Lam3rZ Security Advisory #1/2004

                           23 Feb 2004

               Remote (within a cluster) root in LSF


Name:             Load Sharing Facility versions 4.x, 5.x, 6.x
Severity:         High
Vendor URL:       http://www.platform.com
Author:           Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified:  26 Oct 2003
Vendor confirmed: 27 Oct 2003
Vendor advisory:   9 Feb 2004


Impact:
-------

"eauth" is the component within LSF which controls authenication. Specific
input data strings can be constructed and can cause failure of the eauth
binary, leading to the code execution under root privileges. This security
risk is contained to "local cluster". This means that it can be exploited
remotely (from one host to another) but only between hosts within the LSF
cluster.



Description:
------------

Tests shows, that it is possible to cause SIGSEGV on eauth.
The bug is in 'eauth -s' mode.

This is how you can reproduce the bug:
$ eauth -s                                      [press Enter]
1006 1006 eKlempa 192.168.10.106 4110 20 user   [press Enter]
LSF_From_PC AAAAAAAAAAAAAAAAAAAA                [press Enter]
Segmentation fault (core dumped)


This bug is exploitable (i.e. attacker can change program execution flow
and point it to code of her choice, effectively gaining root access
privilege). As everyone can execute 'eauth' and it is setuid==root,
attacker can locally gain root privileges by exploiting it. Moreover,
while 'eauth -s' is used by daemons like 'mbatchd' to authorize clients,
it is possible to exploit this vulnerability on remote host within a
cluster.


How to patch:
-------------

This problem has been directly addressed in a security patch released for
LSF. The fix is contained to the "eauth" binary which will need to be
replaced for each platform used in the cluster. The patch can be
downloaded from Platform FTP site.

FTP: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

If the OS or version is not currently available, it can be built on
demand. Please contact Platform Technical Support if you have any
questions or concerns.
Phone: 1-877-444-4573
Email: support@platform.com



References:
-----------

This bug was confirmed in Platform's official security advisory dated
9 Feb 2004. It is accessible directly from Platform as Knowledge Base
Article KB1-5RZI1.


--
Tomasz Grabowski
Technical University of Szczecin,           +48 (91)4494234
Academic Centre of Computer Science     www.man.szczecin.pl