debug but that might be handling sensitive data, so prctl()
lets you say "create a core file that _only_ root can read".

So the denial of service thing is definitely true. The cron interaction
just plain sucks.

What of cron?

Posted Jul 13, 2006 18:08 UTC (Thu) by hppnq (guest, #14462) [Link] (5 responses)

Cron gets the username from the filename, not the actual ownership of the file. (At least, on a default Dapper, this happens for files in /var/spool/cron/crontabs, where they end up if edited through crontab -e, for instance. Newer incantations seem to expect a username on the cronjob line.)

If the user "core" does not exist, a crontab -- at least, in /var/spool/cron/crontabs, haven't investigated /etc/cron.d and friends -- called "core" will be ignored by crond and an error message indicating the failure will be logged; otherwise, its jobs, if any, are run as the user core.

So if a user without root privileges can cause core files to be called "root", you're in trouble. On my default Dapper, this cannot be easily done -- but YMMV. ;-)

Oh, and yes, my Dapper also checks whether the file owner is actually the user indicated by the crontab filename. Phew. ;-)

What of cron?

Posted Jul 13, 2006 18:11 UTC (Thu) by corbet (editor, #1) [Link] (4 responses)

/etc/cron.d is a very different place, it has nothing to do with per-user crontabs at all.

What of cron?

Posted Jul 13, 2006 18:26 UTC (Thu) by hppnq (guest, #14462) [Link] (3 responses)

Yes, that's what I meant. I just didn't investigate whether cron works as designed in that case. ;-)

(By the way, I did not mean to make the problem look any less serious than it is, though. Patch!)

What of cron?

Posted Jul 13, 2006 19:31 UTC (Thu) by hppnq (guest, #14462) [Link] (2 responses)

I just didn't investigate whether cron works as designed in that case.

Yup, it does. So also in the /etc/cron.d case, a cracker would at least need to be able to manipulate the core dump's filename as well. Which requires root privileges on my system.

Again, this bug is trivially exploitable. But not by just dumping core in /etc/cron.d.

What of cron?

Posted Jul 14, 2006 5:23 UTC (Fri) by hppnq (guest, #14462) [Link] (1 responses)

[Nice, my own thread.]

Well, investigating a bit more turns up that indeed, dumping core in /etc/cron.d is sufficient: cron really doesn't care at all what files are called in /etc/cron.d. OMG. OMG. OMG. Jon, you were right as always.

(But really, cron's security model is *unbelievably* stupid.)

What of cron?

Posted Jul 19, 2006 7:25 UTC (Wed) by hein.zelle (guest, #33324) [Link]

Has this behaviour of cron led to any separate security advisories / fixes yet?

What of cron?

Posted Jul 20, 2006 7:59 UTC (Thu) by mjthayer (guest, #39183) [Link]

Perhaps part of the problem here is just that too many privileges are
given to system tasks by default. Capability (as in EROS etc) fans would
certainly say so, but I think that even the possibilities available in a
standard Linux system are not being fully utilised.

For instance: a cron job to process man pages does not have to run as
root. If the ownership of the man pages is set to user "man", that job
can be run setuid man. cron itself can run setuid - to something which
only has the privileges to execute those setuid cron scripts.

I think the same could be applied to a lot of system daemons and would
result in a somewhat safer system. How many processes really need to run
with root privileges? Most just need access to a subset of files.

Exploited

Posted Jul 13, 2006 18:15 UTC (Thu) by mp (subscriber, #5615) [Link]

Apparently this very vulnerability was used to gain root access in the recent compromise of gluck.debian.org.
http://lists.debian.org/debian-news/debian-news-2006/msg0...

Denial of reality vulnerabilities

Posted Jul 13, 2006 20:16 UTC (Thu) by giraffedata (guest, #1954) [Link] (1 responses)

This editorial seems to be arguing with somebody, but whom?

I assume the descriptions of the bug as a DOS are just errors. If the author had realized there's a way to exploit it to get privilege escalation, he would have written it up that way. Is someone still claiming the original description is appropriate?

If it's just an editorial against making mistakes, there's not much point -- it's preaching to the converted.

Denial of reality vulnerabilities

Posted Jul 20, 2006 8:08 UTC (Thu) by Wol (subscriber, #4433) [Link]

If the author HADN'T realised, then he clearly hadn't read the initial advisories, and shouldn't have been writing the official advisory.

mjcox said the first announcement on the private security mailing list described it as a privilege escalation problem.

Cheers,
Wol