Description of problem: Between F14 and F15, NetworkManager was changed so that unprivileged console users can store both personal and system connections via the ifcfg-rh plugin. As a result, bug 682290 now constitutes a vulnerability allowing such users to escalate to root. To avoid calling attention to this, I am filing a separate bug rather than updating bug 682290. Version-Release number of selected component (if applicable): NetworkManager-0.9.0-1.fc15 How reproducible: Always Steps to Reproduce (as an unprivileged console user): 1. Create a wired connection named `test'. 2. Change the name to `test\nUSERCTL=true\n/bin/bash', where `\n' stands for a newline entered via Ctrl-Shift-U, A. 3. usernetctl test up Actual results: Root shell. Expected results: Format integrity of /etc/sysconfig/network-scripts/ifcfg-test is maintained.
Connection ID's are basically not restricted and they can contain virtually any character (including non-printable, control, etc.). That's not problem per se. However, when the ID is used is some places some characters can cause problems. In this case, when NAME variable (connection's ID) is written to ifcfg file, some characters are escaped with \ in shvar.c (escapees[] = "\"'\\$~`"). This prevents undesired behaviour in shell, because ifcfg files can be shell-interpreted by means of initscripts. a) The easiest solution would be just dropping newline characters when writing to ifcfg file. See attached patch doing that. b) If we wanted to preserve the newline characters (and/or other control characters), we have to change svEscape()/svUnescape() to proper transfer LF <-> "\n", CR <-> "\r", etc. But, I think non-pritable characters in connection names don't bring any user value and "\n" may cause some problems too in ifcfg files.
Created attachment 523188 [details] Removing newline characters while writing to ifcfg file
One suggestion: I've noticed that shvar.[h|c] used in NM for handling ifcfg files are used by some other packages: usermode, initscripts. And maybe others. It looks like the code comes from ancient rp3 (RedHat PPP dialer). It would be useful to separate the code to an independent library, so that everyone could use it and don't have to duplicate the code. Or at least put the code to a repository as source routines (like gnulib), so that changes are done in one place and everybody can get the latest version from it (maybe mark initscripts copy as that).
It's historically a copy-paste library, mostly due to laziness.
(In reply to comment #3) > Created attachment 523188 [details] > Removing newline characters while writing to ifcfg file Looks good, lets push this into RHEL packages for the security update Z stream. After the embargo lifts we can push upstream and to Fedora.
(In reply to comment #6) > Looks good, lets push this into RHEL packages for the security update Z stream. > After the embargo lifts we can push upstream and to Fedora. And let the Fedora systems get hacked? Thanks a lot. That will make me give you private notice of issues in the future. I thought RHEL is listed as "notaffected" anyway?
The CVE identifier of CVE-2011-3364 has been assigned to this issue.
(In reply to comment #7) Hello Matt, thank you for responsibly reporting this issue to us. To be able to move with this one towards its correction and public announcement we would need privately (in encrypted way) to contact and inform other Linux distributions, shipping NetworkManager package too, about presence of this flaw. Though it is not likely other distributions would use the ifcfg-rh plug-in, which is required this issue to be exploitable. But it is likely, their NetworkManager versions might be affected by improper escaping of certain characters too. Thus we would like to ask you for an approval to privately (in encrypted way) inform other distributions about presence of this issue. Please let us know, if we can do this. Due the embargo date -- we have preliminary set it up to next Wednesday, 2011-09-21. If there would be no embargo date changes necessary (due various reasons, since this depends on many conditions), on next Wednesday this bug would be opened for public audience and affected Fedora NetworManager package updates scheduled. Should there be embargo date change required yet, we would inform you again via this bug. Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: Please let us know if it's OK from your side us to inform other distributions about presence of this issue privately. Thank you again, Jan. > (In reply to comment #6) > > Looks good, lets push this into RHEL packages for the security update Z stream. > > After the embargo lifts we can push upstream and to Fedora. > > And let the Fedora systems get hacked? Thanks a lot. That will make me give > you private notice of issues in the future. > > I thought RHEL is listed as "notaffected" anyway?
(In reply to comment #7) > > Looks good, lets push this into RHEL packages for the security update Z > > stream. After the embargo lifts we can push upstream and to Fedora. > > And let the Fedora systems get hacked? Thanks a lot. Matt, just clear up some confusion - Fedora has its dist-git and koji public, there's no mechanism to do private commits / builds. Hence when the fix is committed to dist-git (or upstream VCS), we consider the issue public. The aim here was to have everything ready, so when this is made public, fixes are followed shortly.
(In reply to comment #9) > Thus we would like to ask you for an approval to privately (in > encrypted way) inform other distributions about presence of this issue. Please > let us know, if we can do this. Yes, by all means please inform other distributions. (In reply to comment #10) > Matt, just clear up some confusion - Fedora has its dist-git and koji public, > there's no mechanism to do private commits / builds. Hence when the fix is > committed to dist-git (or upstream VCS), we consider the issue public. The aim > here was to have everything ready, so when this is made public, fixes are > followed shortly. Understood. Thanks for your work on this.
Created attachment 524039 [details] [RHEL6, F14] Removing newline characters while writing to ifcfg file Patch fixing the issue for RHEL 6 and Fedora 14 (they use NetworkManager 0.8.x). The patch is the same as the one in comment #3 (for NM 0.9.x = F15 and above) except shvar.c is at different path.
This issue did NOT affect the versions of the NetworkManager package, as shipped with Red Hat Enterprise Linux 4 and 5 as those versions did not include support for modification (write) of configuration from NetworkManager to the standard /etc/sysconfig/network-scripts/ifcfg-* files yet. -- This issue did NOT affect the version of the NetworkManager package, as shipped with Red Hat Enterprise Linux 6 in the default configuration, since due the polkit settings privileged user account is required to change connections. Though the level of privileges required to be able to change connection settings is a configurable feature and in certain configurations of NetworkManager on Red Hat Enterprise Linux 6 this issue may be exploitable too. -- This issue affects the versions of the NetworkManager package, as shipped with Fedora release of 14 and 15.
Hello Matt, (In reply to comment #11) > (In reply to comment #9) > > Thus we would like to ask you for an approval to privately (in > > encrypted way) inform other distributions about presence of this issue. Please > > let us know, if we can do this. > > Yes, by all means please inform other distributions. Thank you for the approval. Unfortunately due the internal procedures related with dealing with this we will not be able to meet the originally proposed embargo date, thus tomorrow. Wanted to check with you, if it would be possible to postpone / move the embargo date in that way, so this flaw would be publicly disclosed on next Monday, 2011-09-26 12:00 UTC. Please let us know, if this would be possible to postpone yet (so we could propagate the agreement to other vendors too) and thank you for your understanding. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Matt, and yet one query. Please let us know the official form of your name (and possibly company name if desired) you would like to be credited for the discovery and responsibly reporting this issue to us in our advisory? Thanks again, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
(In reply to comment #15) > Wanted to check with you, if it would be possible > to postpone / move the embargo date in that way, so this flaw would be publicly > disclosed on next Monday, 2011-09-26 12:00 UTC. That is fine with me. I am so glad to see prompt and comprehensive action on the bug. (In reply to comment #16) > Please let us know the official form of your name (and > possibly company name if desired) you would like to be credited for the > discovery and responsibly reporting this issue to us in our advisory? "Matt McCutchen" with no company affiliation, please.
A post mortem question: I'd think that the release of F15 with the default configuration affected should have been avoidable, given that I filed bug 682290 back when F15 was in alpha. Ideally I might have recognized the problem in F15 myself, but I was focused on other things than testing F15 at that point and did not foresee ifcfg-rh being opened to unprivileged users (I still think it is a audacious design). Was the team responsible for the F15 changes aware of bug 682290? Is there something I could have done differently, short of reviewing every F(n+1) in enough depth to notice a change like the expanded use of ifcfg-rh?
Created attachment 524560 [details] [RHEL6, F14] Removing newline characters while writing to ifcfg file Removing newline characters when writing ifcfg files - for NM 0.8.x
Created attachment 524563 [details] [F15 and up] Removing newline characters while writing to ifcfg file Removing newline characters when writing to ifcfg files - for NM 0.9.x
Patches in comments #21 and #22 fix and replace the previous ones. (The newlines filtering was not done when name didn't contain spaces or characters for escaping).
Acknowledgements: Red Hat would like to thank Matt McCutchen for reporting this issue.
Created NetworkManager tracking bugs for this issue Affects: fedora-all [bug 741418]
Statement: Not vulnerable. This issue did not affect the versions of NetworkManager as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for writing NetworkManager configurations to the standard /etc/sysconfig/network-scripts/ifcfg-* files.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1338 https://rhn.redhat.com/errata/RHSA-2011-1338.html
NetworkManager-0.8.5.92-1.git20110927.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.