security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)
Hello,

the new version addresses the issue below. Policyd-weight does now exit if it
detects symlinks on directories or sockets at startup or directory creation.

The flaw can lead to altered or deleted files on the following systems:

 1: multiuser or 3rd-party-holes hosts that plan to use policyd-weight prior
    to 0.1.14 beta-15
 2: multiuser or 3rd-party-holes hosts that empty the /tmp directory

On systems which do have an existing working directory this should not have
an impact as the permissions and ownership are set to write only by root or
polw, and once the directory is created policyd-weight doesn't delete it.

Workaround/Advice: users can also use /var/run/.policyd-weight as $LOCKPATH.
Users who change the $LOCKPATH must issue 'policyd-weight -k stop' first.
Otherwise they have to kill the children and cache manually.

MD5 (policyd-weight) = b33265ca797eb545ed9df5b0032282e5
SHA256 (policyd-weight) = 84aba66c39a016e60c073a2a2063d0433fc7f28d87baafb5846c48cb26bea5db
MD5 (policyd-weight-0.1.14.15.tar.gz) = a3b23cdb37c1179587305b65d9a18515
SHA256 (policyd-weight-0.1.14.15.tar.gz) = c8b8e3eaaf8e96794d5bfdd2a4f5e7a959c0348f1fff5b1c0e7c8ed17a20c731

On Mon, Mar 24, 2008 at 11:19:55AM +0100, Andrej Kacian wrote:
> Hello guys,
>
> I am a maintainer of the Gentoo package for policyd-weight. We had the
> following report coming in from Chris about insecure lockfile creation in
> your software:
>
> --8<
> Hi,
>
> I believe I have discovered an insecure temporary file vulnerability in
> policyd-weight, which is in the repositories of Debian etch.
>
> Snippets of code from /usr/sbin/policyd-weight
>
> my $LOCKPATH = '/tmp/.policyd-weight/';
>
> Then the function create_lockpath chown's lockpath:
>
> sub create_lockpath
> {
>     my $who = shift(@_);
>
>     if(!( -d $LOCKPATH))
>     {
>         mkdir $LOCKPATH or die "$who: error while creating $LOCKPATH: $!";
>     }
>
>     my $tuid = $USER;
>
>     if($USER =~ /[^0-9]/)
>     {
>         if( !(defined( $tuid = getpwnam($USER) ) ) )
>         {
>             mylog(warning=>"User $USER doesn't exist, create it, or set \$USER");
>         }
>     }
>     if( !(chown ($tuid, -1, $LOCKPATH)) )
>     {
>         mylog(warning=>"Couldn't chown $LOCKPATH to $USER: $!");
>     }
>     if( !(chmod (0700, $LOCKPATH)) )
>     {
>         mylog(warning=>"Couldn't set permissions on $LOCKPATH: $!");
>     }
> }
>
> I have verified that by doing something like this:
>
> mkdir /home/chris/foo
> ln -s /home/chris/foo /tmp/.policyd-weight
>
> and starting policyd-weight you can change the ownership of any arbitrary
> directory around the system - /home/chris/foo got chown'ed to polw:root.
>
> I'm sure you can also play tricks with the creation and deletion of the socket
> too as they get unlink'ed in a few places, but haven't bothered trying to
> exploit them as I think this is plenty to be sure that there is a problem.
> --8<
>
> Maybe you have already been contacted by Debian or FreeBSD security teams, as
> Chris has reported this there as well, but in case you weren't, I thought you
> should be made aware, in order to fix the issue.
>
> The bug report in Gentoo Bugzilla is restricted, so this is still confidential
> as far as I am concerned.
>
> Kind regards,
> --
> Andrej "Ticho" Kacian
> Gentoo Linux Developer - net-mail, antivirus, x86

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)
On Tue, 25 Mar 2008 01:40:31 +0100
Robert Felber <[EMAIL PROTECTED]> wrote:

> the new version addresses the issue below. Policyd-weight does now exit if it
> detects symlinks on directories or sockets at startup or directory creation.

Hello Robert,

I'm afraid 0.1.14.15 doesn't fix the issue reported.

By symlinking /tmp/.policyd-weight to /root and starting policyd-weight, I was
still able to change ownership of the /root directory to the user
policyd-weight is configured to run as.

[EMAIL PROTECTED] /tmp # /usr/lib/postfix/policyd-weight --version
policyd-weight version: 0.1.14 beta-15, CacheVer: 5
Perl version: 5.008008
Net::DNS version: 0.61
OS: Linux 2.6.24-gentoo

Output from policyd-weight -d run attached.

Regards,
--
Andrej "Ticho" Kacian
Gentoo Linux Developer - net-mail, antivirus, x86

[EMAIL PROTECTED] /tmp # /usr/lib/postfix/policyd-weight -d start
policyd-weight version: 0.1.14 beta-15, CacheVer: 5
System: Linux thelair 2.6.24-gentoo #5 Wed Feb 20 20:18:37 CET 2008 i686 Intel(R) Celeron(R) CPU 2.60GHz GenuineIntel GNU/Linux
Perl version: 5.008008
Net::DNS version: 0.61
config: /etc/policyd-weight.conf
$DEBUG = 0;
$REJECTMSG = "550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs";
$REJECTLEVEL = 1;
$DEFER_STRING = 'IN_SPAMCOP= BOGUS_MX=';
$DEFER_ACTION = '450';
$DEFER_LEVEL = 5;
$DNSERRMSG = '450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator';
$dnsbl_checks_only = 0;
@dnsbl_checks_only_regexps = ( );
$LOG_BAD_RBL_ONLY = 1;
@dnsbl_score = (
    'pbl.spamhaus.org',     3.25,  0,   'DYN_PBL_SPAMHAUS',
    'sbl-xbl.spamhaus.org', 4.35, -1.5, 'SBL_XBL_SPAMHAUS',
    'bl.spamcop.net',       3.75, -1.5, 'SPAMCOP',
    'dnsbl.njabl.org',      4.25, -1.5, 'BL_NJABL',
    'list.dsbl.org',        4.35,  0,   'DSBL_ORG',
    'ix.dnsbl.manitu.net',  4.35,  0,   'IX_MANITU'
);
$MAXDNSBLHITS = 2;
$MAXDNSBLSCORE = 8;
$MAXDNSBLMSG = '550 Your MTA is listed in too many DNSBLs';
@rhsbl_score = (
    'multi.surbl.org',             4,   0, 'SURBL',
    'rhsbl.ahbl.org',              4,   0, 'AHBL',
    'dsn.rfc-ignorant.org',        3.5, 0, 'DSN_RFCI',
    'postmaster.rfc-ignorant.org', 0.1, 0, 'PM_RFCI',
    'abuse.rfc-ignorant.org',      0.1, 0, 'ABUSE_RFCI'
);
$BL_ERROR_SKIP = 2;
$BL_SKIP_RELEASE = 10;
$LOCKPATH = '/tmp/.policyd-weight/';
$SPATH = $LOCKPATH.'/polw.sock';
$MAXIDLECACHE = 60;
$MAINTENANCE_LEVEL = 5;
$CACHESIZE = 2000;
$CACHEMAXSIZE = 4000;
$CACHEREJECTMSG = '550 temporarily blocked because of previous errors';
$NTTL = 1;
$NTIME = 30;
$POSCACHESIZE = 1000;
$POSCACHEMAXSIZE = 2000;
$POSCACHEMSG = 'using cached result';
$PTTL = 60;
$PTIME = '3h';
$TEMP_PTIME = '1d';
$DNS_RETRIES = 2;
$DNS_RET
Re: security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)
On Fri, Mar 28, 2008 at 09:40:24AM +0100, Robert Felber wrote:
> On Thu, Mar 27, 2008 at 11:52:17PM +0100, Andrej Kacian wrote:
> > On Tue, 25 Mar 2008 01:40:31 +0100
> > Robert Felber <[EMAIL PROTECTED]> wrote:
> >
> > > the new version addresses the issue below. Policyd-weight does now exit
> > > if it detects symlinks on directories or sockets at startup or directory
> > > creation.
> >
> > Hello Robert,
> >
> > I'm afraid 0.1.14.15 doesn't fix the issue reported.
> >
> > By symlinking /tmp/.policyd-weight to /root and starting policyd-weight, I
> > was still able to change ownership of /root directory to user
> > policyd-weight is configured to run as.
>
> Thanks for reporting.
>
> This is weird, and I am a little bit confused:
>
> # perl -wle 'if(-l "/tmp/.policyd-weight"){ print "err" }'
> err
>
> The question is now, why the same test in policyd-weight is
> not resulting in a true value.

strace of policyd-weight:
lstat("/tmp/.policyd-weight/", {st_mode=S_IFDIR|0700, st_size=512, ...}) = 0

strace of command line perl:
lstat("/tmp/.policyd-weight", {st_mode=S_IFLNK|0700, st_size=18, ...}) = 0

strace of command line perl with trailing slash:
lstat("/tmp/.policyd-weight/", {st_mode=S_IFDIR|0700, st_size=512, ...}) = 0

other test:

# if [ -L /tmp/.policyd-weight ]; then echo err; fi
err
# if [ -L /tmp/.policyd-weight/ ]; then echo err; fi
#

What the? If I want a check for -d then I'd say so.

I am a bit puzzled on how to handle this, and - who to blame.

However, I will strip trailing / as a workaround.

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)
On Thu, Mar 27, 2008 at 11:52:17PM +0100, Andrej Kacian wrote:
> On Tue, 25 Mar 2008 01:40:31 +0100
> Robert Felber <[EMAIL PROTECTED]> wrote:
>
> > the new version addresses the issue below. Policyd-weight does now exit if
> > it detects symlinks on directories or sockets at startup or directory
> > creation.
>
> Hello Robert,
>
> I'm afraid 0.1.14.15 doesn't fix the issue reported.
>
> By symlinking /tmp/.policyd-weight to /root and starting policyd-weight, I was
> still able to change ownership of /root directory to user policyd-weight is
> configured to run as.

Thanks for reporting.

This is weird, and I am a little bit confused:

# perl -wle 'if(-l "/tmp/.policyd-weight"){ print "err" }'
err

The question is now, why the same test in policyd-weight is
not resulting in a true value.

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: security: version update: version 0.1.14 beta-15 (was: Insecure lockfile creation - vulnerability report)
On Fri, Mar 28, 2008 at 09:50:45AM +0100, Robert Felber wrote:
> On Fri, Mar 28, 2008 at 09:40:24AM +0100, Robert Felber wrote:
> > On Thu, Mar 27, 2008 at 11:52:17PM +0100, Andrej Kacian wrote:
> > > On Tue, 25 Mar 2008 01:40:31 +0100
> > > Robert Felber <[EMAIL PROTECTED]> wrote:
> > >
> > > > the new version addresses the issue below. Policyd-weight does now exit
> > > > if it detects symlinks on directories or sockets at startup or directory
> > > > creation.
> > >
> > > Hello Robert,
> > >
> > > I'm afraid 0.1.14.15 doesn't fix the issue reported.
> > >
> > > By symlinking /tmp/.policyd-weight to /root and starting policyd-weight,
> > > I was still able to change ownership of /root directory to user
> > > policyd-weight is configured to run as.
> >
> > Thanks for reporting.
> >
> > This is weird, and I am a little bit confused:
> >
> > # perl -wle 'if(-l "/tmp/.policyd-weight"){ print "err" }'
> > err
> >
> > The question is now, why the same test in policyd-weight is
> > not resulting in a true value.
>
> strace of policyd-weight:
> lstat("/tmp/.policyd-weight/", {st_mode=S_IFDIR|0700, st_size=512, ...}) = 0
>
> strace of command line perl:
> lstat("/tmp/.policyd-weight", {st_mode=S_IFLNK|0700, st_size=18, ...}) = 0
>
> strace of command line perl with trailing slash:
> lstat("/tmp/.policyd-weight/", {st_mode=S_IFDIR|0700, st_size=512, ...}) = 0
>
> other test:
>
> # if [ -L /tmp/.policyd-weight ]; then echo err; fi
> err
> # if [ -L /tmp/.policyd-weight/ ]; then echo err; fi
> #
>
> What the? If I want a check for -d then I'd say so.
>
> I am a bit puzzled on how to handle this, and - who to blame.
>
> However, I will strip trailing / as a workaround.

I'll update the releases today. Patch below:

--- /old/policyd-weight Tue Mar 25 00:25:39 2008 +++ /new/policyd-weight Fri Mar 28 10:06:46 2008
@@ -23,9 +23,9 @@ # see http://spf.pobox.com/ # # AUTHOR: [EMAIL PROTECTED] -# DATE:Mon Mar 24 23:59:00 CET 2008 +# DATE:Fri Mar 28 10:08:42 CET 2008 # NAME:policyd-weight -# VERSION: 0.1.14 beta-15 +# VERSION: 0.1.14 beta-16 # URL: http://www.policyd-weight.org/ @@ -78,7 +78,7 @@ use vars qw($csock $s $tcp_socket $sock $new_sock $old_mtime); -our $VERSION = "0.1.14 beta-15"; +our $VERSION = "0.1.14 beta-16"; our $CVERSION = 5; # cache interface version our $CMD_DEBUG = 0; # -d switch our $KILL; # -k switch @@ -3624,7 +3624,13 @@ my $who = shift; for ( @_ ) { -if( -l $_ ) + +# strip trailing '/' +# perl and test(1) ignore the request for -l/-L and +# do a lstat with S_IFDIR (added in 0.1.14 beta-16) +s/\/+$//; + +if ( -l $_ ) { fatal_exit("$who: $_ is a symbolic link. Symbolic links are not expected and not allowed within policyd-weight. Exiting!"); } -- Robert Felber (PGP: 896CF30B) Munich, Germany Policyd-weight Mailinglist - http://www.policyd-weight.org/
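Review bot: in the third hunk (@@ -3624,7 +3624,13 @@) the strip-then-`-l` test still leaves the race that made the original report possible: `-l $_` is an lstat() by path, and the later mkdir/chown/chmod in create_lockpath also operate by path (chown follows symlinks), so anything that swaps /tmp/.policyd-weight for a symlink between this test and the chown still redirects the chown to the link target. The hunk closes only the trailing-slash gap Andrej hit; it does not make a directory under a world-writable /tmp safe. Consider defaulting $LOCKPATH out of /tmp (the first mail already recommends /var/run/.policyd-weight) or applying ownership and mode through an opened descriptor (sysopen with O_NOFOLLOW|O_DIRECTORY, then chown/chmod on the handle), which cannot be redirected after the open. Two smaller points on the same hunk: the comment `perl and test(1) ignore the request for -l/-L and do a lstat with S_IFDIR` blames the wrong layer, since the strace lines quoted in the thread show lstat() receiving the path with the trailing slash intact and returning the directory, which is the kernel's pathname resolution requiring a name ending in '/' to denote a directory, not perl or test(1) changing the request; and `s/\/+$//` runs on the `for (@_)` alias, so it rewrites the caller's variable in place, which is presumably intended for $LOCKPATH but worth stating in the comment.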
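Robert's strace comparison and the beta-16 patch above both turn on one detail: a pathname ending in '/' must resolve to a directory, so the kernel follows a symlink in the final component even for lstat(2), which is why `-l "/tmp/.policyd-weight/"` is false while `-l "/tmp/.policyd-weight"` is true; for the same reason O_NOFOLLOW on open(2) offers no protection unless the slash is removed first. The Perl below is an added example written for this page, not policyd-weight code. It reproduces the `-l` miss on a constructed symlink under a private temporary directory, then shows a create_lockpath variant that strips trailing slashes, refuses a symlink via O_NOFOLLOW|O_DIRECTORY, and applies chown/chmod to the opened descriptor rather than to the path, so a swap after the check cannot redirect them. The parameters ($who, $lockpath, $uid) and the demo layout ($base/target, $base/lock, $base/clean) are the example's own assumptions.

```perl
#!/usr/bin/perl
# Added example for this thread, not policyd-weight code.
# Shows (1) why -l misses a symlink when the path has a trailing slash and
# (2) a lock-directory setup that cannot be redirected by a planted symlink.
use strict;
use warnings;
use Errno;                                   # enables $!{EEXIST}
use Fcntl qw(O_RDONLY O_DIRECTORY O_NOFOLLOW S_ISDIR);
use File::Temp qw(tempdir);

# Drop trailing slashes. With them, "/tmp/.policyd-weight/" names "the
# directory that /tmp/.policyd-weight points to", so lstat(2), -l and even
# open(2) with O_NOFOLLOW all act on the target, never on the link itself.
sub strip_trailing_slash {
    my ($path) = @_;
    $path =~ s{/+\z}{} unless $path eq '/';
    return $path;
}

# Hardened variant of create_lockpath ($who, $lockpath, $uid are this
# example's own parameters). Returns an open handle on the directory.
#  - mkdir first; EEXIST is tolerated so an existing directory is reused
#  - sysopen with O_NOFOLLOW|O_DIRECTORY: a symlink in the final component
#    fails with ELOOP, a non-directory with ENOTDIR
#  - fstat, fchown and fchmod go through the handle, so swapping the path
#    after the open cannot redirect the chown the way the original did
sub create_lockpath {
    my ($who, $lockpath, $uid) = @_;
    my $dir = strip_trailing_slash($lockpath);

    if (!mkdir($dir, 0700) && !$!{EEXIST}) {
        die "$who: error while creating $dir: $!\n";
    }

    sysopen(my $dh, $dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)
        or die "$who: refusing $dir (symlink or not a directory): $!\n";

    my @st = stat($dh) or die "$who: fstat $dir: $!\n";
    my ($mode, $owner) = @st[2, 4];
    die "$who: $dir is not a directory\n" unless S_ISDIR($mode);
    die "$who: $dir owned by uid $owner, expected $uid or root\n"
        unless $owner == $uid || $owner == 0;

    if ($owner != $uid) {                    # needs root, as in the daemon
        chown($uid, -1, $dh) or die "$who: fchown $dir: $!\n";
    }
    chmod(0700, $dh) or die "$who: fchmod $dir: $!\n";
    return $dh;
}

# Constructed layout under a private temp dir (nothing in /tmp is touched):
#   $base/target          real directory standing in for /root
#   $base/lock -> target  the symlink an attacker would plant as
#                         /tmp/.policyd-weight
sub demo {
    my $base = tempdir(CLEANUP => 1);
    mkdir "$base/target", 0700 or die "mkdir: $!";
    symlink "$base/target", "$base/lock" or die "symlink: $!";

    # beta-15 style check: the trailing slash hides the link from -l
    printf "-l '%s/lock/': %s\n", $base,
           (-l "$base/lock/") ? "symlink" : "not detected";
    printf "-l '%s/lock' : %s\n", $base,
           (-l "$base/lock") ? "symlink" : "not detected";

    # hardened path refuses the planted link even with the trailing slash
    my $dh = eval { create_lockpath('demo', "$base/lock/", $<) };
    print "create_lockpath on planted symlink: ",
          ($dh ? "ACCEPTED (bad)\n" : "refused: $@");

    # ... and creates a clean directory with the expected owner and mode
    $dh = create_lockpath('demo', "$base/clean/", $<);
    my @st = stat($dh);
    printf "created %s/clean, mode %04o, owner uid %d\n",
           $base, $st[2] & 07777, $st[4];
}

demo() unless caller;
```

Run it as an unprivileged user; it never touches /tmp/.policyd-weight and removes its temporary directory on exit. The first printf reports "not detected" and the second "symlink", matching the strace pair in the thread; the planted link is refused by sysopen, and the clean path comes back mode 0700 owned by the caller. The chown branch only fires when the directory's owner differs from the requested uid, which requires root, as it does in the daemon.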