Bug 1006100 (CVE-2013-4342) - CVE-2013-4342 xinetd: ignores user and group directives for tcpmux services
Summary: CVE-2013-4342 xinetd: ignores user and group directives for tcpmux services
Keywords:
Status: NEW
Alias: CVE-2013-4342
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1006477 1007293 1007294 1007297 1007299 1014897
Blocks: 1006478
TreeView+ depends on / blocked
 
Reported: 2013-09-10 02:48 UTC by thomas.swan
Modified: 2019-09-29 13:08 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
preliminary patch to set credentials before execve (7.70 KB, patch)
2013-09-10 02:48 UTC, thomas.swan
no flags Details | Diff
updated, simpler patch (351 bytes, patch)
2013-09-19 05:15 UTC, thomas.swan
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1409 normal SHIPPED_LIVE Moderate: xinetd security update 2013-10-07 21:14:51 UTC

Description thomas.swan 2013-09-10 02:48:06 UTC
Created attachment 795808 [details]
preliminary patch to set credentials before execve

Description of problem:

If a tcpmux service is enabled, the user and group directives are ignored and the service always runs as root. Verified in the xinetd codebase and affects all active versions of RHEL and Fedora.  Without the fix for CVE-2012-0862, previously exposed non-tcpmux services could run as root bypassing their respective user and group restrictions.

Version-Release number of selected component (if applicable):
2.3.15-6

How reproducible:
Always

Steps to Reproduce:
1. Enabled tcpmux-server 
2. Create a sample tcpmux service

   service testcred
   {
      id = tcpmux-testcred
      disable = no
      user = nobody
      group = nobody
      socket_type = stream
      type = TCPMUXPLUS UNLISTED
      flags = NAMEINARGS
      server = /usr/bin/id
      server_args = id
      wait = no
   }

3. telnet localhost 1
4. type testcred

Actual results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred 
+Go
uid=0(root) gid=0(root) groups=0(root)

Expected results:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
testcred 
+Go
uid=99(nobody) gid=99(nobody) groups=99(nobody)

Additional info:

Comment 1 Vincent Danen 2013-09-10 16:42:42 UTC
Thanks for this report, Thomas.  It seems it was reported to Debian 8 years ago and was never fixed or even reported upstream:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678

Comment 3 thomas.swan 2013-09-12 00:39:40 UTC
I have a github pull request for upstream addressing this as well.  If you think that it should be retracted for now, please let me know.

Comment 4 thomas.swan 2013-09-12 01:48:04 UTC
The github request has been redacted.  When you are ready, and if you want, I can issue a new pull request.

Comment 6 Huzaifa S. Sidhpurwala 2013-09-12 06:13:00 UTC
This issue has been assigned CVE-2013-4342

Comment 11 thomas.swan 2013-09-19 05:15:29 UTC
Created attachment 799732 [details]
updated, simpler patch

I believe the child_process, not exec_server should be called on a tcpmux service.  This preserves the existing behavior of exec_server and also keeps the tcpmux services within the same code path as other services when being executed.

Comment 12 thomas.swan 2013-09-23 17:00:10 UTC
The later patch should be the correct fix.

Comment 15 Huzaifa S. Sidhpurwala 2013-10-02 06:39:53 UTC
(In reply to thomas.swan from comment #9)
> With regards to responsible disclosure, please let me know when would be the
> correct time to create a pull request for the proposed fix to the upstream
> repository on github.  On github, the current home, pull requests are
> public, and I would not want to place the pull request in the open until it
> has been properly communicated.  
> 
> I would also like to provide the patch to the freebsd ports maintainer.
> Please advise.

Thomas,

Hi, it seems i did not see comment #1 above, this issue is already public, do you mind if i open up this bug now? You can do a public pull request.

Comment 16 thomas.swan 2013-10-03 04:32:59 UTC
Please, go ahead.  The pull request has been created.

Comment 17 Huzaifa S. Sidhpurwala 2013-10-03 04:44:15 UTC
Created xinetd tracking bugs for this issue:

Affects: fedora-all [bug 1014897]

Comment 18 Vincent Danen 2013-10-07 16:08:34 UTC
Acknowledgements:

Red Hat would like to thank Thomas Swan of FedEx for reporting this issue.

Comment 19 errata-xmlrpc 2013-10-07 17:19:24 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1409 https://rhn.redhat.com/errata/RHSA-2013-1409.html

Comment 22 Fedora Update System 2013-10-11 23:56:21 UTC
xinetd-2.3.15-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2013-10-12 04:27:56 UTC
xinetd-2.3.15-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.