Message-ID: <20130225132745.GA3202@alf.mars>
Date: Mon, 25 Feb 2013 14:27:47 +0100
From: Helmut Grohne <helmut@...divi.de>
To: oss-security@...ts.openwall.com
Cc: Roland Mas <lolando@...ian.org>
Subject: fusionforge CVE-2013-1423 multiple privilege escalations

Hello,

I am publicly disclosing fusionforge CVE-2013-1423 today. On the 25th of January I reported one of these issues to the Debian security team and the fusionforge maintainers. In the process of fixing the issue a number of further issues surfaced.

All of these issues currently covered by the single CVE-2013-1423 have in common that they relate to privileged operations not properly checking their environment and thus leading to privilege escalation.

Let me give an easy-to-exploit example. Quoting deb-specific/user_dump_update.pl (fusionforge 5.2-1):

| $home_dir = $homedir_prefix.'/'.$username;
| unless (-d $home_dir.'/incoming') {
|     mkdir $home_dir.'/incoming', 0755;
| }
|
| my $realuid=get_file_owner_uid($home_dir);
| if ($uid eq $realuid){
|     system("chown $uid $home_dir/incoming");
|     system("chmod 0755 $home_dir/incoming");

This code is executed as root in a cron job. By replacing ~/incoming with a hard link to some other file (e.g. an .ssh/authorized_keys file from a different user) an attacker can gain ownership of files.

The initial report related to plugins/scmcvs/cronjobs/ssh_create.php, which contained a chown to ~user/.ssh, which is user controlled.

Most of the issues relate to usage of chown or chmod on objects controlled by a user. These issues have been avoided by carrying out operations on user controlled files with the effective permission of the user (seteuid). Another source was TOCTOU race conditions, which have been avoided by using O_EXCL, which is file mode "x" in php. Also some file permissions were only fixed after closing the file (information disclosure), which is now done at open time by using umask.

Roland Mas iteratively updated the sources with me giving feedback on issues. The resulting patches have been committed to the respective git branches. Please have a look at those patches for further details.

5.0: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=0cc51b3aca51fa915a35195fdf729bcdb903f2af
5.1: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=9937b9d94ab60ff67fe249c1b9a6c8e3fc1778ba
5.2: https://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=fusionforge/fusionforge.git;a=commitdiff;h=1fc730b97c797e03b89cd37823ab345d35286cf4

Here is a list of files affected:

contrib/gforge-3.0-cronjobs.patch (removed)
cronjobs/homedirs.php
deb-specific/fileforge.pl (removed)
deb-specific/group_dump_update.pl
deb-specific/ssh_dump_update.pl
deb-specific/user_dump_update.pl
plugins/scmbzr/common/BzrPlugin.class.php
plugins/scmcvs/common/CVSPlugin.class.php
plugins/scmcvs/cronjobs/cvs.php
plugins/scmcvs/cronjobs/ssh_create.php
plugins/scmgit/common/GitPlugin.class.php
plugins/scmsvn/common/SVNPlugin.class.php
plugins/wiki/cronjobs/create_groups.php
utils/cvs1/cvscreate.sh (removed)
utils/include.pl

Finally I would like to thank Roland Mas for his thorough work on these issues, his quick reaction and the nice interaction.

Helmut
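The hardening pattern the report describes (no chown on user-controlled objects, privileged steps run with the user's effective uid, no TOCTOU window between check and use), as an added Python example that is not part of the original report or of the FusionForge patches. `ensure_incoming_dir` and `_as_user` are hypothetical names, and the seteuid path only runs when the caller is root, so the check-by-descriptor logic can be exercised unprivileged.

```python
import os
import stat

# Added example, not FusionForge code. The quoted user_dump_update.pl checked
# the owner of $home_dir, then ran chown/chmod on "$home_dir/incoming", which
# follows whatever the user placed there. Here every component is opened with
# O_NOFOLLOW, checks use fstat on the descriptor, the directory is created with
# the user's effective uid (the seteuid approach from the report), and nothing
# is chowned, so a planted hard link or symlink gains the user nothing.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def _as_user(uid, fn):
    """Run fn() with effective uid `uid` when we are root, otherwise as-is."""
    if os.geteuid() != 0:
        return fn()
    os.seteuid(uid)
    try:
        return fn()
    finally:
        os.seteuid(0)

def ensure_incoming_dir(home_dir, expected_uid, mode=0o755):
    """True if home_dir/incoming is a real directory owned by expected_uid
    (creating it when absent); False on anything suspicious."""
    try:
        home_fd = os.open(home_dir, DIR_FLAGS)    # ELOOP/ENOTDIR if tampered
    except OSError:
        return False
    try:
        if os.fstat(home_fd).st_uid != expected_uid:
            return False                          # home is not the user's
        try:   # create relative to the verified fd, owned by the user
            _as_user(expected_uid,
                     lambda: os.mkdir("incoming", mode, dir_fd=home_fd))
        except OSError:
            pass                                  # exists or failed: verified below
        try:
            inc_fd = os.open("incoming", DIR_FLAGS, dir_fd=home_fd)
        except OSError:
            return False    # symlink (ELOOP) or hard-linked file (ENOTDIR)
        try:
            st = os.fstat(inc_fd)
            if not stat.S_ISDIR(st.st_mode) or st.st_uid != expected_uid:
                return False                      # not the user's: no chown
            os.fchmod(inc_fd, mode)               # only on the verified fd
            return True
        finally:
            os.close(inc_fd)
    finally:
        os.close(home_fd)
```

Because hard links to directories are not possible on Linux, the O_DIRECTORY open rejects exactly the hard-link substitution the report describes, and O_NOFOLLOW rejects the symlink variant.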