CONDOR-2006-0009


Summary:

 

It is possible to update a class ad in the collector, such that the contents of the class ad can cause a buffer in the condor_negotiator to overflow. This can result in a crash, or potentially a root compromise of the condor_negotiator. This compromise requires the user to be able to use the condor_advertise command. This is the case for ordinary users, if host-based authorization is used on machines running Condor daemons, which includes all submission and execution hosts.


Component: condor_negotiator
Vulnerable Versions: all 6.6 & 6.7, 6.8.0
Platform: all
Availability: not known to be publicly available
Fix Available: 6.8.1
Status: Verified
Access Required: local ordinary user
Host Type Required: any Condor daemon host
Effort Required: medium
Impact/Consequences: high
Fixed Date: 2006-Sep-19
Credit: Derek Wright

Access Required:

local ordinary user

This vulnerability requires local access on a machine that is able to use the condor_advertise command to change a class ad. If host-based authorization is used this will be at least those hosts that run a Condor daemon.

Effort Required:

medium

If the user can use the condor_advertise command, the effort to create a denial of service attack by crashing the negotiator is fairly low, while gaining root access requires the ability to run arbitrary code through stack smashing techniques. If a stronger form of authentication and authorization is used, then ordinary users cannot run condor_advertise, and the vulnerability is mitigated.

Impact/Consequences:

high

Successful exploitation of this vulnerability could result in an escalation of privilege to the account used to run the condor_negotiator on the central manager host. If the negotiator is running as root, which is not required in all configurations, then a root compromise is possible.

Full Details:

 

There were two potential buffer overflows in the function Accountant::GetResourceName in the file Accountant.C. The function looks up the Name and StartdIpAddr attributes in the startd class ad and places their values in two 64 byte buffers. Since the user can control the values of these two attributes by calling condor_advertise, they can set a value that overflows the storage. The storage for these two values is on the stack, so a stack smashing attack could be attempted, which could result in an escalation of privilege to root, or a denial of service (crash).

The condor_advertise command requires the user to have the DAEMON access privilege. If host-based authorization is used, then any host with a Condor daemon will have this privilege, which means that any user on such a host will be able to use the condor_advertise command. They can use condor_advertise to update startd ads so that the "StartdIpAddr" or "Name" attribute has a value longer than 64 bytes.

Cause:

fixed size buffer
failure to validate input

The cause of this is the use of a fixed-size buffer, where the value to be placed in the buffer is blindly copied into it without first checking the size of the value.

Proposed Fix:

 

Use a string class that resizes itself automatically and prevents buffer overflows.

Use stricter authentication and authorization than host-based authorization, so that only daemons and administrators can update class ads in the collector.

Actual Fix:

 

Changed type of buffers from char[64] to MyString.
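The following is an added illustration, not Condor's own code, of the defect described under Full Details and the fix described here: a simplified model of the Accountant::GetResourceName lookup with the fixed 64 byte buffers beside a resizable-string version. The class ad is modelled as a std::map, the "Name@StartdIpAddr" output format and the 1024 byte validation bound are assumptions, and the sample attribute values are constructed.

```cpp
// Added example (not Condor's own code): a simplified model of the
// Accountant::GetResourceName pattern from Full Details. The class ad is
// modelled as a std::map; attribute names come from the advisory, the
// "Name@StartdIpAddr" output format and the length bound are assumptions.
#include <cstring>
#include <map>
#include <string>

using ClassAd = std::map<std::string, std::string>;

// Vulnerable pattern: two fixed 64-byte stack buffers receive attribute
// values whose length is chosen by whoever ran condor_advertise. Shown
// only to illustrate the defect; nothing below calls it.
std::string getResourceNameUnsafe(const ClassAd& ad) {
    char name[64];
    char ip[64];
    // No length check: a value of 64 bytes or more writes past the buffer.
    std::strcpy(name, ad.at("Name").c_str());
    std::strcpy(ip, ad.at("StartdIpAddr").c_str());
    return std::string(name) + "@" + ip;
}

// Hardened pattern, matching the actual fix (char[64] -> resizable
// string): the value is copied into a string that grows to any length,
// and a missing attribute is reported instead of crashing.
bool getResourceNameSafe(const ClassAd& ad, std::string& out) {
    auto nameIt = ad.find("Name");
    auto ipIt = ad.find("StartdIpAddr");
    if (nameIt == ad.end() || ipIt == ad.end()) return false;
    out = nameIt->second + "@" + ipIt->second;
    return true;
}

// Input validation the receiving side could add (the advisory's second
// cause is failure to validate input): refuse an ad whose attribute
// values exceed a sane bound so it can be logged and dropped up front.
bool attributeLengthsOk(const ClassAd& ad, std::size_t maxLen = 1024) {
    for (const auto& kv : ad)
        if (kv.second.size() > maxLen) return false;
    return true;
}

int main() {
    ClassAd ad = {{"Name", "slot1@exec01.example.org"},   // constructed
                  {"StartdIpAddr", "<192.0.2.10:9618>"}}; // sample values
    std::string rn;
    return (attributeLengthsOk(ad) && getResourceNameSafe(ad, rn)) ? 0 : 1;
}
```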

Acknowledgment:

 

This research was funded in part by the National Science Foundation under a subcontract with the San Diego Supercomputer Center.