Platform LSF 'eauth' Buffer Overflow Lets Local and Remote Cluster Users Gain Root Privileges
|
|
SecurityTracker Alert ID: 1009178
|
|
CVE Reference: CAN-2004-0317
(Links to External Site)
|
Updated: Mar 23 2004
|
Original Entry Date: Feb 23 2004
|
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 4.x, 5.x, 6.x
|
Description: A vulnerability was reported in Platform Load Sharing Facility (LSF) in the 'eauth' component. A local or remote user can gain root access.
Tomasz Grabowski reported that a local user can invoke eauth in '-s' mode and supply specially crafted data strings to cause arbitrary
code to be executed on the target system. The 'eauth' binary is configured with set user id (setuid) root privileges, so code will
run with root privileges, the report said.
It is also reported that 'eauth -s' is used by the 'mbatchd' daemon and other daemons,
so a user on a host within an LSF cluster can trigger the flaw on another host within the same LSF cluster.
The vendor was reportedly
notified on October 26, 2003.
|
Impact: A local user can execute arbitrary code on the target system with root privileges.
A user on a host within an LSF cluster can execute arbitrary code on a remote target system within the same LSF cluster.
|
Solution: According to the report, a patch is available from the vendor at:
FTP: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example:
patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z
The vendor reportedly issued an advisory on February 9, 2004 under Knowledge
Base Article KB1-5RZI1.
|
Vendor URL: www.platform.com/products/LSFfamily/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Tomasz Grabowski <cadence@aci.com.pl>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 23 Feb 2004 13:38:34 +0100 (CET)
From: Tomasz Grabowski <cadence@aci.com.pl>
Subject: [Full-Disclosure] Lam3rZ Security Advisory #1/2004: LSF eauth vulnerability leads to
|
Lam3rZ Security Advisory #1/2004
23 Feb 2004
Remote (within a cluster) root in LSF
Name: Load Sharing Facility versions 4.x, 5.x, 6.x
Severity: High
Vendor URL: http://www.platform.com
Author: Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified: 26 Oct 2003
Vendor confirmed: 27 Oct 2003
Vendor advisory: 9 Feb 2004
Impact:
-------
"eauth" is the component within LSF which controls authenication. Specific
input data strings can be constructed and can cause failure of the eauth
binary, leading to the code execution under root privileges. This security
risk is contained to "local cluster". This means that it can be exploited
remotely (from one host to another) but only between hosts within the LSF
cluster.
Description:
------------
Tests shows, that it is possible to cause SIGSEGV on eauth.
The bug is in 'eauth -s' mode.
This is how you can reproduce the bug:
$ eauth -s [press Enter]
1006 1006 eKlempa 192.168.10.106 4110 20 user [press Enter]
LSF_From_PC AAAAAAAAAAAAAAAAAAAA [press Enter]
Segmentation fault (core dumped)
This bug is exploitable (i.e. attacker can change program execution flow
and point it to code of her choice, effectively gaining root access
privilege). As everyone can execute 'eauth' and it is setuid==root,
attacker can locally gain root privileges by exploiting it. Moreover,
while 'eauth -s' is used by daemons like 'mbatchd' to authorize clients,
it is possible to exploit this vulnerability on remote host within a
cluster.
How to patch:
-------------
This problem has been directly addressed in a security patch released for
LSF. The fix is contained to the "eauth" binary which will need to be
replaced for each platform used in the cluster. The patch can be
downloaded from Platform FTP site.
FTP: ftp.platform.com
Path: patches/<version>/os/<os>/eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z
If the OS or version is not currently available, it can be built on
demand. Please contact Platform Technical Support if you have any
questions or concerns.
Phone: 1-877-444-4573
Email: support@platform.com
References:
-----------
This bug was confirmed in Platform's official security advisory dated
9 Feb 2004. It is accessible directly from Platform as Knowledge Base
Article KB1-5RZI1.
--
Tomasz Grabowski
Technical University of Szczecin, +48 (91)4494234
Academic Centre of Computer Science www.man.szczecin.pl
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
