CONDOR-2006-0008

Summary:

On Windows platforms and potentially some old versions of UNIX, if persistent configuration changes are allowed, an attacker may be able to change the configuration of the machine, which could lead to a root compromise. Persistent configuration changes through condor_config_val are disabled by default, which prevents this vulnerability.
Access Required: local ordinary user

This vulnerability requires local access on a machine running a Condor daemon. It is exploitable only on a host running the Windows operating system or an old version of UNIX.
Effort Required: high

The system must also be configured to allow persistent configuration changes, and the attacker needs to win a race condition.
Impact/Consequences: high

If successful, the attacker can control the configuration of all the Condor daemons on the host and thereby gain root access.
Full Details:

A temporary file is created in the /tmp directory containing the contents of the persistent configuration changes that were made. This file is then read to set the actual configuration. Persistent configuration file changes are disabled by default. The file is created using mkstemp where it exists, but on systems without mkstemp (Windows and old versions of UNIX), the name of the file is generated using the tmpnam function, and the file is then opened without using O_EXCL. This allows a race condition in which someone may create a file or symbolic link at that pathname. The attacker can then modify the contents of this file to change any option in the system, except those defined in the root configuration file. Since one of the items in the configuration file is the list of daemons to start as root, a root compromise is possible.
Cause: race condition

The cause is a file system race condition: the unsafe tmpnam function is used to generate a filename in the /tmp directory, and the file at that name is subsequently not created in a safe fashion (it is opened without O_EXCL, so a pre-existing file or link is used instead of a fresh one).
Proposed Fix:

Use the condor_mkstemp function, which exists on all platforms, creates the temporary file in a safe fashion, and returns a FILE handle to the already-opened file instead of just the pathname.
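The pattern the proposed fix describes, as an added example written for this advisory (a hypothetical safe_tempfile() helper, not Condor's own condor_mkstemp; it assumes a POSIX libc providing mkstemp, fdopen and fchmod):

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical safe_tempfile(): create the temp file atomically with mkstemp
 * (O_CREAT|O_EXCL underneath) and return an open FILE*, never a bare pathname
 * the caller re-opens later. A file or symlink planted at the name makes
 * mkstemp fail instead of being followed. *out_path gets the generated name. */
FILE *safe_tempfile(const char *dir, char **out_path)
{
    const char suffix[] = "/condor_config.XXXXXX";
    size_t len = strlen(dir) + sizeof suffix;   /* sizeof counts the NUL */
    char *path = malloc(len);
    if (!path) return NULL;
    snprintf(path, len, "%s%s", dir, suffix);
    int fd = mkstemp(path);
    if (fd < 0) { free(path); return NULL; }
    /* Confirm a fresh regular file with one link; force mode 0600 ourselves. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd); unlink(path); free(path); return NULL;
    }
    FILE *fp = fdopen(fd, "w+");
    if (!fp) { close(fd); unlink(path); free(path); return NULL; }
    *out_path = path;
    return fp;
}

/* Write a constructed config fragment through the handle and read it back, as
 * the persistent-configuration code would. Returns 1 on success with mode 0600. */
int roundtrip_ok(const char *dir)
{
    char *path = NULL;
    FILE *fp = safe_tempfile(dir, &path);
    if (!fp) return 0;
    const char line[] = "SAMPLE_KNOB = value\n";   /* constructed sample */
    char buf[64] = {0};
    struct stat st;
    int ok = fputs(line, fp) >= 0 && fflush(fp) == 0
          && fseek(fp, 0, SEEK_SET) == 0 && fgets(buf, sizeof buf, fp) != NULL
          && strcmp(buf, line) == 0
          && stat(path, &st) == 0 && (st.st_mode & 07777) == 0600;
    fclose(fp); unlink(path); free(path);
    return ok;
}
```

The key property is that the caller only ever sees an open handle to a file it created itself, so there is no window between name generation and open for another local user to place a file or link at that path.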
Actual Fix:

As proposed.
Acknowledgment:

This research was funded in part by the National Science Foundation under subcontract with the San Diego Supercomputer Center.