==============================================================================

Background
==========

Cfengine (www.cfengine.org) automates the configuration and maintenance of
large computer networks.  A common setup involves running the cfservd daemon
on TCP port 5308 on a central master server, with other hosts periodically
connecting to the master to check for configuration updates.

Vulnerability
=============

There is an exploitable stack overflow in the network I/O code used in the
cfservd daemon in Cfengine 2.x prior to version 2.0.8.  Arbitrary code
execution has been demonstrated on x86 FreeBSD and is believed to be possible
on all platforms.

Cfengine 1 is not vulnerable, but downgrading is not recommended as version 1
is nolonger supported by the author.

Cfengine 2 provides strong client authentication by redesigning a stricter
communications protocol. Responsibility for checking input buffers is
relocated in the new code and one important check was not carried over.

The vulnerability occurs after an ACL check on the source IP of the TCP
connection, so this flaw can only be exploited from hosts that are authorized
to connect to the cfservd daemon, or from systems able to spoof an authorized
IP or trick an authorized host into forwarding a connection.  

The vulnerability can be exploited without reading any data from the server,
so blind spoofing may be feasible against some platforms.

The cfservd daemon is multithreaded rather than forking, so the attacker only
gets a single chance to get the offset correct within a 4096 byte window, less
a few bytes for shellcode.  It may be possible to increase this window by
pre-populating other buffers before triggering the overflow.

The vulnerable network I/O code is used in several other places in Cfengine 2,
so similar problems may exist in other pre-2.0.8 Cfengine TCP servers and
clients.

Vulnerable Versions
===================

Vulnerable:
   cfengine-2.0.0
   cfengine-2.0.1
   cfengine-2.0.2
   cfengine-2.0.3
   cfengine-2.0.4
   cfengine-2.0.5
   cfengine-2.0.5b1
   cfengine-2.0.5pre
   cfengine-2.0.5pre2
   cfengine-2.0.6
   cfengine-2.0.7
   cfengine-2.0.7p1
   cfengine-2.0.7p2
   cfengine-2.0.7p3
   cfengine-2.1.0a6
   cfengine-2.1.0a8
   cfengine-2.1.0a9

Not Vulnerable:
   cfengine-1.6.5 and earlier
   cfengine-2.0.8
   cfengine-2.0.8p1

Detection
=========

A failed attempt to exploit this vulnerability is likely to cause cfservd to
exit with a segfault, which will show up in the logs.

A successful attempt to exploit may show up as cfservd not running or cfservd
recently restarted, if the attacker is not particularly sophisticated.

The log message "Bad transaction packet -- too long" indicates an attempt to
exploit a patched cfservd.

Fix
===

Upgrade to version 2.0.8p1 or later (recommended), or apply the attached patch
and rebuild cfengine.

The patch was made against 2.0.7p3, and may need to be adapted slightly for
some earlier versions of Cfengine 2.

Workaround
==========

Ensure that you have cfservd ACLs or firewall rules set up to allow
connections from trusted hosts only.

Details
=======

In BusyWithConnection() in cfservd.c, recvbuffer[] (a 4096 byte stack buffer)
is passed to ReceiveTransaction() in net.c.  ReceiveTransaction() then reads a
message length as a six digit decimal number from the TCP socket, and passes
the buffer and the length on to RecvSocketStream(), which attempts to read
that many bytes into the buffer.

If the length is greater than 4096, an overflow occurs and the return address
of BusyWithConnection() can be overwritten.

In tests on x86 FreeBSD, recvbuffer[] ends up within a few dozen bytes of the
top of the stack, so the attacker can only send a few dozen extra bytes or
cfservd will segfault before the attacker gets control.

==============================================================================

--
Nick Cleaton
nick@cleaton.net


--- cfengine-2.0.7p3/src/net.c  Wed Apr 23 21:48:13 2003
+++ cfengine-2.0.8p1/src/net.c  Tue Sep  9 08:38:55 2003
@@ -89,7 +89,7 @@
 
 { char proto[9];
   char status;
-  unsigned int len;
+  unsigned int len = 0;
  
 bzero(proto,9);
 
@@ -101,6 +101,13 @@
 sscanf(proto,"%c %u",&status,&len);
 Debug("Transaction Receive [%s][%s]\n",proto,proto+8);
 
+if (len > bufsize - 8)
+   {
+   snprintf(OUTPUT,bufsize,"Bad transaction packet -- too long (%c %d) Proto = %s ",status,len,proto);
+   CfLog(cferror,OUTPUT,"");
+   return -1;
+   }
+
 if (strncmp(proto,"CAUTH",5) == 0)
    {
    Debug("Version 1 protocol connection attempted - no you don't!!\n");
@@ -132,6 +139,12 @@
 
 Debug("RecvSocketStream(%d)\n",toget);
 
+if (toget > bufsize)
+   {
+   CfLog(cferror,"Bad software request for overfull buffer","");
+   return -1;
+   }
+ 
 for (already = 0; already != toget; already += got)
    {
    got = recv(sd,buffer+already,toget-already,0);
@@ -144,7 +157,7 @@
  
    if (got == 0)   /* doesn't happen unless sock is closed */
       {
-      Debug("Transmission empty...\n");
+      Debug("Transmission empty or timed out...\n");
       fraction = 0;
       return already;
       }
@@ -178,6 +191,8 @@
 
 do
    {
+   Debug("Attempting to send %d bytes\n",tosend-already);
+
    sent=send(sd,buffer+already,tosend-already,flags);
    
    switch(sent)
@@ -191,6 +206,7 @@
     break;
       }
    }
+
 while(already < tosend);
 
 return already;