[UNIX] LSF eauth Vulnerability Leads to Remote Code Execution (LSF_From_PC)
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 26 Feb 2004 12:02:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
LSF eauth Vulnerability Leads to Remote Code Execution (LSF_From_PC)
"eauth" is the component within <http://www.platform.com> LSF (Load
Sharing Facility) which controls authentication. Specific input data
strings can be constructed and can cause failure of the eauth binary,
leading to the code execution under root privileges. This security risk is
contained to "local cluster". This means that it can be exploited remotely
(from one host to another) but only between hosts within the LSF cluster.
* Load Sharing Facility versions 4.x, 5.x, 6.x
Tests shows, that it is possible to cause SIGSEGV on eauth. The bug is in
'eauth -s' mode.
This is how you can reproduce the bug:
$ eauth -s ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?[press Enter]
1006 1006 eKlempa 192.168.10.106 4110 20 user ? [press Enter]
LSF_From_PC AAAAAAAAAAAAAAAAAAAA ? ? ? ? ? ? ? ?[press Enter]
Segmentation fault (core dumped)
This bug is exploitable (i.e. attacker can change program execution flow
and point it to code of her choice, effectively gaining root access
privilege). As everyone can execute 'eauth' and it is setuid==root,
attacker can locally gain root privileges by exploiting it. Moreover,
while 'eauth -s' is used by daemons like 'mbatchd' to authorize clients,
it is possible to exploit this vulnerability on remote host within a
How to patch:
This problem has been directly addressed in a security patch released for
LSF. The fix is contained to the "eauth" binary which will need to be
replaced for each platform used in the cluster. The patch can be
downloaded from Platform FTP site.
If the OS or version is not currently available, it can be built on
demand. Please contact Platform Technical Support if you have any
questions or concerns. Phone: 1-877-444-4573 or Email:
This bug was confirmed in Platform's official security advisory dated 9
Feb 2004. It is accessible directly from Platform as Knowledge Base
The information has been provided by <mailto:firstname.lastname@example.org> Tomasz
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.