Is just the agent, the server, or the agent and server vulnerable?
On Thursday, June 11, 2015 at 2:52:36 PM UTC+2, SoulAuctioneer wrote:

> https://github.com/ossec/ossec-hids/releases/tag/2.8.2
>
> Fix for CVE-2015-3222 which allows for root escalation via syscheck
>
> Affected versions: 2.7 - 2.8.1
>
> Beginning in OSSEC 2.7 (d88cf1c9) a feature was added to syscheck, which
> is the daemon that monitors file changes on a system, called
> "report_changes". This feature is only available on *NIX systems. Its
> purpose is to help determine what about a file has changed. The logic to
> accomplish this is as follows and can be found in
> src/syscheck/seechanges.c:
>
>     252     /* Run diff */
>     253     date_of_change = File_DateofChange(old_location);
>     254     snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/local/%s/diff.%d\" "
>     255              "2>/dev/null",
>     256              tmp_location, old_location,
>     257              DIFF_DIR_PATH, filename + 1, (int)date_of_change);
>     258     if (system(diff_cmd) != 256) {
>     259         merror("%s: ERROR: Unable to run diff for %s",
>     260                ARGV0, filename);
>     261         return (NULL);
>     262     }
>
> Above, on line 258, the system() call is used to shell out to the
> system's "diff" command. The raw filename is passed in as an argument,
> which presents an attacker with the possibility to run arbitrary code.
> Since the syscheck daemon runs as the root user so it can inspect any
> file on the system for changes, any code run using this vulnerability
> will also be run as the root user.
>
> An example attack might be creating a file called "foo-$(touch bar)"
> which should create another file "bar".
>
> Again, this vulnerability exists only on *NIX systems and is contingent
> on the following criteria:
>
> 1. A vulnerable version is in use.
> 2. The OSSEC agent is configured to use syscheck to monitor the file
>    system for changes.
> 3. The list of directories monitored by syscheck includes those writable
>    by underprivileged users.
> 4. The "report_changes" option is enabled for any of those directories.
>
> The fix for this is to create temporary trusted file names that symlink
> back to the original files before calling system() and running the
> system's "diff" command.
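The shell-out pattern from the quoted seechanges.c excerpt beside a shell-free way of running diff, as an added example for readers; this is not OSSEC code (the upstream fix used trusted symlink names instead), and the helper names, buffer sizes and output path handling are assumptions.

```c
/* Added example (not OSSEC code): the shell-based diff invocation from the
 * quoted seechanges.c beside a shell-free version. Helper names are assumed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Vulnerable pattern: the monitored file's name is spliced into a string that
 * /bin/sh parses, so "$(...)", backticks or ";" in the name run as root. */
int build_shell_cmd(char *buf, size_t n, const char *tmp, const char *old,
                    const char *out)
{
    return snprintf(buf, n, "diff \"%s\" \"%s\" > \"%s\" 2>/dev/null",
                    tmp, old, out);
}

/* Hardened pattern: fork/exec diff directly. Every path is one argv element,
 * so no shell ever parses it; stdout is redirected with dup2 in the child.
 * Returns diff's exit status (0 same, 1 differ, 2 error) or -1 on failure. */
int run_diff_noshell(const char *tmp, const char *old, const char *out)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        int devnull = open("/dev/null", O_WRONLY);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        if (devnull >= 0)
            dup2(devnull, STDERR_FILENO);
        /* "--" keeps a name beginning with '-' from being read as an option */
        execlp("diff", "diff", "--", tmp, old, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Detection aid: flag monitored names carrying characters /bin/sh would
 * interpret, i.e. names the shell-based code mishandles. Returns 1 if any. */
int name_has_shell_metachars(const char *name)
{
    return strpbrk(name, "$`;|&<>()\"'\\\n") != NULL;
}
```

Unlike the original's `system(diff_cmd) != 256` test, which compares the raw wait status, `run_diff_noshell` hands back the decoded exit code so callers can tell "files differ" (1) from a failed run.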
