Bug 772261 (CVE-2012-0787) - CVE-2012-0787 augeas: susceptible to mountpoint attack
Summary: CVE-2012-0787 augeas: susceptible to mountpoint attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-0787
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1005040 1032748 1033395 1033396 1033397
Blocks: 772264 974906
Reported: 2012-01-06 16:04 UTC by Vincent Danen
Modified: 2019-09-29 12:49 UTC
CC List: 23 users

Fixed In Version: augeas 1.0.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-02 16:45:22 UTC
Embargoed:


Attachments
proposed upstream fix #1 (10.72 KB, patch)
2012-03-25 16:19 UTC, Dominic Cleal


Links
Red Hat Product Errata RHSA-2013:1537 (priority: normal, status: SHIPPED_LIVE): Low: augeas security, bug fix, and enhancement update; last updated 2013-11-21 01:11:37 UTC

Description Vincent Danen 2012-01-06 16:04:54 UTC
Augeas is a configuration management API that represents the contents of config
files as a tree in memory for editing, with the edits being written back to the
actual file. By default it loads files it understands in a large number of
standard system locations (/etc, /boot), but can also open files in a user
specified location [1],[2].

It has two save modes of interest, "backup" that keeps the original in
PATH.augorig and "newfile" that leaves the file alone, but writes the edited
version to PATH.augnew. These can be set via the API [3] or --backup/--new with
augtool (CLI tool around the API).

A flaw was found in the current 0.10.0 version and most previous versions.  It
requires that the directory containing the file to be edited is writable by
another user, so this needs the user to explicitly open a file in another
location or for a file in a default location to be in a group/world writable
directory.

This attack hinges on behaviour to support writing to a bind mount (ticket #32 gives some history [4] relating to oVirt?) when doing the
rename fails with EBUSY or EXDEV. Augeas instead opens the file and writes straight into it, see transform.c in clone_file when copy_if_rename_fails is set from transform_save.

In two of the three, copy_if_rename_fails is only set if the node /augeas/save/copy_if_rename_fails is created by the user to enable the behaviour [4]. I think there are three ways to exploit this code.

1) with --backup

When creating PATH.augsave, copy_if_rename_fails is always set to 1. A bind mount of a single file (or FUSE, enabling non-privileged attacks?) at PATH.augsave would cause the file contents to be written to the bind mounted file.

2) with --new and /augeas/save/copy_if_rename_fails

As above, but create bind mount at PATH.augnew.

3) with --backup and /augeas/save/copy_if_rename_fails

Augeas first moves PATH to PATH.augsave for the backup, then renames PATH.augnew to PATH. There's a tiny window in which a bind mount could be created at PATH, so the file contents are written to the bind mounted file.

[1] http://augeas.net/page/Loading_specific_files
[2] https://github.com/raphink/augeas-sandbox/blob/master/augload
[3] http://augeas.net/docs/api.html#saving-the-tree
[4] https://fedorahosted.org/augeas/ticket/32
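
The hazard described above is that the copy fallback opens whatever already sits at PATH.augsave and writes into it. A hardened fallback, added here as an illustration and not code from Augeas or its upstream fix, never writes into a pre-existing inode: it unlinks the destination first and then creates it with O_CREAT|O_EXCL|O_NOFOLLOW, so a bind-mounted file at the path makes unlink() fail with EBUSY and the save is refused instead of being written through the mount. The scenarios and file names (passwd.augnew, passwd.augsave, victim, subdir under a scratch /tmp directory) are constructed; the mount-point case itself needs root and is not exercised, so a directory stands in as the "destination that cannot be unlinked" case.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy SRC to DST without writing into any inode that already sat at DST.
 * A bind mount at DST makes unlink() fail with EBUSY, so the copy is refused
 * instead of being written through the mount. Returns 0, or -1 with errno set. */
int safe_copy_to_new(const char *src, const char *dst) {
    if (unlink(dst) == -1 && errno != ENOENT) return -1;   /* EBUSY, EISDIR, ... */
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in == -1) return -1;
    struct stat st; if (fstat(in, &st) == -1) { close(in); return -1; }
    /* O_EXCL: anything placed at DST since the unlink makes this open fail. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, st.st_mode & 07777);
    if (out == -1) { close(in); return -1; }
    char buf[4096]; ssize_t n; int rc = 0;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
    if (n < 0) rc = -1; if (close(out) == -1) rc = -1;
    close(in);
    return rc;
}

/* Helpers for the constructed scenarios below (hypothetical file names). */
static char *pj(char *b, const char *d, const char *n) { snprintf(b, 256, "%s/%s", d, n); return b; }
static void put(const char *p, const char *s) { FILE *f = fopen(p, "w"); if (f) { fputs(s, f); fclose(f); } }
static int has(const char *p, const char *s) {
    char b[64] = {0}; FILE *f = fopen(p, "r"); if (!f) return 0;
    size_t n = fread(b, 1, sizeof b - 1, f); fclose(f);
    return n == strlen(s) && memcmp(b, s, n) == 0;
}

/* Four scenarios in a scratch directory; returns how many behaved (4 = all). */
int run_scenarios(void) {
    char d[] = "/tmp/augsave-demo-XXXXXX"; if (!mkdtemp(d)) return 0;
    char src[256], dst[256], victim[256], sub[256];
    pj(src, d, "passwd.augnew"); pj(dst, d, "passwd.augsave"); pj(victim, d, "victim"); pj(sub, d, "subdir");
    put(src, "edited\n"); put(victim, "intact\n"); mkdir(sub, 0700);
    int ok = safe_copy_to_new(src, dst) == 0 && has(dst, "edited\n");      /* fresh path */
    put(dst, "stale\n");
    ok += safe_copy_to_new(src, dst) == 0 && has(dst, "edited\n");         /* old .augsave replaced */
    unlink(dst); symlink(victim, dst);                                     /* planted symlink */
    ok += safe_copy_to_new(src, dst) == 0 && has(victim, "intact\n");      /* target untouched */
    ok += safe_copy_to_new(src, sub) == -1 && has(victim, "intact\n");     /* unlink() refuses */
    return ok;
}
```

The planted-symlink scenario shows the property that matters for this bug: the pre-existing entry at the destination is removed rather than opened, so nothing it points at is ever written.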

Comment 1 Kurt Seifried 2012-01-20 23:05:06 UTC
Assigned CVE internally and added to alias and title.

Comment 10 Dominic Cleal 2012-03-25 16:19:09 UTC
Created attachment 572544 [details]
proposed upstream fix #1

Adding proposed patch for review.

Comment 13 David Lutterkort 2012-07-19 18:32:15 UTC
ACK. Committed proposed upstream fix as commit b8de6a8c

Comment 15 Vincent Danen 2013-09-06 05:40:47 UTC
Upstream commit from 20120719:

https://git.fedorahosted.org/cgit/augeas.git/commit/?id=b8de6a8c

Comment 17 Vincent Danen 2013-09-06 05:46:27 UTC
This was fixed in 1.0.0 according to the changelog (http://augeas.net/news.html):

* prevent cross-mountpoint attacks via .augsave during saving, RedHat bug #772261, CVE-2012-0787

Comment 24 Tomas Hoger 2013-10-28 13:11:34 UTC
(In reply to Vincent Danen from comment #15)
> Upstream commit from 20120719:
> 
> https://git.fedorahosted.org/cgit/augeas.git/commit/?id=b8de6a8c

Project moved to github, matching commit link there is:

https://github.com/hercules-team/augeas/commit/b8de6a8c

Comment 26 errata-xmlrpc 2013-11-21 04:47:46 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1537 https://rhn.redhat.com/errata/RHSA-2013-1537.html

Comment 27 Huzaifa S. Sidhpurwala 2013-11-22 03:11:22 UTC
Created augeas tracking bugs for this issue:

Affects: fedora-all [bug 1033395]
Affects: epel-4 [bug 1033396]
Affects: epel-5 [bug 1033397]