
cfengine.txt

Posted Sep 25, 2003
Authored by Nick Cleaton

The cfservd daemon in Cfengine 2.x prior to version 2.0.8 has an exploitable stack overflow in its network I/O code.

tags | advisory, overflow
SHA-256 | 4f06f3f2f02b486dfdd217a7ff03223f7424d241ec1afc4a509699b4844b8187

==============================================================================

Background
==========

Cfengine (www.cfengine.org) automates the configuration and maintenance of
large computer networks. A common setup involves running the cfservd daemon
on TCP port 5308 on a central master server, with other hosts periodically
connecting to the master to check for configuration updates.

Vulnerability
=============

There is an exploitable stack overflow in the network I/O code used in the
cfservd daemon in Cfengine 2.x prior to version 2.0.8. Arbitrary code
execution has been demonstrated on x86 FreeBSD and is believed to be possible
on all platforms.

Cfengine 1 is not vulnerable, but downgrading is not recommended because version 1
is no longer supported by the author.

Cfengine 2 introduced a redesigned, stricter communications protocol in order to
provide strong client authentication. Responsibility for checking input buffer
lengths moved to a different place in the new code, and one important check was
not carried over.

The vulnerability occurs after an ACL check on the source IP of the TCP
connection, so this flaw can only be exploited from hosts that are authorized
to connect to the cfservd daemon, or from systems able to spoof an authorized
IP or trick an authorized host into forwarding a connection.

The vulnerability can be exploited without reading any data from the server,
so blind spoofing may be feasible against some platforms.

The cfservd daemon is multithreaded rather than forking, so a failed attempt
crashes the whole daemon rather than a single child process: the attacker gets
only one chance to guess the return address correctly, and the overwrite must
land within a 4096 byte window, less a few bytes for shellcode. It may be
possible to enlarge this window by pre-populating other buffers before
triggering the overflow.

The vulnerable network I/O code is used in several other places in Cfengine 2,
so similar problems may exist in other pre-2.0.8 Cfengine TCP servers and
clients.

Vulnerable Versions
===================

Vulnerable:
cfengine-2.0.0
cfengine-2.0.1
cfengine-2.0.2
cfengine-2.0.3
cfengine-2.0.4
cfengine-2.0.5
cfengine-2.0.5b1
cfengine-2.0.5pre
cfengine-2.0.5pre2
cfengine-2.0.6
cfengine-2.0.7
cfengine-2.0.7p1
cfengine-2.0.7p2
cfengine-2.0.7p3
cfengine-2.1.0a6
cfengine-2.1.0a8
cfengine-2.1.0a9

Not Vulnerable:
cfengine-1.6.5 and earlier
cfengine-2.0.8
cfengine-2.0.8p1

Detection
=========

A failed attempt to exploit this vulnerability is likely to cause cfservd to
exit with a segfault, which will show up in the logs.

A successful attempt to exploit may show up as cfservd not running or cfservd
recently restarted, if the attacker is not particularly sophisticated.

The log message "Bad transaction packet -- too long" indicates an attempt to
exploit a patched cfservd.

Fix
===

Upgrade to version 2.0.8p1 or later (recommended), or apply the attached patch
and rebuild cfengine.

The patch was made against 2.0.7p3, and may need to be adapted slightly for
some earlier versions of Cfengine 2.

Workaround
==========

Ensure that you have cfservd ACLs or firewall rules set up to allow
connections from trusted hosts only.

Details
=======

In BusyWithConnection() in cfservd.c, recvbuffer[] (a 4096 byte stack buffer)
is passed to ReceiveTransaction() in net.c. ReceiveTransaction() then reads a
message length as a six digit decimal number from the TCP socket, and passes
the buffer and the length on to RecvSocketStream(), which attempts to read
that many bytes into the buffer.

If the length is greater than 4096, RecvSocketStream() writes past the end of
recvbuffer[] and the saved return address of BusyWithConnection() can be
overwritten.

In tests on x86 FreeBSD, recvbuffer[] ends up within a few dozen bytes of the
top of the stack, so the attacker can only send a few dozen extra bytes or
cfservd will segfault before the attacker gets control.
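To make the mechanism concrete, the following is an added example written for
this page, not code from Cfengine. It models the ReceiveTransaction() /
RecvSocketStream() path in both its pre-2.0.8 form (length trusted) and its
2.0.8p1 form (length rejected before the body is read), with the TCP socket
replaced by an in-memory byte stream. The frame of BusyWithConnection() is
modelled as recvbuffer[] followed by 16 guard bytes standing in for the saved
frame pointer and return address, so the overwrite can be observed without
undefined behaviour. The exact 8-byte header layout "<status> <len>", the guard
size and the simulate() driver are assumptions for illustration, chosen to be
consistent with the proto[9] / "%c %u" parsing visible in the patch below.

```c
/*
 * Added example: model of Cfengine 2's transaction receive path.
 * Not Cfengine's own code. A socket is replaced by an in-memory byte
 * stream; the stack frame is modelled as recvbuffer[] + 16 guard bytes.
 * Header layout "<status> <len>" padded to 8 bytes is an assumption.
 */
#include <stdio.h>
#include <string.h>

#define CF_BUFSIZE 4096                 /* recvbuffer[] size from the advisory */
#define GUARD      16                   /* models saved frame pointer + return address */
#define FRAME_SIZE (CF_BUFSIZE + GUARD)

typedef struct { const unsigned char *data; size_t len, pos; } stream_t;

/* recv() stand-in: copies up to n bytes from the stream, 0 at end of data. */
static size_t stream_recv(stream_t *s, unsigned char *out, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Reads the 8-byte header into proto[9] and parses "<status> <len>";
 * returns 1 on success, 0 if the header is short or malformed. */
static int read_header(stream_t *s, char *status, unsigned int *len)
{
    char proto[9];
    memset(proto, 0, sizeof proto);
    if (stream_recv(s, (unsigned char *)proto, 8) != 8) return 0;
    *len = 0;
    return sscanf(proto, "%c %u", status, len) == 2;
}

/* Pre-2.0.8 behaviour: the peer-supplied length goes straight to the read,
 * so a length above CF_BUFSIZE writes past recvbuffer[] into what follows. */
int receive_transaction_unchecked(stream_t *s, unsigned char *buffer)
{
    char status; unsigned int len;
    if (!read_header(s, &status, &len)) return -1;
    return (int)stream_recv(s, buffer, len);          /* no bound on len */
}

/* 2.0.8p1 behaviour: reject the packet before reading the body. */
int receive_transaction_checked(stream_t *s, unsigned char *buffer, size_t bufsize)
{
    char status; unsigned int len;
    if (!read_header(s, &status, &len)) return -1;
    if (len > bufsize - 8) return -1;  /* "Bad transaction packet -- too long" */
    return (int)stream_recv(s, buffer, len);
}

/* Delivers one constructed transaction with a body of body_len 'A' bytes to a
 * fresh frame. Returns the receive result; *guard_intact is 1 if the bytes
 * after recvbuffer[] survived. body_len is capped at FRAME_SIZE so the model
 * itself never writes outside frame[]. */
int simulate(int hardened, unsigned int body_len, int *guard_intact)
{
    static unsigned char wire[8 + FRAME_SIZE];   /* constructed packet */
    unsigned char frame[FRAME_SIZE];             /* recvbuffer[] + guard */
    char hdr[9];
    stream_t s;
    int r, i;

    if (body_len > FRAME_SIZE) body_len = FRAME_SIZE;
    snprintf(hdr, sizeof hdr, "%c %-6u", 't', body_len);  /* e.g. "t 4112  " */
    memcpy(wire, hdr, 8);
    memset(wire + 8, 'A', body_len);
    s.data = wire; s.len = 8 + body_len; s.pos = 0;

    memset(frame, 0, CF_BUFSIZE);
    memset(frame + CF_BUFSIZE, 0xAA, GUARD);     /* pretend saved ebp/eip */

    r = hardened ? receive_transaction_checked(&s, frame, CF_BUFSIZE)
                 : receive_transaction_unchecked(&s, frame);

    *guard_intact = 1;
    for (i = 0; i < GUARD; i++)
        if (frame[CF_BUFSIZE + i] != 0xAA) *guard_intact = 0;
    return r;
}

/* Convenience wrappers so each property can be checked in one call. */
int receive_result(int hardened, unsigned int body_len)
{ int intact; return simulate(hardened, body_len, &intact); }
int guard_survives(int hardened, unsigned int body_len)
{ int intact; simulate(hardened, body_len, &intact); return intact; }

int main(void)
{
    printf("unchecked, %d-byte body: returned %d, guard intact %d\n",
           FRAME_SIZE, receive_result(0, FRAME_SIZE), guard_survives(0, FRAME_SIZE));
    printf("checked,   %d-byte body: returned %d, guard intact %d\n",
           FRAME_SIZE, receive_result(1, FRAME_SIZE), guard_survives(1, FRAME_SIZE));
    printf("checked,   %d-byte body: returned %d, guard intact %d\n",
           CF_BUFSIZE - 8, receive_result(1, CF_BUFSIZE - 8), guard_survives(1, CF_BUFSIZE - 8));
    return 0;
}
```

The unchecked path with a 4112 byte body clobbers the guard bytes, which on a
real x86 frame would be the saved frame pointer and return address; the checked
path refuses the same packet at the header stage, before a single body byte is
read, which is why the patched daemon logs "Bad transaction packet -- too long"
instead of crashing. Note that the bound is bufsize - 8, not bufsize: the
largest body the patched code accepts here is 4088 bytes.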

==============================================================================

--
Nick Cleaton
nick@cleaton.net


--- cfengine-2.0.7p3/src/net.c Wed Apr 23 21:48:13 2003
+++ cfengine-2.0.8p1/src/net.c Tue Sep 9 08:38:55 2003
@@ -89,7 +89,7 @@

{ char proto[9];
char status;
- unsigned int len;
+ unsigned int len = 0;

bzero(proto,9);

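Review bot: initialising len at `+ unsigned int len = 0;` only has an effect when the `sscanf(proto,"%c %u",&status,&len)` further down fails to match, and in that case the new length check sees 0 and the function carries on with an empty body rather than rejecting the packet. Better to test the sscanf return value (anything other than 2) and return -1 with a log line, so a malformed or truncated header is reported rather than silently treated as a zero-length transaction.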
@@ -101,6 +101,13 @@
sscanf(proto,"%c %u",&status,&len);
Debug("Transaction Receive [%s][%s]\n",proto,proto+8);

+if (len > bufsize - 8)
+ {
+ snprintf(OUTPUT,bufsize,"Bad transaction packet -- too long (%c %d) Proto = %s ",status,len,proto);
+ CfLog(cferror,OUTPUT,"");
+ return -1;
+ }
+
if (strncmp(proto,"CAUTH",5) == 0)
{
Debug("Version 1 protocol connection attempted - no you don't!!\n");
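Review bot: the size argument in `snprintf(OUTPUT,bufsize,...)` is the size of the caller's receive buffer, not the size of OUTPUT; if the two differ the message is either truncated or OUTPUT is overrun by the very error path that guards against an overrun. Use sizeof(OUTPUT) or the constant OUTPUT is declared with. Also, `bufsize - 8` wraps to a very large value if bufsize is unsigned and smaller than 8, so a `bufsize < 8` guard before the comparison (or bounding len first and testing `len + 8 > bufsize`) would make the check robust for small buffers. The check itself is the advisory's fix: it rejects a header length that cannot fit in the caller's buffer before any body bytes are read.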
@@ -132,6 +139,12 @@

Debug("RecvSocketStream(%d)\n",toget);

+if (toget > bufsize)
+ {
+ CfLog(cferror,"Bad software request for overfull buffer","");
+ return -1;
+ }
+
for (already = 0; already != toget; already += got)
{
got = recv(sd,buffer+already,toget-already,0);
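Review bot: the `toget > bufsize` guard admits toget == bufsize, which fills the buffer completely; if any caller NUL-terminates or appends to buffer after this returns, the comparison needs to be `>=`. The `for (already = 0; already != toget; already += got)` loop on the following lines also relies on got never being negative, which the switch on got below the shown context presumably handles; a comment on the loop saying so would make that dependency explicit. This guard is defence in depth against callers ("Bad software request"), while the length check in ReceiveTransaction() is the one that rejects peer input.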
@@ -144,7 +157,7 @@

if (got == 0) /* doesn't happen unless sock is closed */
{
- Debug("Transmission empty...\n");
+ Debug("Transmission empty or timed out...\n");
fraction = 0;
return already;
}
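Review bot: the new wording `Debug("Transmission empty or timed out...\n");` disagrees with the comment directly above it, "doesn't happen unless sock is closed". A recv() return of 0 means the peer performed an orderly shutdown; a timeout, whether from SO_RCVTIMEO or a signal interrupting the call, surfaces as -1 and is handled in the error branch, not here. Either update the comment to describe when a timeout actually reaches this branch, or keep the original message; a misleading debug line costs time during exactly the kind of investigation the Detection section describes.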
@@ -178,6 +191,8 @@

do
{
+ Debug("Attempting to send %d bytes\n",tosend-already);
+
sent=send(sd,buffer+already,tosend-already,flags);

switch(sent)
@@ -191,6 +206,7 @@
break;
}
}
+
while(already < tosend);

return already;
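Review bot: the added blank line separates the do-while's closing brace from its `while(already < tosend);` condition, which makes the condition read like a stray empty loop on a first skim. The usual idiom is `} while (...)` on one line, or at least no blank line between them. Purely cosmetic.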

