HTCondor
Overview
Download
Documentation
Release Highlights
Release Schedule

HTCondor-CE
Overview
Download
Documentation
Release Highlights

General
News
Security
Documentation
Download

Documentation
HTCondor
HTCondor-CE

Support
HTCSS Contract Support
Community Mailing List
External Support Organizations

Email Lists
Users / Help
World / Announcements

Workshops
Throughput Computing 2024
Materials from past Workshops

HTCSS
What is HTCSS?
Logos

CHTC
Website ⬏
Staff ⬏
Jobs ⬏
Research & Publications ⬏

CONDOR-2008-0001

Summary:

It is possible for a user that can submit jobs to a condor_schedd to modify arbitrary attributes of the job, including attributes an ordinary user should not be able to modify. For instance, a user can change the owner of their job to run as any non-root user.

Component	Vulnerable Versions	Platform	Availability	Fix Available
condor_schedd	6.8.0 - 6.8.8 7.0.0 - 7.0.4 7.1.0 - 7.1.2	all	not known to be publicly exploited	6.8.9 7.0.5 7.1.3
Status	Access Required	Host Type Required	Effort Required	Impact/Consequences
Verified	local ordinary user with a condor authorization	submission host	low	high
Fixed Date	Credit
2008-Oct-07	Greg Thain

Access Required:

local ordinary user with a condor authorization

This vulnerability requires local access on a machine where the user has write authorization to the condor_schedd (i.e., a host and account where the user can submit a job).

Effort Required:

low

The use of ordinary condor command line tools is all that is required to exploit this vulnerability.

Impact/Consequences:

high

The attacker can run arbitrary code as a non-root user on the execute host or submission host depending on the job type. This can allow attacks on other users accounts or system resources.

Full Details:

There is a list of sensitive job attributes that an ordinary user is not allowed to modify to ensure the security of the system. These include the "owner" attribute. When a job is submitted, its attributes are checked and a sensitive attribute is not allowed to be set.

The user can also use condor_qedit to change attributes of a job. When this tool is used, the attribute and value are passed to condor_schedd as separate values and the attribute name from the user is checked to verify that it is not a sensitive attribute by comparing the user supplied name against a list. Unfortunately an attacker can surround the the attribute name with whitespace and the attribute will not test as being a sensitive attribute. Later code then removes whitespace from the attribute name and inserts it into the job ad. The following will change the owner of job 1.0 to the "condor" user:


        condor_qedit 1.0 ' owner' '"condor"'

Cause:

injection
failure to validate input

The attribute name supplied from condor_qedit to the condor_schedd was not validated to prevent illegal characters in the name, nor was the name transformed into a canonical form so the attribute name used in the test is the same name that is changed in the job ad.

Actual Fix:

Whitespace and other illegal characters in the attribute name are now rejected in the check of attribute names supplied by condor_qedit and in the lower level code that inserts or replaces an attribute in the job ad.

European HTCondor Workshop: Abstract Submission Open

Mining millions of genomes for the next powerful antibiotic

Collaborations Between Two National Laboratories and the OSG Consortium Propel Nuclear and High-Energy Physics Forward

NOAA funded marine scientist uses OSPool access to high throughput computing to explode her boundaries of research

Addressing the challenges of transferring large datasets with the OSDF

Learning and adapting with OSG: Investigating the strong nuclear force

What is HTCSS?

CONDOR-2008-0001