Bug 12562 - Multiple command-injections and privilege escalations in misc-progs
Summary: Multiple command-injections and privilege escalations in misc-progs
Status: ASSIGNED
Alias: None
Product: IPFire
Classification: Unclassified
Component: --- (show other bugs)
Version: 2
Hardware: all Linux
: - Unknown - Security
Assignee: Michael Tremer
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-30 22:03 UTC by ipfire
Modified: 2021-01-27 21:08 UTC (History)
3 users (show)

See Also:


Attachments
0001-Drop-launch-ether-wake.patch (5.19 KB, patch)
2021-01-06 14:58 UTC, Michael Tremer
Details
0002-core154-Manually-set-capabilites-for-etherwake.patch (865 bytes, patch)
2021-01-06 14:59 UTC, Michael Tremer
Details
0003-misc-progs-Introduce-run.patch (4.99 KB, patch)
2021-01-06 14:59 UTC, Michael Tremer
Details
0004-misc-progs-backupctrl-Use-new-run-function.patch (1.50 KB, patch)
2021-01-06 14:59 UTC, Michael Tremer
Details
0005-misc-progs-pakfire-Use-new-run-function.patch (1.16 KB, patch)
2021-01-06 14:59 UTC, Michael Tremer
Details
0006-misc-progs-Add-functions-to-sanitise-input-arguments.patch (1.80 KB, patch)
2021-01-06 15:00 UTC, Michael Tremer
Details
0007-misc-progs-addonctrl-Sanitise-add-on-names-before-us.patch (3.45 KB, patch)
2021-01-06 15:00 UTC, Michael Tremer
Details
0008-misc-progs-extrahdctrl-Use-new-run-function.patch (1.14 KB, patch)
2021-01-06 15:00 UTC, Michael Tremer
Details
0009-misc-progs-mpfirectrl-Use-new-run-function.patch (1.38 KB, patch)
2021-01-06 15:00 UTC, Michael Tremer
Details
0010-misc-progs-smartctrl-Sanitise-device-name.patch (904 bytes, patch)
2021-01-06 15:00 UTC, Michael Tremer
Details
0011-misc-progs-sshctrl-Sanitise-runtime-for-tempstart.patch (880 bytes, patch)
2021-01-06 15:01 UTC, Michael Tremer
Details
0012-misc-progs-sambactrl-Remove-unused-smbsafeconfpdc-co.patch (1.09 KB, patch)
2021-01-06 15:01 UTC, Michael Tremer
Details
0013-misc-progs-sambactrl-Sanitise-username.patch (2.23 KB, patch)
2021-01-06 15:01 UTC, Michael Tremer
Details
0014-samba-Remove-option-to-chose-user-group-and-shell.patch (3.00 KB, patch)
2021-01-06 15:01 UTC, Michael Tremer
Details
0015-samba-Add-helper-script-to-pipe-password.patch (6.63 KB, patch)
2021-01-06 15:01 UTC, Michael Tremer
Details
0001-misc-progs-addonctrl-Replace-all-sprintf-with-snprin.patch (2.68 KB, patch)
2021-01-07 12:17 UTC, Michael Tremer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description ipfire 2020-12-30 22:03:16 UTC
Introduction
------------
The misc-progs utilities are often setuid and can be executed by the group "nobody". They use functions like "safe_system" and often do not perform input validation.

See for example:
https://github.com/ipfire/ipfire-2.x/blob/master/src/misc-progs/launch-ether-wake.c#L29

As it stands, these binaries are a trivial way to elevate privileges should a vulnerable service be exploited. 

I didn't see misc-progs in ipfire 3. However, since ipfire 2 seems to be the release that's offered for general use, this does effect ipfire users today.


Example
------
In the following example, tested on the newest ipfire release, a user "test" has been created that's also a member of the group "nobody". 

-su-5.0$ cat /etc/os-release 
NAME="IPFire"
VERSION="2.25"
ID=ipfire
VERSION_ID=2
PRETTY_NAME="IPFire 2.25 (x86_64) - core153"
ANSI_COLOR="0:31"
-su-5.0$ id
uid=1001(test) gid=1001(test) groups=1001(test),99(nobody)
-su-5.0$ /usr/local/bin/launch-ether-wake test ';/bin/bash;%'
/usr/sbin/etherwake: option requires an argument -- 'i'
usage: ether-wake [-i <ifname>] [-p aa:bb:cc:dd[:ee:ff]] 00:11:22:33:44:55
   Use '-u' to see the complete set of options.
[root@ipfire test]# id
uid=0(root) gid=0(root) groups=0(root)

So, an attacker that takes control over a process that's in the nobody group, e. g. the httpd apache server or unbound, can trivially gain root access.

It doesn't look that ether-wake is the only command that's affected. It seems some commands in misc-progs try to filter user input, while others do not. 

Possible solutions
------------------
An obvious solution is to validate all inputs for the commands. So, in the above example, launch-ether-wake could check whether an interface exists (or whether the parameter consists of characters that are valid for interfaces) or whether the mac address is valid. 

The comment for the safe_system function https://github.com/ipfire/ipfire-2.x/blob/master/src/misc-progs/setuid.c#L56 actually that you should filter for semicolons etc. Commands like backupctrl https://github.com/ipfire/ipfire-2.x/blob/master/src/misc-progs/backupctrl.c#L25 however don't filter for semicolons, only a few chars like &&. Therefore, the checks can probably be considered insufficient. 


So, possible first steps towards improving the situation could be the following:

1. Implementing a function like safe_system(), except that it would not invoke system() but rather the binary directly, e. g. using the exec() family of functions. This avoids those injection commands. It should be used in all calls that only call a single command. In the example above, the exploit only works because safe_system() uses /bin/sh but there is no reason to call /bin/sh. Had it called etherwake directly, the exploit would not have worked.   

2. Currently, some commands try to filter unwanted characters in argv[1] before calling safe_system(), but miss some characters or don't have any filtering at all. Therefore, a central function could be implemented that would be used by all commands. Note however that this is still a blacklisting approach and thus not ideal.

3. Whitelist as much as possible. If a parameter is supposed to be a mac address, make sure it is one. Or if a parameter is expected to be only alphanumeric characters, check for this too.
Comment 1 Michael Tremer 2020-12-31 16:27:37 UTC
Thank you for reporting this vulnerability. It helps us a lot to make IPFire more secure.

I will have a look at this and submit patches to this ticket. So far I can confirm it and I have marked this ticket at security-sensitive so that it won't be visible on the bug tracker. I will remove that mark as soon as a patch has been submitted and has been approved.
Comment 2 Michael Tremer 2021-01-06 14:57:50 UTC
I have now come up with various fixes for these vulnerabilities which I would like to post here and I am asking for a review of them. If you agree with the changes, I will post them to the mailing list.

The lauch-ether-wake binary has been dropped and I have given etherwake CAP_NET_RAW. Therefore the web UI can now call it without need for the helper.

I have removed that commands that are composed from input variables are executed using a shell. Therefore the entire class of shell command injection should be removed. I have changed safe_system() so that it is a wrapper for the new function and not all of the code has to be changed.

After these changes, all vulnerabilities should be fixed. Please let me know if you find anything that I overlooked.

Thank you again for your help to make IPFire better software :)
Comment 3 Michael Tremer 2021-01-06 14:58:56 UTC
Created attachment 831 [details]
0001-Drop-launch-ether-wake.patch
Comment 4 Michael Tremer 2021-01-06 14:59:12 UTC
Created attachment 832 [details]
0002-core154-Manually-set-capabilites-for-etherwake.patch
Comment 5 Michael Tremer 2021-01-06 14:59:26 UTC
Created attachment 833 [details]
0003-misc-progs-Introduce-run.patch
Comment 6 Michael Tremer 2021-01-06 14:59:39 UTC
Created attachment 834 [details]
0004-misc-progs-backupctrl-Use-new-run-function.patch
Comment 7 Michael Tremer 2021-01-06 14:59:51 UTC
Created attachment 835 [details]
0005-misc-progs-pakfire-Use-new-run-function.patch
Comment 8 Michael Tremer 2021-01-06 15:00:02 UTC
Created attachment 836 [details]
0006-misc-progs-Add-functions-to-sanitise-input-arguments.patch
Comment 9 Michael Tremer 2021-01-06 15:00:16 UTC
Created attachment 837 [details]
0007-misc-progs-addonctrl-Sanitise-add-on-names-before-us.patch
Comment 10 Michael Tremer 2021-01-06 15:00:29 UTC
Created attachment 838 [details]
0008-misc-progs-extrahdctrl-Use-new-run-function.patch
Comment 11 Michael Tremer 2021-01-06 15:00:40 UTC
Created attachment 839 [details]
0009-misc-progs-mpfirectrl-Use-new-run-function.patch
Comment 12 Michael Tremer 2021-01-06 15:00:52 UTC
Created attachment 840 [details]
0010-misc-progs-smartctrl-Sanitise-device-name.patch
Comment 13 Michael Tremer 2021-01-06 15:01:05 UTC
Created attachment 841 [details]
0011-misc-progs-sshctrl-Sanitise-runtime-for-tempstart.patch
Comment 14 Michael Tremer 2021-01-06 15:01:16 UTC
Created attachment 842 [details]
0012-misc-progs-sambactrl-Remove-unused-smbsafeconfpdc-co.patch
Comment 15 Michael Tremer 2021-01-06 15:01:27 UTC
Created attachment 843 [details]
0013-misc-progs-sambactrl-Sanitise-username.patch
Comment 16 Michael Tremer 2021-01-06 15:01:38 UTC
Created attachment 844 [details]
0014-samba-Remove-option-to-chose-user-group-and-shell.patch
Comment 17 Michael Tremer 2021-01-06 15:01:49 UTC
Created attachment 845 [details]
0015-samba-Add-helper-script-to-pipe-password.patch
Comment 18 ipfire 2021-01-06 19:56:31 UTC
Hi Michael,

Currently, I only have time for a quick review. 

Patch 1: OK
Patch 2: OK
Patch 4: OK
Patch 5: OK
Patch 7: I personally would prefer calling run() instead of safe_system(), just as a matter of principle, since you only execute a single command here. Similarly, I would prefer snprintf() over sprintf(), even though you did check for overflows before. This way, people attention is not taken by these calls to sprintf() and analyzer will not produce warnings.
Patch 8: OK
Patch 9: OK

I'll have to check the rest once I have more time. To be clear, the "OK" only refers to this bug. So if the setuid binary calls a perl script, I did not check whether the perl script deals properly with the arguments or whether it has other bugs. 

Regards,
Albert
Comment 19 Michael Tremer 2021-01-07 12:17:22 UTC
Created attachment 846 [details]
0001-misc-progs-addonctrl-Replace-all-sprintf-with-snprin.patch

Thanks for looking into this so far.

(In reply to ipfire from comment #18)
> Patch 7: I personally would prefer calling run() instead of safe_system(),
> just as a matter of principle, since you only execute a single command here.
> Similarly, I would prefer snprintf() over sprintf(), even though you did
> check for overflows before. This way, people attention is not taken by these
> calls to sprintf() and analyzer will not produce warnings.

I replaced all of those calls with snprintf(). See the attached patch.

> I'll have to check the rest once I have more time. To be clear, the "OK"
> only refers to this bug. So if the setuid binary calls a perl script, I did
> not check whether the perl script deals properly with the arguments or
> whether it has other bugs. 

This is what this ticket is about. I would like to release these fixes as soon as possible. If there is anything else in any of the scripts that are being called, that would be a new ticket and I would like to work on that after this. One at a time.
Comment 20 Michael Tremer 2021-01-25 17:19:20 UTC
Hello Albert,

I would like to close the development cycle very soon and I would like these patches to be included to patch the problem as soon as possible for our users.

Did you have some more time to review them or do you need a little bit longer?
Comment 21 Michael Tremer 2021-01-27 21:08:37 UTC
I have merged all patches into "next" and they are scheduled for release soon.

This bug report is also public again now.

Thank you for your help and your valuable contribution to IPFire.